How it works

Vulnerable pattern:

  • Input is provided to the system.

  • Input is not adequately validated, filtered, or handled.

  • Input is used to build a command or statement, or to trigger an action.

Why?

  • The developer fails to implement the proper methods to distinguish between command specification and data.

  • If an attacker manipulates data, and that data is used to build a command, the attacker controls the flow of execution.

How to avoid:

  • Never trust data from external sources.

    • A database IS an external source, and so are other internal services.

  • Never mix command specification and data.

  • Sanitize all external data.
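As an added example (not part of the original page), the vulnerable pattern beside the fix, using Python's sqlite3 on a constructed in-memory table: the first lookup splices external data into the statement text, the second keeps the statement fixed and passes the data as a bound parameter, so a name containing a quote is stored and matched as plain data.

```python
import sqlite3


def make_db():
    # Constructed sample data, not from the original page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Vulnerable pattern: external data is concatenated into the command,
    # so the database cannot tell where the specification ends and data begins.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, name):
    # Command specification and data kept apart: the statement text is fixed
    # and the driver binds the value as a parameter, never as part of the SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def demo():
    conn = make_db()
    # Constructed untrusted input containing a quote that changes the statement.
    untrusted = "nobody' OR 'a'='a"
    return {
        "vulnerable": lookup_vulnerable(conn, untrusted),  # every row leaks
        "safe": lookup_safe(conn, untrusted),              # no match: []
        # A legitimate name with an apostrophe still works when data is bound,
        # which is why separation beats stripping "dangerous" characters.
        "legit": lookup_safe(conn, "o'brien"),
    }


if __name__ == "__main__":
    print(demo())
```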
