AppSec Blog

Spot the Vuln - Writing

"Writing is a struggle against silence."
Carlos Fuentes

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution …


Spot the Vuln - Imagination - XSS and XSRF

Details
Affected Software: Zeus C&C
Fixed in Version: ?
Issue Type: XSS and XSRF
Original Code: Found Here

Details
This week's bugs affect Zeus C&C 1.1.0.0. The file we're looking at is mod.bcmds.php. The first thing that popped out at me was the named constant "QUERY_STRING", which is used in various places in the code. Although …
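The two bug classes named above, reflected XSS and XSRF, both arise when a page takes the raw query string and writes it into a form that performs a state-changing action. The snippet below is an added example written for this page, not the Zeus mod.bcmds.php code: the query string, the form field names (cmd, csrf) and the page name index.php are all constructed for the demo, and on a real request the value would come from $_SERVER['QUERY_STRING'].

```php
<?php
// Added example (not the Zeus C&C code). A constructed query string standing in
// for $_SERVER['QUERY_STRING']; it closes the attribute and injects script.
$qs = 'bot=abc"><script>alert(1)</script><a href="';

// Vulnerable: the raw query string is concatenated into an attribute value
// (reflected XSS) and the form that issues a command carries no token (XSRF).
function render_form_vulnerable(string $qs): string {
    return '<form method="post" action="index.php?' . $qs . '">'
         . '<input type="hidden" name="cmd" value="reboot">'
         . '<input type="submit"></form>';
}

// Hardened: escape for the HTML attribute context and bind the form to a
// per-session token that the POST handler must see again.
function render_form_hardened(string $qs, string $token): string {
    $safeQs    = htmlspecialchars($qs, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeToken = htmlspecialchars($token, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="index.php?' . $safeQs . '">'
         . '<input type="hidden" name="csrf" value="' . $safeToken . '">'
         . '<input type="hidden" name="cmd" value="reboot">'
         . '<input type="submit"></form>';
}

// Handler side: reject the POST unless the submitted token matches the one
// issued with the form. hash_equals() avoids a timing side channel.
function csrf_ok(array $post, string $issued): bool {
    return isset($post['csrf']) && is_string($post['csrf'])
        && hash_equals($issued, $post['csrf']);
}

// On a real site the token lives in $_SESSION; here it is just a local.
$token = bin2hex(random_bytes(16));

echo "vulnerable:\n", render_form_vulnerable($qs), "\n\n";
echo "hardened:\n",   render_form_hardened($qs, $token), "\n\n";

// A cross-site POST can supply cmd, but cannot know the per-session token.
var_dump(csrf_ok(['cmd' => 'reboot'], $token));
var_dump(csrf_ok(['cmd' => 'reboot', 'csrf' => $token], $token));
```

Run it with the PHP CLI (php file.php) and compare the two rendered forms: in the vulnerable one the injected script tag is live markup, in the hardened one it is inert text inside the action attribute, and the handler refuses the forged POST.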


Spot the Vuln - Imagination

"I am enough of an artist to draw freely upon my imagination. Imagination is more important than knowledge. Knowledge is limited. Imagination encircles the world."
Albert Einstein

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take …


Spot the Vuln - Shape - SQL Injection

Details
Affected Software: Zunkerbot C&C
Fixed in Version: Not Patched
Issue Type: SQL Injection
Original Code: Found Here

Details
This week's bug affects task.php in the Zunkerbot C&C. Looking at line 5, we see that runtime magic quotes are enabled: set_magic_quotes_runtime(1); Obviously, this was done by the malware author to prevent SQL injection attacks. Assuming …
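Why magic quotes do not deliver the protection the author apparently expected: magic_quotes_runtime only backslash-escapes data that PHP reads back from external sources such as files and database results, never $_GET or $_POST (that was magic_quotes_gpc, an ini setting that cannot be turned on from code), and even gpc-style escaping only puts a backslash before quote characters, which does nothing for a value dropped into an unquoted numeric context. The snippet below is an added example written for this page, not the Zunkerbot task.php code: the tasks table, its rows and the id value are constructed for the demo, and addslashes() stands in for what magic_quotes_gpc would have done. Both magic-quotes settings were removed in PHP 7, so the example does not call set_magic_quotes_runtime() and runs on a current PHP with pdo_sqlite.

```php
<?php
// Added example (not the Zunkerbot task.php code). In-memory SQLite with a
// constructed tasks table so the two queries can be compared offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tasks (id INTEGER PRIMARY KEY, bot TEXT, cmd TEXT)');
$db->exec("INSERT INTO tasks VALUES (1, 'bot-a', 'update'), (2, 'bot-b', 'sleep'), (3, 'bot-c', 'exit')");

// A constructed ?id= value. It contains no quote character, so
// backslash-escaping (magic_quotes_gpc / addslashes) leaves it untouched.
$id = '1 OR 1=1';

// Vulnerable: the value is escaped the way magic quotes would escape it and
// then concatenated into an unquoted numeric comparison.
function tasks_for_vulnerable(PDO $db, string $id): array {
    $escaped = addslashes($id);   // identical to $id here: nothing to escape
    $sql = "SELECT id, bot, cmd FROM tasks WHERE id = $escaped";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: validate the shape of the input, then bind it as an integer so
// the database never parses it as SQL.
function tasks_for_hardened(PDO $db, string $id): array {
    if (!ctype_digit($id)) {
        return [];                 // not a task id at all; refuse it
    }
    $stmt = $db->prepare('SELECT id, bot, cmd FROM tasks WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("vulnerable: %d row(s) returned for id=%s\n", count(tasks_for_vulnerable($db, $id)), $id);
printf("hardened:   %d row(s) returned for id=%s\n", count(tasks_for_hardened($db, $id)), $id);
printf("hardened:   %d row(s) returned for id=2\n", count(tasks_for_hardened($db, '2')));
```

The vulnerable query returns every row because the injected OR 1=1 becomes part of the WHERE clause; the hardened version rejects the same input outright and, for a legitimate id, returns exactly one row. The lesson carries over to the magic_quotes_gpc case as well: escaping quotes is the wrong layer, and a bound parameter or a type check is what actually separates data from SQL.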


Spot the Vuln - Shape

"I was scared I was going to have some weird shape to my head and I was pleased that I didn't."
Edward Furlong

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the …