In this chapter, Mallory wreaks havoc on Alice, Bob, and Charlie with a half dozen attacks. These attacks, and their countermeasures, are not as complicated as the attacks I cover later. Each attack in this chapter follows a pattern: Mallory abuses a system or user with malicious input. These attacks arrive as many different forms of input: package dependencies, YAML, XML, HTTP, and SQL. The goals of these attacks include data corruption, privilege escalation, and unauthorized data access. Input validation is the antidote for every one of these attacks.
Many of the attacks I cover in this chapter are injection attacks. (You learned about injection attacks in the previous chapter.) In a typical injection attack, malicious input is injected into, and immediately executed by, a running system. For this reason, programmers have a tendency to overlook the atypical scenario I start with in this chapter. In this scenario, the injection happens upstream, at build time; the execution happens downstream, at runtime.