I'm doing research on the capabilities of static analysis, and at the moment I'm in the process of gathering code snippets which contain subtle vulnerabilities.
By that I mean not the obvious XSS and SQLi, but more subtle ones like the ones below:
$url = htmlspecialchars($_GET["url"]);
echo "<a href=$url>Click here to continue</a>";

$url = htmlspecialchars($_GET["url"]);
echo "<a href='$url'>Click here to continue</a>";

$filename = $_GET["filename"];
$safeFile = str_replace("../", "", $filename);
include("home/test/traversal/" . $safeFile . ".php");
Obviously, the first two are XSS and the last one is arbitrary file inclusion. Can you provide me with more such examples? Language preferably PHP, Java, C# or VB, but if you have examples in other languages, that's also fine.
Btw, this is not a game of bypassing the analyzer with nifty tricks, but a global analysis of what is and what is not detected by different analyzers. So code that is obscured on purpose to fool the analyser is not what I'm looking for.
Thanks!
edit: Another example is
$query = mysql_real_escape_string($_GET["id"]);
mysql_query("SELECT * FROM prods WHERE id=" . $query);
or
$safeVal = htmlspecialchars($_GET['val']);
echo "<a href='#' $safeVal>Click here</a>";
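As an added example (not part of the original question), here are defensive counterparts to the five snippets above, each using a control that matches the context the value ends up in; the page allowlist in `safeInclude` and the `data-val` attribute are assumptions for illustration.

```php
<?php
// Added example: hardened versions of the snippets in the question.
// The common theme is that the sanitizer must match the output context.

// 1 + 2: URL inside an href. Escape quotes as well (ENT_QUOTES), always quote the
// attribute, and accept only absolute http/https URLs so other schemes are rejected.
function safeHref(string $url): string {
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!in_array(strtolower((string)$scheme), ['http', 'https'], true)) {
        $url = '#';   // refuse anything that is not a plain web URL
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
echo "<a href=\"" . safeHref($_GET['url'] ?? '') . "\">Click here to continue</a>";

// 3: file inclusion. Do not try to clean the path at all; map the request key
// onto a fixed allowlist (assumed list) and never build the path from user input.
function safeInclude(string $name): void {
    $pages = ['home' => 'home.php', 'about' => 'about.php'];
    if (!isset($pages[$name])) {
        http_response_code(404);
        return;
    }
    include __DIR__ . '/traversal/' . $pages[$name];
}
safeInclude($_GET['filename'] ?? '');

// 4: numeric SQL. String escaping does nothing for an unquoted number; validate
// the value as digits and bind it as an integer (mysqli replaces the removed mysql_*).
function fetchProduct(mysqli $db, string $rawId): ?array {
    if (!ctype_digit($rawId)) {
        return null;
    }
    $id = (int)$rawId;
    $stmt = $db->prepare('SELECT * FROM prods WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// 5: user data as an attribute *name*. htmlspecialchars only protects attribute
// values, so user input belongs inside a quoted value, never in the tag itself.
$safeVal = htmlspecialchars($_GET['val'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "<a href=\"#\" data-val=\"$safeVal\">Click here</a>";
```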