I'm doing research on the capabilities of static analysis and at the moment I'm in the process of gathering code snippets which contain subtle vulnerabilities.

By that I mean not the obvious XSS and SQLI, but more subtle ones like below:

$url = htmlspecialchars($_GET["url"]);
echo "<a href=$url>Click here to continue</a>";

$url = htmlspecialchars($_GET["url"]);
echo "<a href='$url'>Click here to continue</a>";

$filename = $_GET["filename"];
$safeFile = str_replace("../", "", $filename);
include("home/test/traversal/" . $safeFile . ".php");

Obviously, the first two are XSS and the last one is arbitrary file inclusion. Can you provide me with more such examples? Language preferably PHP, Java, C# or VB, but if you have examples in other languages, that's also fine.

Btw, this is not a game of bypassing the analyzer with nifty tricks, but a global analysis of what is and what is not detected by different analyzers. So code obscured on purpose to fool the analyser is not what I'm looking for.

Thanks!

edit: Another example is

$query = mysql_real_escape_string($_GET["id"]);
mysql_query("SELECT * FROM prods WHERE id=" . $query);

or

$safeVal = htmlspecialchars($_GET['val']);
echo "<a href='#' $safeVal>Click here</a>";

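
The snippets above, as an added example that is not part of the original post: each "escaped but still vulnerable" case from the question next to a constructed payload that the escaping leaves untouched, and a hardened version. Function names, payload strings and the `data-val` attribute are this example's own choices; `addslashes()` stands in for `mysql_real_escape_string()` because the latter needs a live connection (and the `mysql_*` extension no longer exists in PHP 7+). `ENT_COMPAT` is passed explicitly because PHP 8.1 changed the default flags of `htmlspecialchars()` to include `ENT_QUOTES`, which would hide the single-quote case.

```php
<?php
// Added example, not code from the original post. Run with: php subtle.php
// The four "escaped but still vulnerable" snippets from the question, each with a
// constructed attacker input that survives the escaping, and a hardened version.
declare(strict_types=1);

// 1a/1b: htmlspecialchars() without ENT_QUOTES. ENT_COMPAT (the pre-8.1 default)
// escapes < > & " but not ', and an unquoted attribute ends at the first space.
function link_unquoted_vulnerable(string $url): string {
    $url = htmlspecialchars($url, ENT_COMPAT);
    return "<a href=$url>Click here to continue</a>";
}
function link_single_quoted_vulnerable(string $url): string {
    $url = htmlspecialchars($url, ENT_COMPAT);
    return "<a href='$url'>Click here to continue</a>";
}
function link_hardened(string $url): string {
    // Scheme allow-list first: "javascript:alert(1)" contains nothing that HTML
    // escaping would touch. Then escape every quote style and double-quote it.
    if (!preg_match('#^https?://#i', $url)) {
        $url = '#';
    }
    $url = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a href=\"$url\">Click here to continue</a>";
}

// 2: str_replace() runs once, so "....//" collapses to "../" after the removal.
//    The path is returned rather than include()d so the script runs anywhere.
function include_path_vulnerable(string $filename): string {
    $safeFile = str_replace("../", "", $filename);
    return "home/test/traversal/" . $safeFile . ".php";
}
function include_path_hardened(string $filename): ?string {
    // Character allow-list: no separators, no dots, no NUL bytes.
    return preg_match('/^[A-Za-z0-9_]{1,64}$/', $filename)
        ? "home/test/traversal/" . $filename . ".php"
        : null;
}

// 3: quote escaping only protects quoted string literals; "id=" has none.
//    addslashes() is a stand-in for mysql_real_escape_string() (same idea: it
//    escapes quotes and backslashes, nothing else).
function sql_vulnerable(string $id): string {
    $query = addslashes($id);
    return "SELECT * FROM prods WHERE id=" . $query;
}
function sql_hardened(string $id): string {
    // Type the value (or bind it with a prepared statement).
    return "SELECT * FROM prods WHERE id=" . (int) $id;
}

// 4: escaped text used as an attribute, not as an attribute value.
//    Nothing in "onmouseover=alert(1)" is special to htmlspecialchars().
function attr_vulnerable(string $val): string {
    $safeVal = htmlspecialchars($val, ENT_QUOTES);
    return "<a href='#' $safeVal>Click here</a>";
}
function attr_hardened(string $val): string {
    // User data may only ever be a quoted attribute *value* (attribute name assumed).
    $safeVal = htmlspecialchars($val, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a href='#' data-val=\"$safeVal\">Click here</a>";
}

// Constructed attacker inputs, standing in for $_GET values.
$cases = [
    ['x onmouseover=alert(1)',   'link_unquoted_vulnerable',      'link_hardened'],
    ["x' onmouseover='alert(1)", 'link_single_quoted_vulnerable', 'link_hardened'],
    ['....//....//etc/passwd',   'include_path_vulnerable',       'include_path_hardened'],
    ['1 OR 1=1',                 'sql_vulnerable',                'sql_hardened'],
    ['onmouseover=alert(1)',     'attr_vulnerable',               'attr_hardened'],
];
foreach ($cases as [$payload, $vuln, $fix]) {
    printf("%-32s payload: %s\n", $vuln, $payload);
    printf("  vulnerable: %s\n", $vuln($payload));
    printf("  hardened:   %s\n\n", $fix($payload) ?? '(rejected)');
}
```

The common thread, and the thing a static analyzer has to model to catch these, is that the sanitizer is applied but does not match the context the value ends up in: an unquoted or single-quoted HTML attribute, an unquoted SQL number, a path where a non-recursive replacement still lets `../` through, or an attribute name rather than an attribute value.
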
+1  A: 

Cases in which escaping or other measures are used, but where there is still a vulnerability:

Sjoerd
Thanks for the input :)
Henri