AppSec Blog

Top 25 Series - Rank 12 - Buffer Access with Incorrect Length Value

Buffer Access with Incorrect Length Value (CWE-805) is closely related to Classic Buffer Overflow (CWE-120). A classic buffer overflow is caused by copying a buffer without checking its length. Buffer Access with Incorrect Length Value occurs when a length is taken into account, but the length actually specified is not sufficient. The end result of this vulnerability is a buffer overflow. …


Top 25 Series - Rank 11 - Hardcoded Credentials

Talking about hard-coded credentials with other developers, one of the first questions to come up is "where else should we keep them?". A hard-coded credential is usually a password used to obtain administrative access to software, or a password used by that same software to establish outbound connections, for example to connect to a …


Top 25 Series - Rank 7 - Path Traversal

In October 2001, when the DShield.org site was just about a year old, I was alerted to a flood of reports hitting the site. Looking at the reports in more detail, I found out that most of them were due to blocked ICMP packets being reported to the site. Further investigation revealed that the reports were …


Top 25 Series - Rank 6 - Reliance on Untrusted Inputs in a Security Decision

During a code review I came across code that looked like this:

    // for testing only
    String testId = request.getParameter("secretId");
    if (testId != null && !testId.equals(""))
        id = testId;
    else
        id = codeToLookupTheRealId();

This code allows a malicious user to perform an access control bypass attack by simply supplying the "secretId" parameter in the request. …


Top 25 Series - Rank 5 - Improper Access Control (Authorization)

Foursquare is a mobile app that lets you "check in" to a location and tell your friends about it. If you check in someplace often enough you can, among other things, become the "mayor" of that location. If you're the mayor you can even sometimes win free food [1]. Normally, people are supposed to actually …