Common Pitfalls

Trusting user-provided data

• Do not validate inputs coming from external sources.

• An attacker can control the execution flow.

Trusting internal systems or private APIs

• Do not validate inputs for some APIs, or sockets.

• If an attacker breaches the domain, internal systems become sources of external data.

Trusting data coming from the database

• Make a query and use the data directly.

• If an attacker breaches the database, it may use it to move laterally.

Ignoring/not knowing how data is used externally

• Using external data to call a bash command or include a file.

• Tools called may allow a wide range of options, some with exec capabilities.

  • -exec in find

  • ProxyCommand in ssh

  • -checkpoint-action = in tar

  • LOLBAS

  • GTFOBins