Friday, 10 June 2011

Data Validation Testing

LDAP INJECTION (OWASP-DV-006)

LDAP is an acronym for Lightweight Directory Access Protocol. It is a paradigm for storing information about users, hosts and
many other objects. LDAP Injection is a server-side attack, which could allow sensitive information about users and hosts
represented in an LDAP structure to be disclosed, modified or inserted.
This is done by manipulating input parameters that are then passed to internal search, add, and modify functions.
http://www.akakom.ac.id/ldapsearch?login=iang
A page like the one below was found.
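
To show why the parameter manipulation described above works and how to neutralize it, here is an added example (not part of the original post, and not the page referred to above) that builds an LDAP search filter from a `login` value with and without RFC 4515 escaping. The `(uid=...)` filter template and all function names are assumptions for illustration.

```python
# Added example: RFC 4515 escaping of a value placed in an LDAP search filter.
# The (uid=...) template and all function names are assumptions for illustration.

# Characters that are special inside a filter value, mapped to \XX hex escapes.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Return value with every RFC 4515 special character hex-escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(login: str) -> str:
    """Vulnerable pattern: the parameter is concatenated into the filter as-is."""
    return "(uid=" + login + ")"


def build_filter_safe(login: str) -> str:
    """Hardened pattern: the parameter can only ever be a literal value."""
    return "(uid=" + escape_filter_value(login) + ")"


def is_single_equality(filter_str: str) -> bool:
    """True if the filter is still one (attr=value) test with no wildcard."""
    return (filter_str.count("(") == 1 and filter_str.count(")") == 1
            and "*" not in filter_str)


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary login, two carrying metacharacters.
    for login in ["iang", "*", "x)(cn=*"]:
        unsafe, safe = build_filter_unsafe(login), build_filter_safe(login)
        print(f"{login!r:12} unsafe={unsafe!r} ok={is_single_equality(unsafe)}")
        print(f"{'':12} safe={safe!r} ok={is_single_equality(safe)}")
```

The escaped filter always keeps its single-assertion structure, so a tester can use the same check to confirm that a fix holds for every metacharacter.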

ORM INJECTION (OWASP-DV-007)



ORM Injection is an attack using SQL Injection against an ORM-generated data access object model. From the point of view
of a tester, this attack is virtually identical to a SQL Injection attack. However, the injection vulnerability exists in code
generated by the ORM tool.

  • Black box testing for ORM Injection vulnerabilities is identical to SQL Injection testing (see Testing for SQL_Injection). In most cases, the vulnerability in the ORM layer is a result of customized code that does not properly validate input parameters. Most ORM software provides safe functions to escape user input. However, if these functions are not used, and the developer uses custom functions that accept user input, it may be possible to execute a SQL injection attack.

XML INJECTION (OWASP-DV-008)


We talk about XML Injection testing when we try to inject an XML document into the application: if the XML parser fails to perform
appropriate data validation, the test result is positive.

SSI INJECTION (OWASP-DV-009)


Web servers usually give developers the ability to add small pieces of dynamic code inside static HTML pages,
without having to use full-fledged server-side or client-side languages. This feature is provided by Server-Side
Includes (SSI), a very simple extension that can enable an attacker to inject code into HTML pages, or even perform remote
code execution.


XPATH INJECTION (OWASP-DV-010)

XPath is a language that has been designed and developed to operate on data that is described with XML. XPath
injection allows an attacker to inject XPath elements into a query that uses this language. Some of the possible goals are to
bypass authentication or access information in an unauthorized manner.

IMAP/SMTP INJECTION (OWASP-DV-011)


This threat affects all applications that communicate with mail servers (IMAP/SMTP), generally webmail applications. The
aim of this test is to verify the capacity to inject arbitrary IMAP/SMTP commands into the mail servers, due to input data
not being properly sanitized.
