AppSec Blog

Spot the Vuln - Light - Cross Site Scripting

Details Affected Software: FreeNAS Fixed in Version: 0.69.3 Issue Type: Cross Site Scripting (XSS) Original Code: Found Here Description The code sample for this week contained a couple XSS vulnerabilities. Although not essential for exploitation, its also interesting to note that this response is within an SVG image. You can see this by examining the … Continue reading Spot the Vuln - Light - Cross Site Scripting


Five Key Design Decisions That Affect Security in Web Applications

By Krishna Raja and Rohit Sethi (@rksethi) Senior developers and architects often make decisions related to application performance or other areas that have significant ramifications on the security of the application for years to come. Some decisions are obvious: How do we authenticate users? How do we restrict page access to authorized users? Others, however, … Continue reading Five Key Design Decisions That Affect Security in Web Applications


Apple iOS Push Notifications: Security Implications, Abuse Scenarios, and Countermeasures

This is a guest post from security researcher Nitesh Dhanjani. Nitesh will be giving a talk on "Hacking and Securing Next Generation iPhone and iPad Apps" at SANS AppSec 2011. Millions of iOS users and developers have come to rely on Apple's Push Notification Service (APN). In this article, I will briefly introduce details of … Continue reading Apple iOS Push Notifications: Security Implications, Abuse Scenarios, and Countermeasures


Spot the Vuln - Light

To send light into the darkness of men's hearts - such is the duty of the artist. - Schumann Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try … Continue reading Spot the Vuln - Light


Spot the Vuln - Money - SQL Injection

Details Affected Software: Surfnet IDS Fixed in Version: 1.03.07 Issue Type: SQL Injection Original Code: Found Here Description There were a couple of SQL injection bugs here. Beginning at line 35, we see that the Surfnet IDS developers have accepted three POST parameters and have assigned tainted values to three different variables: $keyname, $vlanid, $action. … Continue reading Spot the Vuln - Money - SQL Injection