This is the rock-solid principle on which the whole of the corporation’s galaxy-wide success is founded. Their fundamental design flaws are completely hidden by their superficial design flaws.
This chapter takes a look at common design flaws. We explore possibilities where an application may be used against itself. Up until this point, we have focused on manipulating the basic structure of web applications. We’ve taken apart HTTP and HTML, decoded encodings, and automated some of our methods. Now, we will focus on higher-level problems.
There are two kinds of security defects in the world: bugs and flaws. The difference between them is important to how we test and how we report our findings. The difference also factors into how they get fixed.
Bugs are the simplest kind of security problem. They’re a very local mistake. The software was specified and designed correctly, but the developer made a mistake in the implementation. Bugs can typically be fixed by applying a very localized change to a small subset of the software. Redesigning or changing requirements is not necessary. Many of the most popular security issues are bugs: SQL injection, cross-site scripting, buffer overflows, code injection, etc. All of these can be the result of bugs.
The other kind of security defect—flaws—are the result of a mistake in the design or requirements. The developer could write the code correctly and implement exactly what the design calls for, but there ...