AppSec Blog

Five Key Design Decisions That Affect Security in Web Applications

By Krishna Raja and Rohit Sethi (@rksethi)

Senior developers and architects often make decisions related to application performance or other areas that have significant ramifications on the security of the application for years to come. Some decisions are obvious: How do we authenticate users? How do we restrict page access to authorized users? Others, however, …


Apple iOS Push Notifications: Security Implications, Abuse Scenarios, and Countermeasures

This is a guest post from security researcher Nitesh Dhanjani. Nitesh will be giving a talk on "Hacking and Securing Next Generation iPhone and iPad Apps" at SANS AppSec 2011.

Millions of iOS users and developers have come to rely on Apple's Push Notification Service (APN). In this article, I will briefly introduce details of …


Spot the Vuln - Light

To send light into the darkness of men's hearts - such is the duty of the artist. - Schumann

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try …


Spot the Vuln - Money - SQL Injection

Details

Affected Software: Surfnet IDS
Fixed in Version: 1.03.07
Issue Type: SQL Injection
Original Code: Found Here

Description

There were a couple of SQL injection bugs here. Beginning at line 35, we see that the Surfnet IDS developers have accepted three POST parameters and have assigned tainted values to three different variables: $keyname, $vlanid, $action. …
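The bug class described above, as an added example that is not code from the Surfnet IDS project or from the post: request values named like the three POST parameters are pasted straight into a SQL string, and the same operation is shown with the fix a practitioner would apply (allowlist the action, type-check the numeric id, bind the values as parameters). The original is PHP; this illustration uses Python with an in-memory sqlite3 database so it runs offline. The table, column names, the status values and the attacker payloads are all constructed for this example.

```python
import sqlite3

# Assumed action allowlist for the example; the real application's actions are not on the page.
VALID_ACTIONS = {"enable": "active", "disable": "disabled"}


def make_db():
    """In-memory database with constructed sample rows (not Surfnet IDS's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sensors (keyname TEXT, vlanid INTEGER, status TEXT)")
    conn.executemany(
        "INSERT INTO sensors VALUES (?, ?, ?)",
        [("sensor-a", 10, "active"), ("sensor-b", 20, "active"), ("sensor-c", 30, "disabled")],
    )
    return conn


def _rows(conn):
    return conn.execute("SELECT keyname, status FROM sensors ORDER BY keyname").fetchall()


def update_vulnerable(conn, keyname, vlanid, action):
    """The bug: tainted request values concatenated into the SQL text.

    Mirrors the pattern in the post, where $keyname, $vlanid and $action come
    from POST and reach the query without validation or parameter binding.
    Any unknown action silently becomes "disabled", a second (logic) flaw.
    """
    status = "active" if action == "enable" else "disabled"
    sql = (
        f"UPDATE sensors SET status = '{status}' "
        f"WHERE keyname = '{keyname}' AND vlanid = {vlanid}"
    )
    conn.execute(sql)
    conn.commit()
    return _rows(conn)


def update_fixed(conn, keyname, vlanid, action):
    """Hardened form: allowlist the action, coerce the id, bind every value.

    Bound parameters are sent to the engine as data, so a quote or an OR in
    keyname can never change the query's structure; int() rejects a vlanid
    such as "10 OR 1=1" before it is ever used.
    """
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    try:
        vlan = int(vlanid)
    except (TypeError, ValueError):
        raise ValueError("vlanid must be an integer")
    conn.execute(
        "UPDATE sensors SET status = ? WHERE keyname = ? AND vlanid = ?",
        (VALID_ACTIONS[action], keyname, vlan),
    )
    conn.commit()
    return _rows(conn)


def demo():
    """Run one constructed attacker payload against both versions."""
    payload_vlan = "10 OR 1=1"  # constructed: widens the WHERE clause to every row

    vuln_rows = update_vulnerable(make_db(), "sensor-a", payload_vlan, "disable")

    fixed_db = make_db()
    try:
        update_fixed(fixed_db, "sensor-a", payload_vlan, "disable")
        rejected = False
    except ValueError:
        rejected = True
    fixed_rows = update_fixed(fixed_db, "sensor-a", "10", "disable")

    return {"vulnerable": vuln_rows, "rejected_payload": rejected, "fixed": fixed_rows}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the vulnerable version disabling every sensor for a request that named only `sensor-a`, while the fixed version refuses the non-numeric `vlanid` and, with a clean value, touches just the intended row. A keyname payload such as `x' OR 1=1 --` is defeated the same way: bound as a parameter it matches no row instead of commenting out the rest of the WHERE clause.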


Spot the Vuln - Money

Money won't buy happiness, but it will pay the salaries of a large research staff to study the problem. - Bill Vaughan

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable …