AppSec Blog

Apple iOS Push Notifications: Security Implications, Abuse Scenarios, and Countermeasures

This is a guest post from security researcher Nitesh Dhanjani. Nitesh will be giving a talk on "Hacking and Securing Next Generation iPhone and iPad Apps" at SANS AppSec 2011. Millions of iOS users and developers have come to rely on Apple's Push Notification Service (APN). In this article, I will briefly introduce details of … Continue reading Apple iOS Push Notifications: Security Implications, Abuse Scenarios, and Countermeasures


Spot the Vuln - Light

To send light into the darkness of men's hearts - such is the duty of the artist. - Schumann Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try … Continue reading Spot the Vuln - Light


Spot the Vuln - Money - SQL Injection

Details Affected Software: Surfnet IDS Fixed in Version: 1.03.07 Issue Type: SQL Injection Original Code: Found Here Description There were a couple of SQL injection bugs here. Beginning at line 35, we see that the Surfnet IDS developers have accepted three POST parameters and have assigned tainted values to three different variables: $keyname, $vlanid, $action. … Continue reading Spot the Vuln - Money - SQL Injection


Spot the Vuln - Money

Money won't buy happiness, but it will pay the salaries of a large research staff to study the problem. - Bill Vaughan Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable … Continue reading Spot the Vuln - Money


Spot the Vuln - Wood - SQL injection

Details Affected Software: WordPress Core Fixed in Version: 2.2 Issue Type: SQL Injection Original Code: Found Here Description This is a fairly straight forward SQL Injection bug here. First, although we can't see exactly where $args[] is set, we have some strong clues that it contains user/attacker controlled data. For example, the first function on … Continue reading Spot the Vuln - Wood - SQL injection