Web applications are becoming more and more complex. They often act as the Internet-facing interface to a range of business-critical resources on the back end: networked resources such as web services, back-end web servers and mail servers, and local resources such as file systems and interfaces to the operating system.
Usually, the application server acts as a discretionary access control layer in front of these back-end components. Any attack that succeeds in interacting directly with a back-end component can subvert the entire access control model implemented by the web application, giving the attacker unauthorized access to sensitive data and functionality.
When data is passed from one component to another, it is interpreted by a different set of APIs and interfaces. Data that the core application deems “safe” may be unsafe within the onward component, which may recognise different encodings, escape characters and string delimiters.
Further, the onward component may provide far more functionality than the application normally invokes. An attacker who exploits an injection flaw can frequently do more than break the application’s access control: by driving the extra functionality exposed by the back-end component, they can compromise key parts of the organisation’s infrastructure.
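The two points above (data “safe” for one component is unsafe for the next, and the onward component does more than the application ever asks of it) can be shown without executing anything. The following is an added example and not code from the original page: it assumes a hypothetical application whose only sanitisation is SQL-style quote escaping, a hypothetical `ping` feature that interpolates a user-supplied host into a shell command line, and an LDAP login filter. The shell tokeniser used here is Python’s `shlex` in punctuation mode, which splits the line the way `/bin/sh` would but never runs it.

```python
"""Added example (not from the original page). The helper names, the ping
command template and the sample inputs are hypothetical, chosen to illustrate
per-component escaping."""
import re
import shlex
from typing import List

# The core application's notion of "safe": it escapes the SQL string delimiter.
# Correct for an SQL sink, irrelevant for every other sink.
def sql_escape(value: str) -> str:
    return value.replace("'", "''")

# RFC 4515 escaping for LDAP search-filter values. A completely different set
# of metacharacters from SQL, none of which sql_escape() touches.
_LDAP_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def ldap_filter_escape(value: str) -> str:
    return "".join(_LDAP_SPECIALS.get(ch, ch) for ch in value)

# How the onward component (/bin/sh) would tokenise a command line.
# punctuation_chars=True makes shlex emit ; | & ( ) < > as their own tokens,
# mirroring the shell's grammar. Nothing is executed.
def shell_tokens(command_line: str) -> List[str]:
    return list(shlex.shlex(command_line, posix=True, punctuation_chars=True))

def commands_seen_by_shell(command_line: str) -> List[List[str]]:
    """Split the token stream into the separate simple commands sh would run."""
    commands: List[List[str]] = []
    current: List[str] = []
    for tok in shell_tokens(command_line):
        if tok in (";", "|", "&&", "||", "&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands

# Vulnerable path: data the application considers "safe" (SQL-escaped) is
# concatenated into a shell command line. The shell's delimiter is ';', not "'",
# so the attacker gets the whole of the shell's functionality, not just ping.
def build_ping_vulnerable(host: str) -> str:
    return "ping -c 1 " + sql_escape(host)

# Hardened path: validate against the grammar the sink actually needs (a
# hostname) and hand the sink an argv list so no shell interprets it
# (e.g. subprocess.run(build_ping_hardened(host), check=True)).
_HOSTNAME = re.compile(r"[A-Za-z0-9.-]{1,253}")

def build_ping_hardened(host: str) -> List[str]:
    if not _HOSTNAME.fullmatch(host):
        raise ValueError("host contains characters that cannot appear in a hostname")
    return ["ping", "-c", "1", host]

# Same story for the LDAP sink: the SQL-escaped value still carries the filter
# delimiters '(' ')' '*', so the attacker controls filter structure; the
# RFC 4515-escaped value is a single literal assertion value.
def build_login_filter_vulnerable(username: str) -> str:
    return f"(&(uid={sql_escape(username)})(memberOf=cn=staff,ou=groups,dc=example,dc=com))"

def build_login_filter_hardened(username: str) -> str:
    return f"(&(uid={ldap_filter_escape(username)})(memberOf=cn=staff,ou=groups,dc=example,dc=com))"

if __name__ == "__main__":
    hostile_host = "example.com; cat /etc/passwd"   # constructed sample input
    print(commands_seen_by_shell(build_ping_vulnerable(hostile_host)))
    print(build_login_filter_vulnerable("*)(uid=*"))
    print(build_login_filter_hardened("*)(uid=*"))
```

The point of `commands_seen_by_shell` is that the escaping decision belongs at each sink, in that sink’s grammar: the same string is one hostname to the application, two commands to the shell and three assertions to an LDAP server. Where the sink offers a structured interface (argv lists, parameterised queries, an LDAP library that escapes filter values), that interface removes the string boundary entirely and is preferable to hand-rolled escaping.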