Tag: injection
The use of untrusted inputs in a SQL database query can enable attackers to read, modify, or delete sensitive data in the database.
Use of new Function()
can be dangerous if used to evaluate dynamic content.
Potentially unsanitized user input in XPath queries can allow an attacker to control the query in unwanted or insecure ways.
Improper input validation can enable attacks and lead to unwanted behavior.
Constructing HTTP response headers from user-controlled data is unsafe.
Improper filtering of Amazon Machine Images (AMIs) can result in loading an untrusted image, which is a potential security vulnerability.
Objects that parse or handle XML can lead to XML external entity (XXE) attacks when they are misconfigured.
Writing unsanitized user data to a file is unsafe.
Using untrusted inputs in a log statement can enable attackers to break the log's format, forge log entries, and bypass log monitors.
Insufficient sanitization of potentially untrusted URLs on the server side can allow server requests to unwanted destinations.
Insecure configuration can lead to a cross-site request forgery (CRSF) vulnerability.
Deserialization of untrusted objects can lead to security vulnerabilities such as, inadvertently running remote code.
Scripts generated from unsanitized inputs can lead to malicious behavior and inadvertently running code remotely.
Constructing operating system or shell commands with unsanitized user input can lead to inadvertently running malicious code.
User input can be vulnerable to injection attacks.
Creating file paths from untrusted input might give a malicious actor access to sensitive files.
LDAP queries that rely on potentially untrusted inputs can allow attackers to read or modify sensitive data, run code, and perform other unwanted actions.
Relying on potentially untrusted user inputs when constructing web application outputs can lead to cross-site scripting vulnerabilities.
Security decisions should not depend on branching that can be influenced by untrusted or client-provided data.