AppSec Blog: Category - Spot the Vuln

Spot the Vuln - Bases - Cross Site Scripting

Details
Affected Software: Ask Apache Password Protect
Fixed in Version: 4.6
Issue Type: Cross Site Scripting
Original Code: Found Here

Pretty straightforward XSS here. On line 150 we see that the author calls print_r on $_SERVER. $_SERVER is full of tainted variables, and print_r will print all of the tainted values, resulting in XSS. The developers …


Spot the Vuln - Bases

"I have only one superstition. Touch all the bases when I hit a home run." - Babe Ruth

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify …


Spot the Vuln - Assassins - Cross Site Scripting

Details
Affected Software: WordPress Core
Fixed in Version: 2.2-alpha
Issue Type: Cross Site Scripting
Original Code: Found Here

A couple of bugs affecting WordPress core here. On line 73, we see that $_SERVER['REQUEST_URI'] is passed to add_query_arg(). From the provided code sample, it's difficult to see that this results in XSS. The developers addressed …


Spot the Vuln - Assassins

"I do not like assassins, or men of low character." - Gene Hackman

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. …


Spot the Vuln - Fall - Cross Site Scripting

Details
Affected Software: Cubed
Fixed in Version: 1.0 RC2
Issue Type: Cross Site Scripting
Original Code: Found Here

This week's patch is a good one. The code sample was basically a library that only contained functions. While there isn't a blatant vulnerability in the library, there is a startling function called "PrepDataForScript". Looking at …