AppSec Blog: Category - Spot the Vuln

Spot the Vuln - Invincible - Cross Site Scripting

Affected Software: WPhone Plug-in
Fixed in Version: 1.5.2
Issue Type: Cross Site Scripting (XSS)
Original Code: Found Here

Details: This bug is a straightforward XSS bug. Once again, we see the familiar $_SERVER['PHP_SELF'] variable being echoed back to the user without any encoding. The fix is simple: remove the value for the ACTION form …
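The following is an added example, not code from the WPhone plug-in or from the original post. It shows why a raw $_SERVER['PHP_SELF'] inside a form action is reflected XSS, the fix the excerpt describes (dropping the action value), and the alternative of encoding for the attribute context. The request path, function names and the simulated PHP_SELF value are all constructed for illustration; the example assumes the web server has already URL-decoded the trailing path info, which is the usual behaviour.

```php
<?php
// Added example (hypothetical helpers, not the plugin's code).
//
// PHP_SELF is the script path plus any trailing path info, so a request such as
//   /wp-admin/options.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E
// gives PHP_SELF a value that contains attacker-chosen characters.

// Vulnerable pattern: request-controlled data placed unencoded in an attribute.
function form_vulnerable(): string {
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
}

// Fix described in the post: do not emit the action value at all. A form with
// no action (or an empty one) submits to the URL that served the page, so no
// request-controlled data reaches the markup.
function form_fixed_no_action(): string {
    return '<form method="post">';
}

// Alternative fix if the path really must be echoed: encode for the HTML
// attribute context. ENT_QUOTES makes sure both " and ' are converted.
function form_fixed_encoded(): string {
    return '<form method="post" action="'
        . htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8')
        . '">';
}

// Constructed value simulating the request above after server-side decoding
// (assumption: the server URL-decodes path info before populating PHP_SELF).
$_SERVER['PHP_SELF'] = '/wp-admin/options.php/"><script>alert(1)</script>';

echo form_vulnerable(), "\n";      // the quote closes the attribute; the script tag lands in the page
echo form_fixed_no_action(), "\n"; // nothing request-controlled is emitted
echo form_fixed_encoded(), "\n";   // " < > become &quot; &lt; &gt; and stay inside the attribute
```

Run it from the command line with php to compare the three outputs. The same reasoning applies to $_SERVER['REQUEST_URI'] and $_SERVER['QUERY_STRING']: anything derived from the request line is attacker-controlled and needs context-appropriate encoding before it is written into a page.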


Spot the Vuln - Invincible

In ancient times skillful warriors first made themselves invincible, and then watched for vulnerability in their opponents. ~Sun Tzu

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try …


Spot the Vuln - Curiosity - SQL Injection

Affected Software: Comment-Rating Plugin
Fixed in Version: 2.9.24
Issue Type: SQL Injection (SQLi)
Original Code: Found Here

Details: This week's vulnerability was a tricky one. The bug patched in this change list affected the Comment-Rating plugin for WordPress (fixed in 2.9.24). Let's take the bug step by step. First, the application takes a …


Spot the Vuln - Flag - Cross Site Scripting

Affected Software: Drupal Core
Fixed in Version: 6.1
Issue Type: Cross Site Scripting (XSS)
Original Code: Found Here

Details: This week's cross site scripting vulnerability is somewhat unusual in that it exists in JavaScript rather than server-side code. The checkPlain function is used to output-encode data fetched via Ajax/XHR (for instance, dynamically loading …


Spot the Vuln - Flag

Every normal man must be tempted, at times, to spit upon his hands, hoist the black flag, and begin slitting throats. ~H.L. Mencken

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the …