HTTP header injection vulnerabilities arise when user-controllable data is inserted in an unsafe manner into an HTTP header returned by the application. If an attacker can inject newline characters into the header he controls, he can insert additional HTTP headers into the response and can write arbitrary content into the body of the response. This … Read more
The majority of interesting attacks against web applications involve targeting the server-side application itself. Many of these attacks do of course impinge upon other users — for example, an SQL injection attack that steals other users’ data. But the essential methodology of the attacker is to interact with the server in unexpected ways in order to … Read more
Just as there is no unique signature by which logic flaws in web applications can be identified, there is also no silver bullet with which you can be protected. For example, there is no equivalent to the straightforward advice of using a safe alternative to a dangerous API. Nevertheless, there is a range of good … Read more
The best way to learn about logic flaws is not by theorizing, but through acquaintance with some actual examples. Although individual instances of logic flaws differ hugely, they share many common themes, and they demonstrate the kinds of mistake that human developers will always be prone to making. Hence, insights gathered from studying a sample of … Read more
All web applications employ logic in order to deliver their functionality. Writing code in a programming language involves at its root nothing more than breaking down a complex process into very simple and discrete logical steps. Translating a piece of functionality that is meaningful to human beings into a sequence of small operations that can … Read more
By far the most effective means of eliminating path traversal vulnerabilities is to avoid passing user-submitted data to any file system API. In many cases, including the original example GetImage.aspx?file=diagram1.jpg , it is entirely unnecessary for an application to do this. For most files that are not subject to any access control, the files can simply … Read more
Path traversal vulnerabilities are often subtle and hard to detect, and it may be necessary to prioritize your efforts on locations within the application that are most likely to manifest the vulnerability. Locating Targets for Attack During your initial mapping of the application, you should already have identified any obvious areas of attack surface in … Read more
Many kinds of functionality oblige a web application to read from or write to a file system on the basis of parameters supplied within user requests. If these operations are carried out in an unsafe manner, an attacker can submit crafted input which causes the application to access files that the application designer did not … Read more
The Lightweight Directory Access Protocol (LDAP) is used for accessing directory services over a network. A directory is a hierarchically organized data store that may contain any kind of information but is commonly used to store personal data such as names, telephone numbers, email addresses, and job functions. An example of such a directory is … Read more
Many applications contain a facility for users to submit messages via the application; for example, to report a problem to support personnel or provide feed-back about the web site. This facility is usually implemented by interfacing with a mail (or SMTP) server. Typically, user-supplied input will be inserted into the SMTP conversation that the application server … Read more