AttackFlow Findings Dictionary


Inadequate Input Validation - MVC/Web API

Because the input is never validated, an attacker can freely tamper with it and attempt any injection or business logic attack that the unchecked values reach, such as SQL Injection or data manipulation attacks.

Severity: Medium
Fix Cost: Medium
Trust Level: Medium

User input models that are not strictly validated in controllers (in both ASP.NET MVC and Web API) can lead to a wide range of vulnerability types, from SQL Injection to business logic flaws.

Here is an example controller whose Post action method does not check the validity of the input model.

using System.Net;
using System.Net.Http;
using System.Web.Http;

public class ProductsController : ApiController
{
    [HttpPost]
    public HttpResponseMessage Post(Product product)
    {
        // The bound Product is used as-is: no ModelState check and no whitelist rules.
        // use the product; process properties, save it to database, etc.
        return Request.CreateResponse(HttpStatusCode.Created);
    }
}

Without any whitelist rules, every property the model binder fills in reaches the business code and the database unchecked, so attackers can freely manipulate the Product properties and cause, for example, injection vulnerabilities.
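As an added example (not AttackFlow's own code), here is a validated counterpart for ASP.NET Web API 2: a whitelist-style input model using DataAnnotations, a reusable action filter that rejects requests whose ModelState is invalid, and a Post action that only uses the model after validation has passed. The ProductInput type, its property names and the validation limits are assumptions chosen for illustration.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Dedicated input DTO (assumed name): binding it instead of the persistence
// entity stops clients from setting fields the action never meant to accept.
public class ProductInput
{
    // Whitelist pattern: only letters, digits, spaces and hyphens are accepted.
    [Required, StringLength(100, MinimumLength = 1)]
    [RegularExpression(@"^[A-Za-z0-9 \-]+$")]
    public string Name { get; set; }

    // Nullable so a missing field fails [Required] instead of binding to 0.
    [Required, Range(typeof(decimal), "0", "1000000")]
    public decimal? Price { get; set; }

    [StringLength(500)]
    public string Description { get; set; }
}

// Action filter: returns 400 with the validation errors before the action runs.
public class ValidateModelAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        if (!actionContext.ModelState.IsValid)
        {
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.BadRequest, actionContext.ModelState);
        }
    }
}

public class ProductsController : ApiController
{
    [HttpPost, ValidateModel]
    public IHttpActionResult Post(ProductInput input)
    {
        // An empty body leaves ModelState valid, so reject null explicitly.
        if (input == null)
            return BadRequest("Request body is required.");

        // Only now is it safe to map the validated input to the entity and
        // persist it through a parameterised query or an ORM.
        return Ok();
    }
}
```

Validation attributes guard the shape of the input; the database call itself must still be parameterised, because a whitelisted string is not a substitute for safe query construction.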
