Analysis and Exploration of Vulnerabilities

Applied Cryptography Robust Software Quantum Safety Machine Learning Applied to Security Analysis and Exploration of Vulnerabilities Computer Systems Forensic Analysis Reverse Engineering Identification, Authentication and Authorization Secure Execution Environments Direito da Organização e da Segurança

Analysis and Exploration of Vulnerabilities
Vulnerabilities
Vulnerability Assessment of Networked Systems
Enumeration and Information Leakage
Injection
Broken Authentication
XSS Cross Site Scripting
Concurrency
Buffers

Powered by GitBook

On this page

Trusting user-provided data
Trusting internal systems or private APIs
Trusting data coming from the database
Ignoring/not knowing how data is used externally

Common Pitfalls

PreviousHow it works NextCWE-89 SQL Injection

Last updated 10 months ago

Trusting user-provided data

Do not validate inputs coming from external sources.
An attacker can control the execution flow.

Trusting internal systems or private APIs

Do not validate inputs for some APIs, or sockets.
If an attacker breaches the domain, internal systems become sources of external data.

Trusting data coming from the database

Make a query and use the data directly.
If an attacker breaches the database, it may use it to move laterally.

Ignoring/not knowing how data is used externally

Using external data to call a bash command or include a file.
Tools called may allow a wide range of options, some with exec capabilities.
- -exec in find
- ProxyCommand in ssh
- -checkpoint-action = in tar
- LOLBAS
- GTFOBins