Common Pitfalls
Trusting user-provided data
Pitfall: inputs coming from external sources are not validated.
Consequence: an attacker can control the execution flow.
Trusting internal systems or private APIs
Pitfall: inputs arriving from some APIs or sockets are not validated because they are "internal".
Consequence: if an attacker breaches the domain, internal systems become just another source of external data.
Trusting data coming from the database
Pitfall: a query is run and the returned data is used directly, without validation.
Consequence: if an attacker breaches the database, the stored data can be used to move laterally.
Ignoring, or not knowing, how data is used externally
Pitfall: external data ends up in a bash command or in the name of a file to include.
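The four pitfalls share one fix: validate data at the point where it reaches a sensitive sink, whatever its source. The example below is added here and is not code from the page; the report-name format, the /var/app/reports directory, the prefs table and the sample rows are all assumptions. It shows the "before" (untrusted text pasted into a shell line) beside the "after" (allowlist validation, canonical path check, argv list with no shell), and applies the same validation to a value read back from the database, since stored data was once external input too.

```python
import re
import sqlite3
from pathlib import Path

# Added example, not from the original page. Names, paths and the
# database schema below are assumptions made for illustration.

# Allowlist: a report name is letters, digits, '_' or '-', at most 64 chars.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")
REPORTS_DIR = Path("/var/app/reports")  # assumed base directory for report files


def validate_name(value, source):
    """Accept only a plain identifier; 'source' names the trust boundary for the error."""
    if not isinstance(value, str) or not SAFE_NAME.fullmatch(value):
        raise ValueError(f"rejected value from {source}: {value!r}")
    return value


def report_path(name):
    """Build the file path and confirm it still lies inside REPORTS_DIR."""
    path = (REPORTS_DIR / f"{name}.txt").resolve()
    if REPORTS_DIR.resolve() not in path.parents:
        raise ValueError("path escapes the reports directory")
    return path


def vulnerable_command(name):
    """Before: the pitfall. External text is pasted into a shell command line."""
    return f"cat /var/app/reports/{name}.txt"


def hardened_command(name, source="request"):
    """After: validated name, canonical path, and an argv list for shell=False."""
    return ["cat", str(report_path(validate_name(name, source)))]


def make_sample_db():
    """Constructed in-memory table standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prefs (user_id INTEGER, report TEXT)")
    conn.executemany(
        "INSERT INTO prefs VALUES (?, ?)",
        [(1, "monthly_sales"), (2, "../../etc/hosts")],  # row 2: tampered stored value
    )
    conn.commit()
    return conn


def command_from_db(conn, user_id):
    """Stored data is still external data: validate it before it reaches the sink."""
    row = conn.execute(
        "SELECT report FROM prefs WHERE user_id = ?", (user_id,)
    ).fetchone()
    if row is None:
        raise KeyError(user_id)
    return hardened_command(row[0], source="database")


def rejects(fn, *args):
    """True if the call is refused with ValueError (used to show the checks firing)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(hardened_command("monthly_sales"))
    print(rejects(hardened_command, "../../etc/hosts"))
    print(rejects(command_from_db, make_sample_db(), 2))
```

The argv list returned by hardened_command is what you would pass to subprocess.run(..., shell=False); nothing in the name can add a second command because no shell ever parses it. The path check in report_path is a second, independent layer: even if the allowlist were loosened later, a value that resolves outside REPORTS_DIR is still refused.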