Unsafe Input; Beyond the Obvious and Poisoning the Cache
Probably the most fundamental tenet of Web Application Security is that you cannot trust user input. However, beyond the basics this principle can extend into some unexpected places. We'll discuss what bad actors can potentially achieve if they can provide input which "slips under the radar", with some illustrations including recent vulnerabilities from Drupal contrib. We'll look at how caching - which is an essential component of most web application's performance - can be abused.