
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

The software uses CRLF (carriage return line feed) sequences as a special element, e.g. to separate lines or records, but it does not neutralize, or incorrectly neutralizes, CRLF sequences from inputs.

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

The software receives data from an upstream component, but does not neutralize, or incorrectly neutralizes, CR and LF characters before the data is included in outgoing HTTP headers.

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG is not cryptographically strong.

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

The application does not sufficiently restrict access to a log file that is used for debugging.

The software does not check, or improperly checks, for unusual or exceptional conditions that are not expected to occur frequently during day-to-day operation of the software.

© 2013 SecPod Technologies