Reputation: 5113
I'm doing research on the capabilities of static analysis and at the moment I'm in the process of gathering code snippets which contain subtle vulnerabilities.
By that I mean not the obvious XSS and SQLi, but more subtle ones like below:
$url = htmlspecialchars($_GET["url"]);
echo "<a href=$url>Click here to continue</a>";

$url = htmlspecialchars($_GET["url"]);
echo "<a href='$url'>Click here to continue</a>";

$filename = $_GET["filename"];
$safeFile = str_replace("../", "", $filename);
include("home/test/traversal/" . $safeFile . ".php");
Obviously, the first two are XSS and the last one is arbitrary file inclusion. Can you provide me with more such examples? Language preferably PHP, Java, C# or VB, but if you have examples in other languages, that's also fine.
Btw, this is not a game of bypassing the analyzer with nifty tricks, but a global analysis of what is and what is not detected by different analyzers. So code obscured on purpose to fool the analyzer is not what I'm looking for.
Another example is
$query = mysql_real_escape_string($_GET["id"]);
mysql_query("SELECT * FROM prods WHERE id=" . $query);
or
$safeVal = htmlspecialchars($_GET['val']);
echo "<a href='#' $safeVal>Click here</a>";
Upvotes: 0
Views: 94
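For readers looking at the snippets above from the defensive side, here is an added example (my own code, not part of the question or any answer) showing why each "escaped but still vulnerable" pattern fails and what a hardened counterpart looks like. Function names, the SQLite table and the sample inputs are constructed for this illustration. Note that on PHP versions before 8.1 the default flags of htmlspecialchars leave single quotes unencoded, which is what makes the single-quoted href snippet unsafe; passing ENT_QUOTES explicitly removes that version dependence.

```php
<?php
// Added example: hardened counterparts to the question's snippets.
// All names below are my own choice, not from the original post.
declare(strict_types=1);

// 1. Links: escaping alone does not make a URL safe inside href. Encode with
//    ENT_QUOTES so single-quoted attributes are covered, always quote the
//    attribute, and accept only http(s) so a javascript: scheme is rejected.
function safeLink(string $url, string $text): ?string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    $href  = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $label = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a href=\"$href\">$label</a>";
}

// 2. Includes: str_replace("../", "") is a single, non-recursive pass, so it
//    cannot be relied on to strip every traversal sequence. Restrict the name
//    to a safe character set, resolve the final path, and require it to stay
//    inside the intended directory.
function safeIncludePath(string $baseDir, string $name): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        return null;
    }
    $base      = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    // Containment check: resolved file must live under the resolved base.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// 3. SQL: escaping a value that is spliced in without surrounding quotes
//    leaves a numeric context that escaping cannot protect. Use a prepared
//    statement with a typed parameter. SQLite in memory keeps this runnable.
function findProduct(PDO $db, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        return null; // not an integer id at all; reject early
    }
    $stmt = $db->prepare('SELECT id, name FROM prods WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 4. Attribute position: escaped text is still unsafe as an attribute *name*.
//    Never splice user input into tag structure; put it in a quoted value.
function safeDataAttribute(string $value): string
{
    $v = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a href=\"#\" data-val=\"$v\">Click here</a>";
}

// Constructed inputs for a quick self-check.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE prods (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO prods (id, name) VALUES (1, 'widget')");

var_dump(safeLink('https://example.com/?a=1&b=2', 'Click here'));  // anchor tag
var_dump(safeLink('javascript:void(0)', 'Click here'));             // NULL
var_dump(findProduct($db, '1'));                                    // row for id 1
var_dump(findProduct($db, '1 OR 1=1'));                             // NULL
var_dump(safeIncludePath(__DIR__, 'no-such-page'));                 // NULL
var_dump(safeDataAttribute("x' onmouseover='y"));                   // quotes encoded
```

The common thread is that the static analyzer in the question would see an escaping call on the tainted value and may mark the sink as safe, while the real fix is about context (quoting, scheme, path resolution, typed parameters), not about escaping more aggressively.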
Reputation: 75689
Cases in which escaping or other measures are used, but where there is still a vulnerability:
Upvotes: 1