Improper input validation: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 01:42, 26 February 2011 edit Ron Ritzman (talk \| contribs) 75,721 edits AFD closed keep ← Previous edit		Latest revision as of 02:39, 24 November 2022 edit undo 64.67.144.111 (talk) Undid revision 1114218016 by 82.41.68.100 (talk) Tag: Undo
(12 intermediate revisions by 9 users not shown)
Line 1: A '''~~string~~Improper ~~exploit~~input validation'''<ref isname=":0">{{cite aweb \|work=[[~~security~~Common ~~exploit~~Weakness Enumeration]] ~~involving~~\|publisher=[[MITRE]] \|title=CWE-20: Improper Input Validation \|url=http://cwe.mitre.org/data/definitions/20.html \|date=December 13, 2010 \|accessdate=February 22, 2011}}</ref> or '''unchecked user input''' is a ~~handling~~type of [[~~String~~vulnerability (~~computer science~~computing)\|~~string~~vulnerability]] ~~data~~ in [[computer software]] that may be used for [[security exploit]]s.<ref name=hacking>{{cite book\|title=Hacking: the art of exploitation\|series=No Starch Press Series\|publisher=Safari Books Online\|first=Jon\|last=Erickson\|~~Edition~~edition=2, illustrated\|year=2008\|ISBN= ~~9781593271442~~978-1-59327-144-2}}</ref> This vulnerability is caused when "[t]he product does not validate or incorrectly validates input that can affect the control flow or data flow of a program."<ref name=":0" /> ~~{{cite web~~ ~~\| url = http://www.derkeiler.com/pdf/Mailing-Lists/securityfocus/pen-test/2003-02/0152.pdf~~ ~~\| title = SecurityFocus penetration: The Building of an exploit string~~ ~~\| date = February 27, 2003~~ ~~\| publisher = derkeiler.com~~ ~~\| accessdate = February 22, 2011~~ }} ~~</ref><ref>~~ ~~{{cite web~~ ~~\| url = http://security.ece.cmu.edu/aeg/aeg-current.pdf~~ ~~\| title = AEG: Automatic Exploit Generation~~ ~~\| author = Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao, and David Brumley~~ ~~\| date = 2010~~ ~~\| ___location = Pittsburgh~~ ~~\| publisher = ece.cmu.edu~~ ~~\| quote = The exploit string can be directly fed into the vulnerable application...~~ ~~\| accessdate = February 22, 2011~~ }} ~~</ref>~~ Examples include: * Unchecked user input or Improper input validation<ref>{{cite web \|work=[[Common Weakness Enumeration]] \|publisher=[[MITRE]] \|title=CWE-20: Improper Input Validation \|date=December 13, 2010 \|accessdate=February 22, 2011}}</ref> * [[Format string attack]] * [[Buffer overflow]] * [[Cross-site scripting]] * [[Directory traversal]] * [[Null byte injection]] * [[SQL injection]] * [[Uncontrolled format string]] * [[Null character\|Asciiz exploit]]<ref> ~~{{cite web~~ ~~\| url = http://www.emagined.com/securityfocus-advisory/22831/mod-security-asciiz-byte-post-bypass-vulnerability~~ ~~\| title = Network security advisories article: Mod_Security ASCIIZ byte POST bypass Vulnerability~~ ~~\| date = July 15, 2008~~ ~~\| publisher = Emagined Security~~ ~~\| accessdate = February 22, 2011~~ }} ~~</ref>~~ == References == {{reflist}} {{security-software-stub}} ~~{{DEFAULTSORT:String Exploits}}~~ [[Category:Computer security exploits]]