
Input Validation – common associated risks


Presentation transcript:

1 Input Validation – common associated risks

- ______________: user input controls SQL statements ultimately executed by a database server (see http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php)
- ______________: user input controls the file access location – the "double-dot attack"
- ______________: user input controls file naming in such a way as to get a program to read, write or delete files that should be protected
- Denial of Service: user input causes the application to consume excessive resources, or simply to stop executing, because of unacceptable input
- _______________: user input causes the application to reveal confidential information; this information can perhaps be used as part of a more sophisticated attack

2 more common associated risks

- ________________: user input injects HTML or script commands into a Web application, causing the Web application to breach its security (see http://www.acunetix.com/websitesecurity/xss.htm)
- ______________: user input injects commands, often via meta-characters, that cause a server to perform unintended functions
- Buffer Overflows: user input exceeds limits in a way that allows the attacker to control application behavior

3 Before Mitigation – where untrusted input enters an application

- user interface
- files
- parameters of externally-invoked methods
- network sockets/ports
- URLs (passed to Web servers)
- cookies
- network certificates

4 Mitigation Techniques

5 Escaping individual characters is a particularly effective way of mitigating XSS.

Character   Equivalent HTML escape
"           &#34;
#           &#35;
&           &#38;
'           &#39;
(           &#40;
)           &#41;
/           &#47;
;           &#59;
<           &#60;
>           &#62;
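As an added illustration of the slide 5 table (example code written for this transcript, not part of the original slides), the function below applies that escape set to a constructed sample value before it is concatenated into HTML, next to the raw concatenation from which the XSS risk on slide 2 arises. The function names and the sample input are assumptions.

```javascript
// Escape set from slide 5, expressed as numeric HTML character references.
const HTML_ESCAPES = {
  '"': '&#34;', '#': '&#35;', '&': '&#38;', "'": '&#39;', '(': '&#40;',
  ')': '&#41;', '/': '&#47;', ';': '&#59;', '<': '&#60;', '>': '&#62;',
};
const ESCAPE_RE = /["#&'()\/;<>]/g;

// Output-encode one untrusted value for an HTML text context.
// Every listed character is replaced; everything else passes through unchanged.
function escapeHtml(untrusted) {
  return String(untrusted).replace(ESCAPE_RE, (ch) => HTML_ESCAPES[ch]);
}

// The same page fragment built two ways. The first concatenates raw input
// (the XSS risk on slide 2); the second applies the escape table from slide 5.
function renderGreetingUnsafe(name) {
  return '<p>Hello, ' + name + '</p>';
}
function renderGreeting(name) {
  return '<p>Hello, ' + escapeHtml(name) + '</p>';
}

// Sanity check for escaped output: no raw angle brackets or quotes remain, and
// every ampersand starts a numeric character reference rather than a bare '&'.
function containsNoRawMarkup(s) {
  return !/[<>"']/.test(s) && !/&(?!#\d+;)/.test(s);
}

// Count tags in a fragment; only the template's own <p> and </p> should survive.
function countTags(html) {
  return (html.match(/<[^>]*>/g) || []).length;
}

// Constructed sample (hypothetical): a name carrying markup and an ampersand.
const SAMPLE_NAME = 'Mallory <i>&co</i>';
console.log(renderGreetingUnsafe(SAMPLE_NAME)); // 4 tags: the injected <i> is live markup
console.log(renderGreeting(SAMPLE_NAME));       // 2 tags: the injected <i> is inert text
```

Escape once, at the point where the value is written into HTML: running escapeHtml over already-escaped text turns `&#38;` into `&#38;#38;`, which renders the wrong characters.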
