AppSec Blog

Spot the Vuln - Character - Cross Site Scripting

Details
Affected Software: PhotoSmash
Fixed in Version: 1.0.5
Issue Type: Cross Site Scripting (XSS)
Original Code: Found Here

Description
Once again, we see the familiar pattern of the developer taking user/attacker controlled values and using those values to build HTML markup. Line 76 is the start of a large echo statement which writes a couple …


Taming the Beast - The Floating Point DoS Vulnerability

Originally posted as Taming the Beast

The recent multi-language numerical parsing DoS bug has been named the "Mark of the Beast". Some claim that this bug was first reported as early as 2001. This is a significant bug in (at least) PHP and Java. Similar issues have affected Ruby in the past. This bug has left …


Spot the Vuln - Character

Knowledge will give you power, but character respect. - Bruce Lee

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every …


Spot the Vuln - Reasoning - Cross Site Scripting

Details
Affected Software: FreePBX
Fixed in Version: 2.9
Issue Type: Cross Site Scripting (XSS)
Original Code: Found Here

Description
To be honest, I was a little confused by this week's patch. There are several XSS bugs in this code. Originally, the vulnerable code would take a tainted $_REQUEST value (a value from a GET, POST, …


Spot the Vuln - Reasoning

Man is a reasoning rather than a reasonable animal. - Alexander Hamilton

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. …