Example input validation vulnerabilities

You can find many examples of input validation vulnerabilities by searching for CVE entries with references to CWE-20. This search only returns results where input validation is the primary problem, not where it is a contributing factor. In spite of this limitation, the search returns thousands of results. This section lists only a few of the many examples you can easily find.

Example: 3D3.Com ShopFactory

3D3.Com ShopFactory is an e-commerce shopping cart application. In 2002, the software stored the items in the shopping cart and their prices in cookies. However, it is trivial to change cookie values; examples include using the Firefox web developer toolbar or using a proxy such as OWASP ZAP. This means that users could alter their cookies and thereby alter the price they paid for items.

A later version “encrypted” the cookies. The encryption/decryption code, and therefore the key, was in JavaScript running on the client, so any user could decrypt, alter, and re-encrypt the values. Look into Greasemonkey for Firefox as one simple way of attacking this approach.

The solution was to use server-side validation of all input data and cryptographic tamper detection (Section 16.4.1) for any values stored in the browser (e.g., cookies).
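The following is an added example of that solution, not code from ShopFactory or from the original article. It keeps the cart (SKU and quantity only) in a cookie protected by an HMAC tag, looks prices up in a server-side catalogue, and validates every field after the tag checks out. The secret key, the SKUs and the prices are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for this example; a real deployment loads it from a
# secret store and never sends it to the browser.
SECRET_KEY = b"example-only-secret-key"

# Server-side catalogue (hypothetical SKUs, prices in cents). The price is
# looked up here at checkout; it is never taken from the cookie.
CATALOGUE = {"SKU-100": 1999, "SKU-200": 4999}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def sign_cart(cart: dict) -> str:
    """Serialise the cart (sku -> quantity) and append an HMAC-SHA256 tag."""
    payload = json.dumps(cart, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_cart(cookie: str) -> Optional[dict]:
    """Return the cart only if the tag matches; None for any other input."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error, UnicodeEncodeError):
        return None  # wrong shape, bad base64, non-ASCII: reject
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)


def cart_total(cookie: str) -> Optional[int]:
    """Validate the signed cart and price it from the catalogue.
    Returns the total in cents, or None if anything is rejected."""
    cart = verify_cart(cookie)
    if not isinstance(cart, dict):
        return None
    total = 0
    for sku, qty in cart.items():
        if sku not in CATALOGUE:  # unknown item
            return None
        # A genuine tag still does not make the content sensible: check it.
        if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= 99:
            return None
        total += CATALOGUE[sku] * qty
    return total


def rewrite_payload_keeping_tag(cookie: str, new_cart: dict) -> str:
    """Model a client that edits the cookie's payload without the key:
    the old tag is kept, so verify_cart must reject the result."""
    _, tag_b64 = cookie.split(".", 1)
    payload = json.dumps(new_cart, sort_keys=True, separators=(",", ":")).encode()
    return _b64e(payload) + "." + tag_b64


if __name__ == "__main__":
    good = sign_cart({"SKU-100": 2})
    print(cart_total(good))  # 3998
    forged = rewrite_payload_keeping_tag(good, {"SKU-100": 1})
    print(cart_total(forged))  # None
```

Two points carry the weight here: the cookie never contains a price, so there is nothing price-related to tamper with, and a valid tag only proves the server wrote the payload, so the quantity and SKU are still validated before they are used.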

Example: VMware vSphere API

CVE-2012-5703 describes a bug in some versions of VMware ESX and ESXi. By sending an invalid value in a SOAP request to RetrieveProp or RetrievePropEx, the attacker could crash the system, causing all guest systems to become unresponsive. SOAP is a remote procedure call protocol using XML and HTTP. Note that using XML or SOAP did not do the input validation for the programmers: a parser only establishes that a message is well formed, not that its values are acceptable. For more information, including an example exploit, see the Core Security advisory VMware vSphere Hypervisor Vulnerability.
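The example below is added here to illustrate that last point; it is not code from VMware or from the Core Security advisory, and the element names (`obj`, `pathSet`), the object-id format, the allowed property paths and the size limits are hypothetical. It parses a simplified RetrieveProp-style body and then validates every value the parser handed back, rejecting requests that are well-formed XML but carry values the service should never act on.

```python
import re
import xml.etree.ElementTree as ET
from typing import Tuple, Union

# Hypothetical allow-list of property paths this toy service can retrieve.
ALLOWED_PATHS = {"name", "runtime.powerState", "summary.uptimeSeconds"}
# Hypothetical managed-object id format, e.g. "vm-42".
OBJECT_ID_RE = re.compile(r"^[a-z]{1,16}-[0-9]{1,9}$")
MAX_PATHS = 20            # cap the work one request can demand
MAX_REQUEST_BYTES = 8192  # reject oversized bodies before parsing them


def validate_retrieve_request(body: str) -> Tuple[bool, Union[str, dict]]:
    """Parse a simplified RetrieveProp body and validate every value.
    Returns (True, {"obj": id, "paths": [...]}) or (False, reason)."""
    if len(body.encode("utf-8")) > MAX_REQUEST_BYTES:
        return False, "request too large"
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    # Parsing succeeded; nothing about the *values* has been checked yet.
    obj = root.find(".//obj")
    if obj is None or obj.text is None or not OBJECT_ID_RE.match(obj.text.strip()):
        return False, "invalid or missing object id"
    paths = [(p.text or "").strip() for p in root.findall(".//pathSet")]
    if not paths:
        return False, "no pathSet given"
    if len(paths) > MAX_PATHS:
        return False, "too many pathSet entries"
    for path in paths:
        if path not in ALLOWED_PATHS:
            return False, f"unknown property path: {path!r}"
    return True, {"obj": obj.text.strip(), "paths": paths}


def make_request(obj_id: str, paths) -> str:
    """Build a constructed, simplified request body for the examples below."""
    path_xml = "".join(f"<pathSet>{p}</pathSet>" for p in paths)
    return (
        "<Envelope><Body><RetrieveProp>"
        f"<obj>{obj_id}</obj>{path_xml}"
        "</RetrieveProp></Body></Envelope>"
    )


if __name__ == "__main__":
    print(validate_retrieve_request(make_request("vm-42", ["name", "runtime.powerState"])))
    print(validate_retrieve_request(make_request("vm-" + "9" * 40, ["name"])))
    print(validate_retrieve_request(make_request("vm-42", ["config.secretField"])))
    print(validate_retrieve_request(make_request("vm-42", ["name"] * 21)))
```

The size check runs before the parser so that a large body is turned away cheaply, and the per-field checks run after it because only then are the individual values available. For real XML input, a hardened parser such as the defusedxml package also guards against entity-expansion and external-entity tricks that the standard library parser does not fully cover.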

Example: Internet Explorer URL validation error

CVE-2010-0027 describes an input validation vulnerability in several versions of Microsoft Internet Explorer. The attacker (e.g., a compromised web site sending malware, hostile email, etc.) supplies a specially crafted URL that allows the attacker to run an arbitrary program.

Example: Buffer overflow in Poster Software PUBLISH-iT

CVE-2014-0980 describes a classic buffer overflow vulnerability where the developer(s) failed to perform length validation. The result is that a remote attacker can run arbitrary code. A proof-of-concept attack exists showing the code execution capability.

Published by

Kenneth Ingham

Kenneth has been working with security since the early 1980s. He was a system administrator when the Morris Worm was released, and one of his work areas was helping secure the systems. Since then, Kenneth has studied network and computer security, and spent many, many hours looking at how software fails. With knowledge about failures, he can help you produce software that is less likely to suffer a security breach. Kenneth has a Ph.D. in Computer Science, and his research topic was computer security. Kenneth has helped developers who create systems for financial services institutions, telecommunications companies, and embedded systems and process control.
