AppSec Blog: Category - Spot the Vuln

Spot the Vuln - Character - Cross Site Scripting

Details Affected Software: PhotoSmash Fixed in Version: 1.0.5 Issue Type: Cross Site Scripting (XSS) Original Code: Found Here Description Once again, we see the familiar pattern of the developer taking user/attacker controlled values and using those values to build HTML markup. Line 76 is the start of a large echo statement which writes a couple … Continue reading Spot the Vuln - Character - Cross Site Scripting


Spot the Vuln - Character

Knowledge will give you power, but character respect. - Bruce Lee Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every … Continue reading Spot the Vuln - Character


Spot the Vuln - Reasoning - Cross Site Scripting

Details Affected Software: FreePBX Fixed in Version: 2.9 Issue Type: Cross Site Scripting (XSS) Original Code: Found Here Description To be honest, I was a little confused by this week's patch. There are several XSS bugs in this code. Originally, the vulnerable code would take a tainted $_REQUEST value (a value from a GET, POST, … Continue reading Spot the Vuln - Reasoning - Cross Site Scripting


Spot the Vuln - Reasoning

Man is a reasoning rather than a reasonable animal. - Alexander Hamilton. Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. … Continue reading Spot the Vuln - Reasoning


Spot the Vuln - Radical - Cross Site Scripting

Details Affected Software: BezahlCode-Generator Fixed in Version: 1.1 Issue Type: Cross Site Scripting (XSS) Original Code: Found Here Description A couple straightforward XSS bugs. $_REQUEST will create an associative array which contains the contents of $_GET, $_POST, and $_COOKIE which are all user/attacker controllable. These variables are then used to create HTML markup. Security bugs … Continue reading Spot the Vuln - Radical - Cross Site Scripting