Vulnerabilities

In Zap BI

Injection

Forgery

Hijacking

Denial

Spam

Encryption

This just scratches the surface

Full list at OWASP

https://www.owasp.org/index.php/Category:Attack

Invalid input allowing a user to run code or access data that is otherwise unavailable

<script src="http://example.com/malicious.js"></script>

Some (not all) targets:

• Rich text objects
• MDX
• Resource names/descriptions
• AS member names
• Localization

Make CSRF requests to other sites

Inject hidden frames to "like" sites for pagerank

(known as clickjacking)

Read/write to ANYTHING on the page

(delete resources, mess with permissions, etc)

Ultimately Google will mark page as containing malware

Not sure if we're vulnerable

Consider searching for:

'); INSERT INTO (/*Whatever needed to give arbitrary admin privileges */); SELECT 0 FROM Dual WHERE '' = '

SQL injection probably won't work on our stuff

But XPath injection will

Known issue

We'll need to rely on cube security

Slicers especially need to be checked

Masquerading as another user to perform an otherwise inaccessible action

Someone sends me a link to a page with the following html while I'm logged in

<img src="http://zapDemo.com/GrantAdminAccess?username=MaliciousGuy101" />

MaliciousGuy101 now has admin access

Piggy backing on top of another user's session or credentials

Impersonating another user by using their session id

Probably Forms Authentication only

HTTPS solves this - ensure no insecure items sent

Causing the server load to increase to a point where it cannot function anymore

Just print something

Or go to print design mode

Or write a big query

Or import some massive thing