Hi list, NGS Software is pleased to make available a new whitepaper about second-order code injection attacks. Abstract: "Many forms of code injection targeted at web-based applications (for instance cross-site scripting and SQL injection) rely upon the instantaneous execution of the embedded code to carry out the attack (e.g. stealing a user's current session information or executing a modified SQL query). In some cases it may be possible for an attacker to inject their malicious code into a data storage area that may be executed at a later date or time. Depending upon the nature of the application and the way the malicious data is stored or rendered, the attacker may be able to conduct a second-order code injection attack. A second-order code injection attack can be classified as the process in which malicious code is injected into a web-based application and not immediately executed, but instead is stored by the application (e.g. temporarily cached, logged, stored in a database) and then later retrieved, rendered and executed by the victim." The paper can be accessed from: http://www.nextgenss.com/papers/SecondOrderCodeInjection.pdf Cheers, Gunter ------------------------------------------------------ G u n t e r O l l m a n n, MSc(Hons), BSc Professional Services Director Next Generation Security Software Ltd. First Floor, 52 Throwley Way Tel: +44 (0)208 401 0089 Sutton, Surrey, SM1 4BF, UK Fax: +44 (0)208 401 0076 http://www.nextgenss.com ------------------------------------------------------
