Subtle software security bugs in webapps

Question

Im doing research on the capabilities of static analysis and at the moment I'm in the process of gathering code-snippets which contain subtle vulnerabilities.

By that I mean not the obvious XSS and SQLI, but more subtle ones like below:

$url = htmlspecialchars($_GET["url"]);
echo "<a href=$url>Click here to continue</a>";

$url = htmlspecialchars($_GET["url"]);
echo "<a href='$url'>Click here to continue</a>";

$filename = $_GET["filename"];
$safeFile = str_replace("../", "", $filename);
include("home/test/traversal/" . $safeFile . ".php");

Obviously, first two are XSS and last one is arbitrary file inclusion. Can you provide me with more of such examples. Language preferably php, java, c# or vb, but if you have examples in other languages, that's also fine.

Btw, this is not a game of bypassing the analyzer with nifty tricks, but a global analysis of what is and what is not detected by different analyzers. So on purpose obscured code to fool the analyser is not what I'm looking for.

Another example is

$query = mysql_real_escape($_GET["id"]);
mysql_query("SELECT * FROM prods WHERE id=" . $query);

or

$safeVal = htmlspecialchars($_GET['val']);
echo "<a href='#' $safeVal>Click here</a>

Answer 1

Cases in which escaping or other measures are used, but where there is still a vulnerability:

• Bug #49687 utf8_decode xml_utf8_decode vuln
• Request #47694 escapeshellcmd() considered harmful?
• Request #39863 file_exists() silently truncates after a null byte