Summary

Malicious input attacks target parameter values that the application does not adequately parse. Inadequate parsing may be due to indiscriminate acceptance of user-supplied data, reliance on client-side validation filters, or the expectation that non-form data (headers, cookies, hidden fields) will not be manipulated. Once an attacker identifies a vector, a more serious exploit may follow. Exploits based on poor input validation include buffer overflows, arbitrary file access, social engineering attacks, SQL injection, and command injection. Input validation routines are no small matter and are ignored at the application's peril.

Here are some vectors for discovering inadequate input filters:

  • Each argument of a GET request

  • Each argument of a POST request

  • Forms (e-mail address, home address, name, comments)

  • Search fields

  • Cookie values

  • Browser environment values (User agent, IP address, Operating System, etc.)

Additionally, Table 6-2 lists several characters and their URL encoding that quite often represent a malicious payload or otherwise represent some attempt to generate an error or execute a command. These characters alone do not necessarily exploit the application, nor are they always invalid; however, where the application does not expect these characters, a little patience can turn them into an exploit.

Table 6-2: Popular Characters to Test Input Validation

| Character | URL Encoding | Comments |
|-----------|--------------|----------|
| ' | %27 | The mighty tick mark (apostrophe), absolutely necessary for SQL injection, produces informational errors |
| ; | %3b | Command separator, line terminator for scripts |
| [null] | %00 | String terminator for file access, command separator |
| [return] | %0a | Command separator |
| + | %2b | Represents [space] on the URL, good in SQL injection |
| < | %3c | Opening HTML tag |
| > | %3e | Closing HTML tag |
| % | %25 | Useful for double-decode, search fields, signifies ASP, JSP tag |
| ? | %3f | Signifies PHP tag |
| = | %3d | Place multiple equal signs in a URL parameter |
| ( | %28 | SQL injection |
| ) | %29 | SQL injection |
| [space] | %20 | Necessary for longer scripts |
| . | %2e | Directory traversal, file access |
| / | %2f | Directory traversal |
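The defensive counterpart to Table 6-2, as an added example that is not part of the book: a server-side check that URL-decodes a parameter until the value stops changing (so a double-encoded %2527 is seen as the apostrophe it becomes), reports which of the table's characters survive decoding, and separately enforces a per-parameter allowlist, which is the validation the chapter says applications skip. The parameter names, allowlist patterns and sample values are constructed for the example.

```python
import re
from urllib.parse import unquote

# Characters from Table 6-2 and the role the table assigns them.
SUSPICIOUS = {
    "'": "SQL injection / informational errors",
    ";": "command separator",
    "\x00": "null byte string terminator",
    "\n": "command separator (line feed)",
    "<": "opening HTML tag",
    ">": "closing HTML tag",
    "%": "double-decode / ASP, JSP tag",
    "(": "SQL injection",
    ")": "SQL injection",
}

def decode_fully(value, max_rounds=3):
    """URL-decode until the value is stable; returns (decoded, rounds used).
    More than one round means the client sent nested encoding (%25xx)."""
    rounds, current = 0, value
    while rounds < max_rounds:
        nxt = unquote(current)
        if nxt == current:
            break
        current, rounds = nxt, rounds + 1
    return current, rounds

def flag_parameter(name, raw):
    """Detection side: describe what a raw parameter value turns into."""
    decoded, rounds = decode_fully(raw)
    findings = sorted({SUSPICIOUS[c] for c in decoded if c in SUSPICIOUS})
    if re.search(r"\.\.[\\/]", decoded):          # ../ or ..\ after decoding
        findings.append("directory traversal")
    if rounds > 1:
        findings.append("multiple URL-encoding layers")
    return {"param": name, "decoded": decoded, "findings": findings}

# Allowlist per parameter (constructed): accept only what the field means,
# rather than trying to blocklist every character in the table.
ALLOWLISTS = {
    "id": re.compile(r"[0-9]{1,10}"),
    "email": re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}

def is_allowed(name, raw):
    """Mitigation side: a parameter without an allowlist is rejected outright."""
    decoded, _ = decode_fully(raw)
    pattern = ALLOWLISTS.get(name)
    return bool(pattern and pattern.fullmatch(decoded))
```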



HACKING EXPOSED WEB APPLICATIONS, 3rd Edition
ISBN: 0071740643
Year: 2006
Pages: 127
