Unexpected Injection
SQL injection
Description: Dynamic SQL statements are generated without the required data validation and without using parameterized statements or stored procedures. Impact: Inject SQL statements, with the possibility of obtaining information about the database, as ...
Lack of data validation - URL
Description: Any user on the Internet can obtain information on users who have sent their documents through the portal by sending, as a URL parameter, the date on which the document was sent. Impact: Obtain information about the platform users. ...
Lack of data validation - Type confusion
Description: A field is interpreted on the server side; although it indicates that it only accepts numbers, it allows values in the form 0xff. Impact: - Get internal information about the operation of the system. - Inject code and get it interpreted by ...
HTTP parameter pollution
Description: The application allows extra parameters to be injected into the HTTP communication protocol, which can cause unexpected behavior on the server. Impact: - Make the application read malicious parameters and behave incorrectly. - Cause unexpected ...
SQL injection - Java SQL API
Description: Dynamic SQL statements are generated without the required data validation and without using parameterized statements or stored procedures. Impact: Inject SQL statements, with the possibility of obtaining information about the database, as ...
LDAP injection
Description: The system builds LDAP queries using untrusted data that could modify the query. Impact: Inject LDAP statements to extract sensitive information without authorization. Recommendation: - Avoid using untrusted data to generate dynamic LDAP ...
NoSQL injection
Description: The system generates NoSQL queries dynamically and without validating untrusted inputs. Impact: Obtain information from the environment by means of malicious statements. Recommendation: Validate and escape data that will be included in ...
Apache Lucene query injection
Description: The system generates Apache Lucene queries dynamically, without validating untrusted inputs and without using parameterized statements or stored procedures. Impact: - Obtain information linking a user to a Wallet ID. - Obtain balances on ...
Insecure deserialization
Description: The system deserializes objects without first validating their content or casting them to a specific type. Impact: Allows control of the application's execution flow. Recommendation: Validate the incoming serialized objects and only ...
CSV injection
Description: It is possible to inject formulas into fields that are later exported as part of CSV files and can be interpreted by Excel. Impact: Inject code into fields to create malicious formulas. Recommendation: Sanitize all the fields that will be ...
Lack of data validation - Trust boundary violation
Description: The system mixes trusted and untrusted data in the same data structure or structured message. Impact: Introduce data into critical data structures, which could lead to some types of injections. Recommendation: - Prevent the use of untrusted ...
XML injection (XXE)
Description: It is possible to inject XML code into the application's requests, which is then interpreted by the server. This could allow an attacker to perform data exfiltration or execute commands remotely. Impact: Perform various attacks that ...
Lack of data validation - Path Traversal
Description: The software uses external input to construct a pathname that is intended to identify a file or directory, but it does not properly neutralize or validate special elements within the pathname. Impact: Make the software resolve the pathname ...
HTML code injection
Description: The application's fields allow the injection of HTML code. This could enable attackers to modify the application's appearance in order to trick its users into performing undesired actions. Impact: - Allow an attacker to modify the page. - ...
XPath injection
Description: Dynamic XPath statements are generated without the required data validation. Impact: Inject queries to obtain sensitive information without authorization. Recommendation: Perform input data validations on the server side to avoid common ...
SQL injection - Java Persistence API
Description: Dynamic SQL statements are generated without the required data validation and without using parameterized statements or stored procedures. When using LIKE conditions with values coming from an insecure source in the Java ...
Stored cross-site scripting (XSS)
Description: It is possible to persistently inject JavaScript code into the application fields. This could allow an attacker to compromise the session of any user who enters the platform or to distribute malicious software. Impact: Inject malicious ...
Reflected cross-site scripting (XSS)
Description: The web application dynamically generates web content without validating the source of the potentially untrusted data. Impact: Generate web pages that could contain malicious scripts injected into untrusted data. Recommendation: Perform ...
Remote command execution
Description: The system builds OS commands using inputs that can be manipulated externally and does not correctly neutralize special elements that could modify the OS command. Impact: Execute unauthorized code or commands. Recommendation: - If at all ...
SQL injection - C Sharp SQL API
Description: Dynamic SQL statements are generated without the required data validation and without using parameterized statements or stored procedures. Impact: Inject SQL statements, with the possibility of obtaining information about the database, as ...