Differences
Below are the differences between two revisions of the page.
en:cs:web_applications_threats_modeling [2017/02/16 14:42] – [Threats class: A1 injection] fraggle | en:cs:web_applications_threats_modeling [2021/12/27 18:25] (current version) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 9: | Line 9: | ||
Each web applications has a finite set of visibles parameters being in forms, URL parameters, ... called $ \mathcal{P} = \{p_{1}, | Each web applications has a finite set of visibles parameters being in forms, URL parameters, ... called $ \mathcal{P} = \{p_{1}, | ||
- | All parameters are not typed: | + | All parameters are not typed: |
We will consider the set $ \mathcal{P} $ in the future. | We will consider the set $ \mathcal{P} $ in the future. | ||
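Review bot: "All parameters are not typed" on the changed line reads as "no parameter is typed", which is ambiguous for a sentence that qualifies the definition of $ \mathcal{P} $; if the intent is that only some parameters carry a type, "Not all parameters are typed" says so unambiguously. The context line above it could be corrected in the same pass ("Each web application has a finite set of visible parameters"), since the rest of the page builds on this definition.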
Line 30: | Line 30: | ||
* Phase two: determine data pattern to inject | * Phase two: determine data pattern to inject | ||
- | It will of course not be a blind and random data building like fuzzing, data should be carefully crafted depending on the inputs type and probably location. The building of the set of data patterns is challenging.\\ | + | It will of course not be a blind and random data building like fuzzing, data should be carefully crafted depending on the parameters langage |
For now, we only know it is finite. | For now, we only know it is finite. | ||
One way to build it is to start with an alphabet and some syntactic rules to combine each element in the alphabet in a meaningful fashion for security. | One way to build it is to start with an alphabet and some syntactic rules to combine each element in the alphabet in a meaningful fashion for security. | ||
- | * Phase three: inject sensibly the data patterns in all inputs | + | * Phase three: inject sensibly the data patterns in all visible parameters |
Inject. | Inject. |
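Review bot: in the new Phase two sentence, "the parameters langage" should read "the parameters' language". The rename from "all inputs" to "all visible parameters" in Phase three matches the earlier definition of $ \mathcal{P} $, but the step body is still only "Inject.", so the phase does not say what injecting "sensibly" means; one sentence stating how a data pattern is matched to a parameter would make the step checkable.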