AppSec Blog: Author - Frank Kim

Top 25 Series - Rank 15 - Improper Check for Unusual or Exceptional Conditions

CWE-754 happens when "software does not check or improperly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the software." [1] Take the following snippet of Java code as an example:

    private static final int ROLE_ADMIN = 0;
    private static final int ROLE_USER = 1;
    …


Top 25 Series - Rank 6 - Reliance on Untrusted Inputs in a Security Decision

During a code review I came across code that looked like this:

    // for testing only
    String testId = request.getParameter("secretId");
    if (testId != null && !testId.equals(""))
        id = testId;
    else
        id = codeToLookupTheRealId();

This code allows a malicious user to perform an access control bypass attack by simply supplying the "secretId" parameter in the request. …


Top 25 Series - Rank 5 - Improper Access Control (Authorization)

Foursquare is a mobile app that lets you "check in" to a location and tell your friends about it. If you check in someplace often enough you can, among other things, become the "mayor" of that location. If you're the mayor you can even sometimes win free food [1]. Normally, people are supposed to actually …


Following a Trail of Breadcrumbs - A Design Flaw in Yahoo! Mail

It's my pleasure to post this guest blog from my colleague and fellow security professional, Khash Kiani, about an interesting design flaw in Yahoo! Mail. Intent: The ultimate goal of this exercise was to reveal a few fundamental design flaws with the authentication mechanism of Yahoo! Mail, more specifically its password reset scheme. The exercise …


Top 25 Series - Rank 2 - SQL Injection

Item #2 in this year's Top 25 is CWE-89 [1]. It is officially called Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection'). There are many public examples that show the devastating impact that SQL Injection can have, including the Mass SQL Injection attacks that began in 2008 [2,3,4] as well as …