When an attacker can control what is returned by the server, the victim becomes vulnerable to security issues such as Cross Site Scripting. In the case of HTTP servers, this is a well known issue and therefore modern web servers do not exhibit this behavior by default. However this is not the case with other kinds of servers such as SMTP (Simple Mail Transfer Protocol) or FTP (File Transfer Protocol) servers, often these servers will echo back error messages containing user input. When this user input can be controlled by the attacker, bad things can happen.
Download the paper in PDF format here.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.