|
Improper Input Validation
Improper input validation or unchecked user input is a type of vulnerability in computer software that may be used for security exploits. This vulnerability is caused when " e product does not validate or incorrectly validates input that can affect the control flow or data flow of a program." Examples include: * Buffer overflow * Cross-site scripting * Directory traversal * Null byte injection * SQL injection * Uncontrolled format string Uncontrolled format string is a type of code injection software vulnerability, vulnerability discovered around 1989 that can be used in security exploits. Originally thought harmless, format string exploits can be used to Crash (computing), crash ... References {{security-software-stub Computer security exploits ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Common Weakness Enumeration
Common Weakness Enumeration (CWE) logo The Common Weakness Enumeration (CWE) is a category system for hardware and software weaknesses and vulnerabilities. It is sustained by a community project with the goals of understanding flaws in software and hardware and creating automated tools that can be used to identify, fix, and prevent those flaws. The project is sponsored by the office of the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), which is operated by The MITRE Corporation, with support from US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security. The first release of the list and associated classification taxonomy was in 2006. Version 4.15 of the CWE standard was released in July 2024. CWE has over 600 categories, including classes for buffer overflows, path/directory tree traversal errors, race conditions, cross-site scripting, hard-coded passwords, and insecure random numbers. Ex ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
MITRE
The mitre (Commonwealth English) or miter (American English; American and British English spelling differences#-re, -er, see spelling differences; both pronounced ; ) is a type of headgear now known as the traditional, ceremonial headdress of bishops and certain abbots in traditional Christianity. Mitres are worn in the Catholic Church, Malankara Orthodox Syrian Church (IOC), Malankara Syrian Orthodox Church (Jacobites), Eastern Orthodox Church, Oriental Orthodox Churches, the Anglican Communion, some Lutheranism, Lutheran churches, for important ceremonies, by the Metropolitan of the Malankara Mar Thoma Syrian Church, and also, in the Catholic Church, all Cardinal (Catholic Church)#Cardinals who are not bishops, cardinals, whether or not bishops, and some Eastern Orthodox Archpriest#Eastern Christianity, archpriests. Etymology (Ionic Greek, Ionic ) is Greek language, Greek, and means a piece of armour, usually a metal guard worn around the waist and under a cuirass, as menti ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Vulnerability (computing)
Vulnerabilities are flaws or weaknesses in a system's design, implementation, or management that can be exploited by a malicious actor to compromise its security. Despite a system administrator's best efforts to achieve complete correctness, virtually all hardware and software contain bugs where the system does not behave as expected. If the bug could enable an attacker to compromise the confidentiality, integrity, or availability of system resources, it can be considered a vulnerability. Insecure software development practices as well as design factors such as complexity can increase the burden of vulnerabilities. Vulnerability management is a process that includes identifying systems and prioritizing which are most important, scanning for vulnerabilities, and taking action to secure the system. Vulnerability management typically is a combination of remediation, mitigation, and acceptance. Vulnerabilities can be scored for severity according to the Common Vulnerability S ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Computer Software
Software consists of computer programs that instruct the Execution (computing), execution of a computer. Software also includes design documents and specifications. The history of software is closely tied to the development of digital computers in the mid-20th century. Early programs were written in the machine language specific to the hardware. The introduction of high-level programming languages in 1958 allowed for more human-readable instructions, making software development easier and more portable across different computer architectures. Software in a programming language is run through a compiler or Interpreter (computing), interpreter to execution (computing), execute on the architecture's hardware. Over time, software has become complex, owing to developments in Computer network, networking, operating systems, and databases. Software can generally be categorized into two main types: # operating systems, which manage hardware resources and provide services for applicat ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Security Exploit
An exploit is a method or piece of code that takes advantage of Vulnerability (computer security), vulnerabilities in software, Application software, applications, Computer network, networks, operating systems, or Computer hardware, hardware, typically for malicious purposes. The term "exploit" derives from the English verb "to exploit," meaning "to use something to one’s own advantage." Exploits are designed to identify flaws, bypass security measures, gain unauthorized access to systems, take control of systems, install malware, or data breach, steal sensitive data. While an exploit by itself may not be a malware, it serves as a vehicle for delivering malicious software by breaching security controls. Researchers estimate that malicious exploits cost the global economy over US$450 billion annually. In response to this threat, organizations are increasingly utilizing cyber threat intelligence to identify vulnerabilities and prevent hacks before they occur. Description Expl ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Cross-site Scripting
Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. During the second half of 2007, XSSed documented 11,253 site-specific cross-site vulnerabilities, compared to 2,134 "traditional" vulnerabilities documented by Symantec. XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner network. OWASP considers the term cross-site scripting to be a misnomer. It initially was an attack that was used for breaching data across sites, but gradually started to include other forms of data injection attacks. Background Security on the web depends on a variety of ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Directory Traversal
A directory traversal (or path traversal) attack exploits insufficient security validation or sanitization of user-supplied file names, such that characters representing "traverse to parent directory" are passed through to the operating system's file system API. An affected application can be exploited to gain unauthorized access to the file system. Examples In PHP A typical example of a vulnerable application in PHP code is: TEMPLATE") include "/home/users/phpguru/templates/" . $template; An attack against this system could be to send the following HTTP request: [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Null Byte Injection
The null character is a control character with the value zero. Many character sets include a code point for a null character including Unicode (Universal Coded Character Set), ASCII (ISO/IEC 646), Baudot, ITA2 codes, the C0 control code, and EBCDIC. In modern character sets, the null character has a code point value of zero which is generally translated to a single code unit with a zero value. For instance, in UTF-8, it is a single, zero byte. However, in Modified UTF-8 the null character is encoded as two bytes : . This allows the byte with the value of zero, which is not used for any character, to be used as a string terminator. Originally, its meaning was like NOP when sent to a printer or a terminal, it had no effect (although some terminals incorrectly displayed it as space). When electromechanical teleprinters were used as computer output devices, one or more null characters were sent at the end of each printed line to allow time for the mechanism to return to the first ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
SQL Injection
In computing, SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. Document-oriented NoSQL databases can also be affect ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Uncontrolled Format String
Uncontrolled format string is a type of code injection software vulnerability, vulnerability discovered around 1989 that can be used in security exploits. Originally thought harmless, format string exploits can be used to Crash (computing), crash a program or to execute harmful code. The problem stems from the use of unchecked user input as the format string parameter in certain C (programming language), C functions that perform formatting, such as Printf, printf(). A malicious user may use the %s and %x format tokens, among others, to print data from the call stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf() and similar functions to write the number of bytes formatted to an address stored on the stack. Details A typical exploit uses a combination of these techniques to take control of the instruction pointer (IP) of a process, for example by forcing a program to overwrite the add ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
