AppSec Blog

ASP.Net 4: Change the Default Encoder

In ASP.NET 4.0, Microsoft added the ability to replace the default encoder: you derive from System.Web.Util.HttpEncoder and register the subclass in web.config. The override covers the HtmlEncode, HtmlAttributeEncode, and UrlEncode functionality. From a security standpoint, these functions are used to help mitigate cross-site scripting (XSS). The problem with the built-in .NET routines is that they are built on a black-list methodology, … Continue reading ASP.Net 4: Change the Default Encoder
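As an added illustration (this is not the blog post's own code, nor Microsoft's), the skeleton below shows what such a replacement encoder looks like: an allow-list HttpEncoder subclass for ASP.NET 4.0 that escapes everything it has not explicitly marked safe for the target context. The class name, the contents of the allow list, and the assembly name used when registering it are assumptions made for the example.

```csharp
using System;
using System.IO;
using System.Text;
using System.Web.Util;

// Hypothetical allow-list encoder (example code, not from the original post).
// Instead of listing the characters that are dangerous, it lists the characters
// that are known to be harmless and escapes everything else, so a character that
// was forgotten cannot slip through the way it can with a black list.
public class AllowListHttpEncoder : HttpEncoder
{
    // Characters passed through unchanged in HTML text and attribute contexts.
    // Deliberately small; widen it per context and on purpose, never by default.
    private static bool IsSafeForHtml(char c)
    {
        return (c >= 'a' && c <= 'z')
            || (c >= 'A' && c <= 'Z')
            || (c >= '0' && c <= '9')
            || c == ' ' || c == '.' || c == ',' || c == '-' || c == '_';
    }

    // Emits a numeric character reference (&#NNNN;) for everything outside the
    // allow list. Surrogate pairs are combined first so a non-BMP character becomes
    // one valid reference rather than two invalid ones.
    private static void EncodeHtmlLike(string value, TextWriter output, bool allowSpace)
    {
        if (value == null) return;
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            if (IsSafeForHtml(c) && (allowSpace || c != ' '))
            {
                output.Write(c);
                continue;
            }
            int codePoint = c;
            if (char.IsHighSurrogate(c) && i + 1 < value.Length && char.IsLowSurrogate(value[i + 1]))
            {
                codePoint = char.ConvertToUtf32(c, value[i + 1]);
                i++;
            }
            output.Write("&#");
            output.Write(codePoint);
            output.Write(';');
        }
    }

    // HttpUtility.HtmlEncode, Server.HtmlEncode and the <%: %> syntax end up here.
    protected override void HtmlEncode(string value, TextWriter output)
    {
        EncodeHtmlLike(value, output, allowSpace: true);
    }

    // HttpUtility.HtmlAttributeEncode ends up here. Space is escaped as well, so a
    // value placed in an unquoted attribute cannot start a new attribute.
    protected override void HtmlAttributeEncode(string value, TextWriter output)
    {
        EncodeHtmlLike(value, output, allowSpace: false);
    }

    // HttpUtility.UrlEncode ends up here with the UTF-8 bytes of the input string.
    // Only RFC 3986 unreserved characters survive; everything else becomes %XX
    // (note: the stock encoder emits '+' for a space, this one emits %20).
    protected override byte[] UrlEncode(byte[] bytes, int offset, int count)
    {
        if (bytes == null) return null;
        var sb = new StringBuilder(count * 3);
        for (int i = offset; i < offset + count; i++)
        {
            byte b = bytes[i];
            bool unreserved = (b >= 'a' && b <= 'z')
                || (b >= 'A' && b <= 'Z')
                || (b >= '0' && b <= '9')
                || b == '-' || b == '_' || b == '.' || b == '~';
            if (unreserved) sb.Append((char)b);
            else sb.Append('%').Append(b.ToString("X2"));
        }
        return Encoding.ASCII.GetBytes(sb.ToString());
    }
}
```

To make the application use it, the class is registered under `<system.web>` in web.config with `<httpRuntime encoderType="AllowListHttpEncoder, MyWebAssembly" />` (the assembly name is assumed here). After that, every call to HttpUtility.HtmlEncode, HtmlAttributeEncode and UrlEncode in the application, including the ones made by the framework's own controls, goes through the allow-list logic without any page code changing. Microsoft's AntiXSS library ships its own HttpEncoder subclass built on the same allow-list principle, which is the one to reach for in production rather than a hand-rolled encoder.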


Spot the Vuln - Writing

"Writing is a struggle against silence." - Carlos Fuentes

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution … Continue reading Spot the Vuln - Writing


Spot the Vuln - Imagination - XSS and XSRF

Affected Software: Zeus C&C
Fixed in Version: ?
Issue Type: XSS and XSRF
Original Code: Found Here

This week's bugs affected Zeus C&C 1.1.0.0. The file we're looking at is mod.bcmds.php. The first thing that popped out at me was the named constant "QUERY_STRING" that's being used in various places in the code. Although … Continue reading Spot the Vuln - Imagination - XSS and XSRF


Spot the Vuln - Imagination

"I am enough of an artist to draw freely upon my imagination. Imagination is more important than knowledge. Knowledge is limited. Imagination encircles the world." - Albert Einstein

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take … Continue reading Spot the Vuln - Imagination


Spot the Vuln - Shape - SQL Injection

Affected Software: Zunkerbot C&C
Fixed in Version: Not Patched
Issue Type: SQL Injection
Original Code: Found Here

This week's bug affects task.php in the Zunkerbot C&C. Looking at line 5, we see that magic quotes is set: set_magic_quotes_runtime(1); Obviously, this was done by the malware author to prevent SQL injection attacks. Assuming … Continue reading Spot the Vuln - Shape - SQL Injection