AppSec Blog

Four Attacks on OAuth - How to Secure Your OAuth Implementation

This article briefly introduces an emerging open-protocol technology, OAuth, and presents scenarios and examples of how insecure implementations of OAuth can be abused maliciously. We examine the characteristics of some of these attack vectors, and discuss ideas on countermeasures against possible attacks on users or applications that have implemented this protocol. An Introduction to the …


Spot the Vuln - Flag

Every normal man must be tempted, at times, to spit upon his hands, hoist the black flag, and begin slitting throats. ~H.L. Mencken Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the …


Spot the Vuln - Character - Cross Site Scripting

Details Affected Software: PhotoSmash Fixed in Version: 1.0.5 Issue Type: Cross Site Scripting (XSS) Original Code: Found Here Description Once again, we see the familiar pattern of the developer taking user/attacker controlled values and using those values to build HTML markup. Line 76 is the start of a large echo statement which writes a couple …
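The pattern the excerpt describes, an attacker-controlled value concatenated straight into HTML, is shown below beside its hardened form. This is an added illustration written for this page, not PhotoSmash's code and not the snippet from the post; the `render_*` function names, the `title` parameter and the attack string are constructed for the example.

```php
<?php
// Added example (not PhotoSmash code): a user-controlled value echoed
// into HTML markup, beside the hardened version of the same output.

// Vulnerable: $params['title'] (think $_GET['title']) lands unescaped
// both inside an attribute value and as element text.
function render_vulnerable(array $params): string
{
    $title = $params['title'] ?? '';
    return '<div class="gallery" title="' . $title . '">' . $title . '</div>';
}

// Hardened: escape at the point of output for the HTML context in use.
// ENT_QUOTES encodes both quote styles, so the value is safe inside
// single- or double-quoted attributes as well as in element text;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning '' silently.
function render_hardened(array $params): string
{
    $title = htmlspecialchars(
        $params['title'] ?? '',
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return '<div class="gallery" title="' . $title . '">' . $title . '</div>';
}

// Constructed attacker input: closes the title attribute and the tag,
// then injects an element with an event handler.
$attack = ['title' => '"><img src=x onerror=alert(1)>'];

echo "Vulnerable:\n", render_vulnerable($attack), "\n\n";
echo "Hardened:\n", render_hardened($attack), "\n";
```

Run it with `php example.php` and compare the two outputs: in the first, the quote and `>` in the input terminate the attribute and the `<img>` is emitted as live markup; in the second they arrive as `&quot;` and `&gt;`, so the browser renders the payload as text. In a WordPress plugin the same fix is spelled `esc_attr()` for attribute values and `esc_html()` for element text; the point is identical, escape for the output context rather than trusting the input.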


Taming the Beast - The Floating Point DoS Vulnerability

Originally posted as Taming the Beast. The recent multi-language numerical parsing DoS bug has been named the "Mark of the Beast". Some claim that this bug was first reported as early as 2001. This is a significant bug in (at least) PHP and Java. Similar issues have affected Ruby in the past. This bug has left …


Spot the Vuln - Character

Knowledge will give you power, but character respect. - Bruce Lee Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every …