Incomplete mediation occurs when the application
accepts incorrect data from the user
What happens if someone fills in:
DOB: '; DROP DATABASE clients;
If data exchanged between components of the system (such as client and server) is compromised or altered, the system may fail.
Example: Form data submitted from a web browser may be altered
before reaching the server
The data is exchanged between a web client and server as part of the URL (in GET mode). This URL may be intercepted by an adversary and changed, thus the server receives unexpected
An adversary can intercept this and change the operation into, say, “changepassword”, or much worse, something invalid. This confuses the server, and the server may shut down.
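The DOB field from the slide, mediated completely on the server side. This is an added example, not part of the original slides: the clients table, its sample rows and the strict YYYY-MM-DD format are constructed assumptions. The vulnerable query is only built as text to show what the database would receive; the hardened path validates the field first and then binds it as a parameter, so the client's own checks can be altered or bypassed without effect.

```python
import re
import sqlite3
from datetime import date

# Constructed sample data standing in for the "clients" table named in the slide.
SAMPLE_CLIENTS = [
    ("Alice", "1990-05-17"),
    ("Bob", "1985-11-02"),
]

# Assumed format for the DOB field: exactly YYYY-MM-DD, nothing else.
DOB_PATTERN = re.compile(r"\d{4}-\d{2}-\d{2}")


def validate_dob(raw: str) -> bool:
    """Complete mediation of the DOB field: well-formed AND a real calendar date.

    The shape check rejects quotes, semicolons and SQL keywords outright;
    date.fromisoformat() then rejects well-shaped non-dates such as 1990-13-40.
    """
    if not DOB_PATTERN.fullmatch(raw):
        return False
    try:
        date.fromisoformat(raw)
    except ValueError:
        return False
    return True


def unsafe_query_text(dob: str) -> str:
    # Vulnerable pattern (text only, never executed here): the field is pasted
    # into the SQL, so a quote in it closes the literal and the rest becomes SQL.
    return f"SELECT name FROM clients WHERE dob = '{dob}'"


def open_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (name TEXT, dob TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?, ?)", SAMPLE_CLIENTS)
    return conn


def lookup_by_dob(conn: sqlite3.Connection, dob: str) -> list[str]:
    """Hardened: reject anything that is not a date, then bind as a parameter."""
    if not validate_dob(dob):
        raise ValueError("DOB field rejected: not a YYYY-MM-DD date")
    # The ? placeholder ships the value separately from the SQL text, so even
    # a value containing a quote can never terminate the string literal.
    rows = conn.execute("SELECT name FROM clients WHERE dob = ?", (dob,))
    return [row[0] for row in rows]
```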
Time-Of-Check To Time-Of-Use (TOCTTOU)
Also known as “race condition” errors
A race condition attack happens when a computing system that’s designed to handle tasks in a specific sequence is forced to perform two or more operations
This technique takes advantage of a time gap between the moment a service is initiated and the moment a security control
This attack, which depends on multithreaded applications, can be delivered in one of two ways: interference caused by untrusted processes (essentially a piece of code that slips into a sequence between steps of a secure program), and interference caused by a trusted process, which may have the “same” privileges.
Without proper controls, different processes can interfere with each other.