User-Controllable Input
Most web application vulnerabilities stem from poorly validated, user-controllable input—or any data accepted into the application, regardless of method or source. Typically, the data is sent between client and server in either direction and is completely controllable by the user, regardless of where in the HTTP(S) request it is found (GET/POST parameters, headers, etc.). When testing from the source, we might consider identifying each potential user input and tracing its data path through the code. Once the application accepts the input data, it typically reassigns it to variables, carries it across multiple layers of code, and uses it in some transaction or database query. Eventually, the data might return to the user on a similar or alternative data path. The problem is that some paths might lead to symptom code, and others might not. In addition, applications with a large number of inputs increase the likelihood of multiple complex data paths, so tracing data paths from the point of input is inefficient. Given time-constrained testing windows, a more efficient approach is to target symptom code first and trace the paths of any related data back to sources of user-controllable input.
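The sink-first approach described above, as an added example that is not from the book: a small tracer built on Python's `ast` module locates symptom code (calls whose attribute name is in a hypothetical `SINKS` list) and then walks earlier assignments in the same function backwards to see whether the sink's argument derives from `request.args`, `request.form` and similar attributes. The `SAMPLE` handler is a constructed, Flask-style stand-in for the code under review.

```python
import ast

SINKS = {"execute", "system", "popen"}            # attribute names treated as symptom code
SOURCES = {"args", "form", "headers", "cookies"}  # request.<attr> treated as user-controllable

def _names_in(node):
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}
def _reads_request(node):
    # True if the expression touches request.args / request.form / ... anywhere inside it
    return any(isinstance(n, ast.Attribute) and n.attr in SOURCES
               and isinstance(n.value, ast.Name) and n.value.id == "request"
               for n in ast.walk(node))
def trace_function(func):
    # Return (sink_name, line, tainted) for every sink call inside one function
    assigns = [s for s in ast.walk(func) if isinstance(s, ast.Assign)]
    findings = []
    for call in ast.walk(func):
        if not (isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute)
                and call.func.attr in SINKS):
            continue
        # Backward trace: start from names in the sink's arguments, then keep pulling in
        # the right-hand side of every earlier assignment that defines one of those names
        tainted = any(_reads_request(a) for a in call.args)
        pending = set().union(*(_names_in(a) for a in call.args))
        seen = set()
        while pending and not tainted:
            name = pending.pop()
            seen.add(name)
            for a in assigns:
                if a.lineno < call.lineno and any(
                        isinstance(t, ast.Name) and t.id == name for t in a.targets):
                    tainted = tainted or _reads_request(a.value)
                    pending |= _names_in(a.value) - seen
        findings.append((call.func.attr, call.lineno, tainted))
    return findings

def scan(source):
    # Sink-first scan of a module: locate symptom code, then trace back toward inputs
    return [f for fn in ast.walk(ast.parse(source)) if isinstance(fn, ast.FunctionDef)
            for f in trace_function(fn)]

# Constructed sample handler (hypothetical, Flask-style) used as the scan target
SAMPLE = '''def lookup(request, cursor):
    uid = request.args["id"]
    q = "SELECT * FROM users WHERE id=" + uid
    cursor.execute(q)

def health(cursor):
    cursor.execute("SELECT 1")
'''
```

Running `scan(SAMPLE)` flags the `execute` call on line 4 as reaching request input through `q` and `uid`, while the constant query on line 7 is reported as untainted; a real review would extend `SINKS` and `SOURCES` to the framework in use and follow calls across functions.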