
Code Auditing and Reverse Engineering • Chapter 6 225
Realistically, you will want to look at every such function, but doing so
may require too much time. So we have compiled a list of the “higher
risk” functions that remote attackers have been known to use to take
advantage of Web applications.
Because the attacker will masquerade as a user, we only need to look
at areas in the code that are influenced by the user. However, you also
have to consider other untrusted sources of input into your program that
influence program execution: external databases, third-party input, stored
session data, and so on. You must consider that another poorly coded
application ...