AppSec Blog

Taming the Beast - The Floating Point DoS Vulnerability

Originally posted as "Taming the Beast". The recent multi-language numerical parsing DoS bug has been named the "Mark of the Beast". Some claim that this bug was first reported as early as 2001. This is a significant bug in (at least) PHP and Java. Similar issues have affected Ruby in the past. This bug has left …


Spot the Vuln - Character

"Knowledge will give you power, but character respect." - Bruce Lee. Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real-world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every …


Spot the Vuln - Reasoning - Cross Site Scripting

Details: Affected Software: FreePBX; Fixed in Version: 2.9; Issue Type: Cross Site Scripting (XSS); Original Code: Found Here. Description: To be honest, I was a little confused by this week's patch. There are several XSS bugs in this code. Originally, the vulnerable code would take a tainted $_REQUEST value (a value from a GET, POST, …


Spot the Vuln - Reasoning

"Man is a reasoning rather than a reasonable animal." - Alexander Hamilton. Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real-world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. …


Spot the Vuln - Radical - Cross Site Scripting

Details: Affected Software: BezahlCode-Generator; Fixed in Version: 1.1; Issue Type: Cross Site Scripting (XSS); Original Code: Found Here. Description: A couple of straightforward XSS bugs. $_REQUEST creates an associative array containing the contents of $_GET, $_POST, and $_COOKIE, all of which are user/attacker controllable. These variables are then used to create HTML markup. Security bugs …