Broken Access Control

Broken Access Control Description. Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside the user's limits. Authentication vs. Authorization: Authentication is verifying a user's identity, typically through passwords, biometrics, multi-factor authentication, or tokens. Authentication happens before authorization and establishes a session or identity context. Authorization is determining which resources, actions, and data you are permitted to access. ...

May 4, 2026 · 11 min

Command Injection

Command Injection Description. Command injection (also known as OS command injection) is a vulnerability that allows an attacker to execute arbitrary operating system commands on the server hosting an application. This typically occurs when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell without proper validation or sanitization. Dangerous Functions by Platform: PHP: exec(), shell_exec(), system(), passthru(), proc_open(), popen(), etc. Java: Runtime.exec(), ProcessBuilder, etc. Python: os.system(), os.popen(), subprocess.Popen(), subprocess.call(), eval(), etc. ...

May 4, 2026 · 5 min