
Incomplete Mediation

Incomplete mediation occurs when a computer program leaves sensitive data in an exposed, uncontrolled condition. The vulnerability occurs primarily in web URLs that expose data in such a way that a user who alters the URL can manipulate the program or website. For example, if a website returned the URL http://www.somesite.com/subpage/userinput&phone=8885551212&date=20070101 in response to a particular request, the user could change what clearly looks like a phone number and a date in the URL. Depending on how robust the particular program is, this might result in one of several outcomes. The program might simply crash. It might return an error, if some sort of error condition has been programmed in. It might fall back to some sort of default condition, or end up in any number of other states. However, it might also allow the user to manipulate the program to some desired and malicious effect.
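The difference between a handler that trusts the URL and one that mediates every request can be shown with the phone and date parameters from the URL above. This is an added example, not code from the original page; the record store, the owner field, the `session_user` argument and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs

# Constructed sample data: records keyed by (phone, date), each with an owner.
RECORDS = {
    ("8885551212", "20070101"): {"owner": "alice", "data": "alice's record"},
    ("8885550000", "20070102"): {"owner": "bob", "data": "bob's record"},
}

class Rejected(Exception):
    """Raised when the server-side check refuses a request."""

def lookup_unmediated(query):
    """Trusts whatever the URL carries: no format check, no ownership check.
    A malformed or missing parameter surfaces as an unhandled KeyError."""
    p = parse_qs(query)
    return RECORDS[(p["phone"][0], p["date"][0])]["data"]

def lookup_mediated(query, session_user):
    """Re-checks every parameter on the server, then checks that the
    record belongs to the signed-in user before returning it."""
    p = parse_qs(query, keep_blank_values=True)
    # Exactly the two expected parameters, each supplied once.
    if set(p) != {"phone", "date"} or any(len(v) != 1 for v in p.values()):
        raise Rejected("unexpected or repeated parameter")
    phone, date = p["phone"][0], p["date"][0]
    if not re.fullmatch(r"[0-9]{10}", phone):
        raise Rejected("malformed phone")
    if not re.fullmatch(r"[0-9]{8}", date):
        raise Rejected("malformed date")
    try:
        datetime.strptime(date, "%Y%m%d")  # rejects e.g. month 13
    except ValueError:
        raise Rejected("malformed date")
    record = RECORDS.get((phone, date))
    # Same answer for "missing" and "not yours", so the reply does not
    # reveal which phone/date pairs exist.
    if record is None or record["owner"] != session_user:
        raise Rejected("no such record")
    return record["data"]
```
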

In the example URL above, for instance, a malicious user might try different phone numbers or dates and therefore might be able to access the personal information of other users, assuming that the phone number and date strings are used as identifying information. In another example,

Topic revision: r4 - 14 Feb 2014 - 15:14:59 - norqu036