AppSec Blog: Author - Billy Rios

Spot the Vuln - Charming

"It is absurd to divide people into good and bad. People are either charming or tedious." (Oscar Wilde)

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to …


Spot the Vuln - Proportion - Cross Site Scripting

Details
Affected Software: Lazyest-Gallery
Fixed in Version: 0.9
Issue Type: Cross Site Scripting (XSS)
Original Code: Found Here

Details
For most security issues, I give the developer the benefit of the doubt. It's tough to keep track of all the corner cases and security nuances. For this diff, however, there is no excuse. First, let's …


Spot the Vuln - Proportion

"Rocket science has been mythologized all out of proportion to its true difficulty." (John Carmack)

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the …


Spot the Vuln - Invincible - Cross Site Scripting

Details
Affected Software: WPhone Plug-in
Fixed in Version: 1.5.2
Issue Type: Cross Site Scripting (XSS)
Original Code: Found Here

Details
This bug is a straightforward XSS bug. Once again, we see the familiar $_SERVER['PHP_SELF'] variable being echoed back to the user without any encoding. The fix is simple: remove the value for the ACTION form …


Spot the Vuln - Invincible

"In ancient times skillful warriors first made themselves invincible, and then watched for vulnerability in their opponents." (Sun Tzu)

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try …