AppSec Blog

Spot the Vuln - Rabbit

"Silly rabbit, why you sweatin' me?" Tupac Shakur. Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is …


Safer Software through Secure Frameworks

We have to make it easier for developers to build secure apps, especially Web apps. We can't keep forcing everybody who builds an application to understand and plug all of the stupid holes in how the Web works on their own, and to do this perfectly right every time. It's not just wasteful: it's …


Spot the Vuln - Third - SQL Injection

Details
Affected Software: Ninja Announcements
Fixed in Version: 1.3
Issue Type: SQL Injection
Original Code: Found Here

Details
Lots of potential issues here, but we'll focus on what was patched. Here we have a basic SQL injection vulnerability. The bug is the most simple example of tracing a variable from assignment to usage. On line …


Spot the Vuln - Third

"Sullivan's Law: When given the choice between two alternatives, always pick the third!" Patrick H. Sullivan. Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where …


Spot the Vuln - Action - Defense in Depth

Details
Affected Software: PixelPost
Fixed in Version: ?
Issue Type: Insecure password reset functionality
Original Code: Found Here

Details
This week's bug is more of a design issue as opposed to an implementation issue. I actually first heard about this code from SkullSecurity's excellent "Hacking Crappy Password Resets" articles published in late March. …