AppSec Blog

Top 25 Series - Rank 13 - PHP File Inclusion

Last year, when we got going with our web honeypot, we quickly found that PHP file inclusion vulnerabilities are by far the #1 exploit the honeypot was exposed to [1]. In part, this may have been due to us heavily emulating PHP applications. But many of the exploits didn't match any of the installed …


Top 25 Series - Rank 12 - Buffer Access with Incorrect Length Value

Buffer Access with Incorrect Length Value (CWE-805) is closely related to Classic Buffer Overflow (CWE-120). A classic buffer overflow is caused by copying a buffer without checking its length at all. Buffer Access with Incorrect Length Value occurs when the length is taken into account, but the length value actually used is wrong or insufficient. The end result of this vulnerability is a buffer overflow. …


Top 25 Series - Rank 11 - Hardcoded Credentials

Talking about hard-coded credentials with other developers, one of the first questions to come up is "where else should we keep them?". A hard-coded credential is usually a password used to obtain administrative access to software, or a password used by that same software to establish outbound connections, for example to connect to a …


Top 25 Series - Rank 7 - Path Traversal

In October 2001, when the DShield.org site was just about a year old, I was alerted to a flood of reports hitting the site. Looking at the reports in more detail, I found that most of them were due to blocked ICMP packets being reported to the site. Further investigation revealed that the reports were …


Top 25 Series - Rank 6 - Reliance on Untrusted Inputs in a Security Decision

During a code review I came across code that looked like this:

    // for testing only
    String testId = request.getParameter("secretId");
    if (testId != null && !testId.equals(""))
        id = testId;
    else
        id = codeToLookupTheRealId();

This code allows a malicious user to perform an access control bypass attack by simply supplying the "secretId" parameter in the request. …