- Brute Force
- Insufficient Authentication
- Weak Password Recovery Validation
- Credential/Session Prediction
- Insufficient Authorization
- Insufficient Session Expiration
- Session Fixation
3. Client-side Attacks
- Content Spoofing
- Cross-site Scripting
4. Command Execution
- Buffer Overflow
- Format String Attack
- LDAP Injection
- OS Commanding
- SQL Injection
- SSI Injection
- XPath Injection
5. Information Disclosure
- Directory Indexing
- Information Leakage
- Path Traversal
- Predictable Resource Location
6. Logical Attacks
- Abuse of Functionality
- Denial of Service
- Insufficient Anti-automation
- Insufficient Process Validation
Abuse of Functionality
Abuse of Functionality is an attack technique that uses a web site's
own features and functionality to consume, defraud, or circumvents
access controls mechanisms. Some functionality of a web site,
possibly even security features, may be abused to cause unexpected
behavior. When a piece of functionality is open to abuse, an attacker
could potentially annoy other users or perhaps defraud the system
entirely. The potential and level of abuse will vary from web site to
web site and application to application.
Abuse of Functionality techniques are often intertwined with other
categories of web application attacks, such as performing an
encoding attack to introduce a query string that turns a web search
function into a remote web proxy. Abuse of Functionality attacks are
also commonly used as a force multiplier. For example, an attacker
can inject a Cross-site Scripting snippet into a web-chat session and
then use the built-in broadcast function to propagate the malicious
code throughout the site.
In a broad view, all effective attacks against computer-based systems
entail Abuse of Functionality issues. Specifically, this definition
describes an attack that has subverted a useful web application for a
malicious purpose with little or no modification to the original function.
Examples of Abuse of Functionality include: a) Using a web site's
search function to access restricted files outside of a web directory, b)
Subverting a file upload subsystem to replace critical internal
configuration files, and c) Performing a DoS by flooding a web-login
system with good usernames and bad passwords to lock out
legitimate users when the allowed login retry-limit is exceeded. Other
real-world examples are described below.
Matt Wright FormMail
The PERL-based web application "FormMail" was normally used to
transmit user-supplied form data to a preprogrammed e-mail address.
The script offered an easy to use solution for web site's to gather
feedback. For this reason, the FormMail script was one of the most
popular CGI programs on-line. Unfortunately, this same high degree
of utility and ease of use was abused by remote attackers to send e-
mail to any remote recipient. In short, this web application was
transformed into a spam-relay engine with a single browser web
An attacker merely has to craft an URL that supplied the desired e-
mail parameters and perform an HTTP GET to the CGI, such as:
An email would be dutifully generated, with the web server acting as
the sender, allowing the attacker to be fully proxied by the web-
application. Since no security mechanisms existed for this version of
the script, the only viable defensive measure was to rewrite the script
with a hard-coded e-mail address. Barring that, site operates were
forced to remove or replace the web application entirely.
Macromedia's Cold Fusion
Sometimes basic administrative tools are embedded within web
applications that can be easily used for unintended purposes. For
example, Macromedia's Cold Fusion by default has a built-in module
for viewing source code that is universally accessible. Abuse of this
module can result in critical web application information leakage.
Often these types of modules are not sample files or extraneous
functions, but critical system components. This makes disabling
these functions problematic since they are tied to existing web
Smartwin CyberOffice Shopping Cart Price Modification
Abuse of functionality is performed when an attacker alters data in an
unanticipated way in order to modify the behavior of the web
application. For example, the CyberOffice shopping cart can be
abused by changing the hidden price field within the web form. The
web page is downloaded normally, edited and then resubmitted with
the prices set to any desired value.
"FormMail Real Name/Email Address CGI Variable Spamming Vulnerability"
"CA Unicenter pdmcgi.exe View Arbitrary File"
"PeopleSoft PeopleBooks Search CGI Flaw"
"iisCART2000 Upload Vulnerability"
"PROTEGO Security Advisory #PSA200401"
"Price modification possible in CyberOffice Shopping Cart"
To receive your Free Application
Vulnerability Assessment for testing of one attack vulnerability of your choice, please submit your payment of $99.00 for a second Abuse of Functionality attack vulnerability test.