Tag: injection

SQL injection

The use of untrusted inputs in a SQL database query can enable attackers to read, modify, or delete sensitive data in the database.

New function detected

Use of new Function() can be dangerous if used to evaluate dynamic content.

XPath injection

Potentially unsanitized user input in XPath queries can allow an attacker to control the query in unwanted or insecure ways.

Improper input validation

Improper input validation can enable attacks and lead to unwanted behavior.

Header injection

Constructing HTTP response headers from user-controlled data is unsafe.

Untrusted Amazon Machine Images

Improper filtering of Amazon Machine Images (AMIs) can result in loading an untrusted image, which is a potential security vulnerability.

XML external entity

Objects that parse or handle XML can lead to XML external entity (XXE) attacks when they are misconfigured.

File injection

Writing unsanitized user data to a file is unsafe.

Log injection

Using untrusted inputs in a log statement can enable attackers to break the log's format, forge log entries, and bypass log monitors.

Server side request forgery

Insufficient sanitization of potentially untrusted URLs on the server side can allow server requests to unwanted destinations.

Cross-site request forgery

Insecure configuration can lead to a cross-site request forgery (CSRF) vulnerability.

Deserialization of untrusted object

Deserialization of untrusted objects can lead to security vulnerabilities such as inadvertently running remote code.

Unsanitized input is run as code

Scripts generated from unsanitized inputs can lead to malicious behavior and inadvertently running code remotely.

OS command injection

Constructing operating system or shell commands with unsanitized user input can lead to inadvertently running malicious code.

NoSQL injection

User input can be vulnerable to injection attacks.

Path traversal

Creating file paths from untrusted input might give a malicious actor access to sensitive files.

LDAP injection

LDAP queries that rely on potentially untrusted inputs can allow attackers to read or modify sensitive data, run code, and perform other unwanted actions.

Cross-site scripting

Relying on potentially untrusted user inputs when constructing web application outputs can lead to cross-site scripting vulnerabilities.

Untrusted data in security decision

Security decisions should not depend on branching that can be influenced by untrusted or client-provided data.