compsec_incomplete_mediation.pptx
  1. Ambo University Computer Security
  2. Incomplete Mediation
     Incomplete mediation occurs when the application accepts incorrect data from the user without validating it. What happens if someone fills in:
     DOB: 98764874236492483649247836489236492 (buffer overflow?)
     DOB: '; DROP DATABASE clients; (SQL injection?)
  3. Cont…
     If data exchanged between components of the system (such as client and server) is compromised or altered, the system may fail.
     Example: form data submitted from a web browser may be altered before reaching the server.
     The data is exchanged between a web client and server as part of the URL (in GET mode). This URL may be intercepted by an adversary and changed, so the server receives unexpected input:
     http://www.wiu.edu/users/mfbg/submit?user='binto'&operation='viewaccount'
     An adversary can intercept this and change the operation into, say, "changepassword", or much worse, something invalid. This confuses the server, and the server may shut down.
  4. Time-Of-Check To Time-Of-Use (TOCTTOU)
     Also known as "race condition" errors. A race condition attack happens when a computing system that is designed to handle tasks in a specific sequence is forced to perform two or more operations simultaneously. This technique takes advantage of a time gap between the moment a service is initiated and the moment a security control takes effect.
  5. Cont…
     This attack, which depends on multithreaded applications, can be delivered in one of two ways: interference caused by untrusted processes (essentially a piece of code that slips into a sequence between the steps of a secure program), and interference caused by a trusted process, which may have the same privileges. Without proper controls, different processes can interfere with each other.
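As an added example (not part of the slides), here is the server-side mediation slides 2 and 3 call for, in Python: every field is bounded and validated before use, an `operation` value that was tampered with or is simply invalid is refused instead of confusing the server, the client-supplied `user` must match the authenticated session, and the database lookup uses a parameterised query so the `'; DROP DATABASE clients;` string is treated as data. The `ALLOWED_OPERATIONS` set, the field names and the in-memory `clients` table are assumptions made for the example.

```python
import re
import sqlite3
from datetime import date

ALLOWED_OPERATIONS = frozenset({"viewaccount", "changepassword"})  # hypothetical allow-list
MAX_FIELD_LEN = 64                          # bound every field before parsing it
USER_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")
DOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def validate_dob(raw):
    """Return a date, or None unless the value is a plausible YYYY-MM-DD birth date."""
    if not isinstance(raw, str) or not DOB_RE.match(raw):
        return None                         # rejects the 35-digit DOB and the SQL string
    try:
        dob = date.fromisoformat(raw)       # rejects impossible dates such as 2023-02-30
    except ValueError:
        return None
    return dob if date(1900, 1, 1) <= dob <= date.today() else None


def mediate_request(params, session_user):
    """Check every field server-side; return (accepted, message).
    The client-supplied 'user' is never trusted: it must equal the session user."""
    for key in ("user", "operation", "dob"):
        value = params.get(key)
        if not isinstance(value, str) or not value or len(value) > MAX_FIELD_LEN:
            return False, f"field {key!r} missing or oversized"
    if not USER_RE.match(params["user"]) or params["user"] != session_user:
        return False, "user does not match authenticated session"
    if params["operation"] not in ALLOWED_OPERATIONS:
        return False, "operation not permitted"   # tampered value is refused, not executed
    if validate_dob(params["dob"]) is None:
        return False, "dob rejected"
    return True, f"{params['operation']} for {params['user']}"


def sample_db():
    """Constructed in-memory table standing in for the 'clients' database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (user TEXT, dob TEXT)")
    conn.execute("INSERT INTO clients VALUES ('binto', '1990-05-17')")
    return conn


def lookup_dob(conn, user):
    """Parameterised query: a value like  '; DROP DATABASE clients;  is data, not SQL."""
    row = conn.execute("SELECT dob FROM clients WHERE user = ?", (user,)).fetchone()
    return row[0] if row else None
```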
