In his talk at DeepSec 2013, Shay Chen (Hacktics ASC, Ernst & Young) explains attacks originating from backends: "Although applications without security flaws are still considered a fairy tale, the implementation of application security mechanisms is improving.
Authentication enforcement procedures, privilege enforcement layers, input validation mechanisms, web application firewalls and a wide variety of security controls have become an integral part of many applications.
This is where session puzzling and session race conditions (TSRC) come in.
These under-emphasized attack patterns are designed to allow both new and traditional attack vectors to bypass security mechanisms and attack the application from a trusted resource: the session attributes and database values – *locations that are rarely validated*.
Their detection process, however, was tedious, long, and in many cases, even arbitrary… until now.
The release of the Diviner project enhances the detection process, helping pen-testers to identify these exposures, bypass traditional security mechanisms, and justify the implementation of designated session variable overloading prevention mechanisms."
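As an added illustration of the pattern the abstract describes (constructed for this page, not code from the talk or from the Diviner project), the Python below shows two flows sharing one session namespace: a password-recovery step stores the username under the same key the authenticated area trusts, so finishing only that step passes the check, while the hardened variant scopes the key to its flow and requires a flag that only a verified login sets. All class names, keys and sample credentials are assumptions.

```python
# Constructed example of session puzzling; not the talk's or Diviner's code.
# A password-recovery wizard and the login check share one session namespace.
VALID_USERS = {"alice": "correct horse"}  # constructed sample credentials

class VulnerableApp:
    """Both flows write the same key, so the account check cannot tell a
    completed login from a half-finished password recovery."""
    def __init__(self):
        self.session = {}  # server-side session attributes

    def login(self, username, password):
        if VALID_USERS.get(username) == password:
            self.session["user"] = username
            return True
        return False

    def recovery_step1(self, username):
        # Identity is stored before any proof (reset token) is checked.
        if username in VALID_USERS:
            self.session["user"] = username
            return True
        return False

    def account_page(self):
        return "user" in self.session  # trusts the attribute blindly

class HardenedApp(VulnerableApp):
    """Flow-scoped keys plus an explicit flag that only login sets."""
    def login(self, username, password):
        if VALID_USERS.get(username) == password:
            self.session["auth_user"] = username
            self.session["authenticated"] = True
            return True
        return False

    def recovery_step1(self, username):
        if username in VALID_USERS:
            self.session["recovery_user"] = username  # only recovery reads it
            return True
        return False

    def account_page(self):
        return self.session.get("authenticated") is True and "auth_user" in self.session

def puzzle_grants_access(app_cls):
    """Run only the first recovery step, then request the protected page."""
    app = app_cls()
    app.recovery_step1("alice")  # no password and no reset token supplied
    return app.account_page()
```

The same check, applied to values an earlier flow wrote into the database rather than the session, is the reason the abstract lists both as rarely validated locations.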