10 lines
802 B
Plaintext
10 lines
802 B
Plaintext
== Ask Yourself Whether
|
|
|
|
* an input is not sanitized before being used. This includes any value coming from the URI, header, body and cookies.
|
|
* the response contains some unsafe data. for example the input could come from a database which contains user inputs. Check the response's headers, cookies, body and status code.
|
|
* the response contains some sensitive information which the user shouldn't have access to.
|
|
* no access control prevents attackers from successfully performing a forbidden request.
|
|
* an attacker can get sensitive information by analyzing the returned errors. For example, a web service can expose the existence of user accounts by returning 403 (Forbidden) instead of 404 (Not Found) when an attacker ask for them.
|
|
|
|
You are at risk if you answered yes to any of those questions.
|