AppSec Blog: Author - Billy Rios

07 Jan 2011

Spot the Vuln - Banks - Cross Site Scripting

0 comments Posted by Billy Rios
Filed under (no category specified)

Details Affected Software: PunBB Fixed in Version: 1.3 Issue Type: Cross Site Scripting (XSS) Original Code: Found Here Description Passwords, passwords, passwords. For some reason, developers sometimes assume passwords values are safe and do not need encoding. In this example, the developers chose to encode username values (line 87) however, they assumed password values would … Continue reading Spot the Vuln - Banks - Cross Site Scripting

03 Jan 2011

Spot the Vuln - Banks

0 comments Posted by Billy Rios
Filed under Spot the Vuln

I have always been afraid of banks. - Andrew Jackson Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, … Continue reading Spot the Vuln - Banks

31 Dec 2010

Spot the Vuln - Tougher - SQL Injection

0 comments Posted by Billy Rios
Filed under Spot the Vuln

Details Affected Software: PunBB Fixed in Version: 1.3 Issue Type: SQL Injection (SQLi) Original Code: Found Here Description This week's bug was an old SQL injection bug that affected PunBB versions < 1.3. In short, a value is taken from an attacker/user controlled POST request and is used to build a SQL statement. This bug … Continue reading Spot the Vuln - Tougher - SQL Injection

27 Dec 2010

Spot the Vuln - Tougher

0 comments Posted by Billy Rios
Filed under Spot the Vuln

I survived because I was tougher than anybody else. - Bette Davis Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. … Continue reading Spot the Vuln - Tougher

24 Dec 2010

Spot the Vuln - Price - Cross Site Scripting

0 comments Posted by Billy Rios
Filed under Spot the Vuln

Details Affected Software: PunBB Fixed in Version: 2.1 Issue Type: Cross Site Scripting (XSS) Original Code: Found Here Description This week's vulnerability was a XSS bug in PunBB. PunBB was taking an un-trusted value directly from the POST parameter ($_POST[''prune_sticky']) and echoing the un-trusted value directly into a value attribute for a hidden form input … Continue reading Spot the Vuln - Price - Cross Site Scripting

Share

Categories
Recent Posts
Archives
Links
Latest Blog Posts

Exploring the DevSecOps Toolchain
October 14, 2018 - 7:40 AM

Your Secure DevOps Questions Answered
September 13, 2018 - 6:55 PM

Continuous Opportunity - DevOps and Security
August 23, 2017 - 2:33 PM

View More »

Latest Tweets @sansdevsecops

Defending web apps? #DEV522 leverages hands-on labs to teach [...]
April 29, 2019 - 2:15 PM

The SANS Cloud &amp; DevOps Summit Call for Presentations is [...]
April 24, 2019 - 5:35 PM

Webcast | Terraforming #Azure: Not as Difficult as Planets - [...]
April 18, 2019 - 4:54 PM

Latest Papers

Adapting AppSec to a DevOps World
By Rebecca Deck

Runtime Application Self-Protection (RASP), Investigation of the Effectiveness of a RASP Solution in Protecting Known Vulnerable Target Applications
By Alexander Fry

One-Click Forensic Analysis: A SANS Review of EnCase Forensic
By Jake Williams

View More »

"The course used real code with simple scenarios illustrating a full attack scenario and how to fix the vulnerabilities."
- Jeffrey Bell, Lockheed Martin

"Great course with lots of info. I've gotten more out of Day 1 than I have in a complete week of some other classes."
- Chris Yokley, Baldwin County Commission

"Gives tangible ideas to put into practice to make your code and infrastructure more secure."
- Keith G. Tullius, II, Escambia County Sheriff's Office