Whodunit? Finding Security Vulnerabilities in Application Code - Security - News & Reviews - eWeek.com | eWeek

Whodunit? Finding Security Vulnerabilities in Application Code

Whodunit? Finding Security Vulnerabilities in Application Code
Écrit par
Brian Prince
Brian Prince
May 28, 2009
1 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus


Whodunit? Finding Security Vulnerabilities in Application Code

Whodunit? Finding Security Vulnerabilities in Application Code

by Brian Princecode provided by Veracode and Qualys


File/Path Manipulation

2

This occurs when the software allows user input to control or influence paths that are used in filesystem operations. This vulnerability could permit an attacker to access or change system files and other files critical to the application.


The Answer

3

The code is vulnerable to file/path manipulation because of insufficient input validation (cwe 20) on the fn parameter, which leads to arbitrary file retrieval.


Hands Off the Database

4

SQL injection is one of the most popular vectors of attack. When executed, the SQL statement fetches a different set of results from the database than the application would have originally requested. The attacker gains unauthorized access to or manipulates the data residing in the database on the server.


Advertisement

The Answer

5

The code is vulnerable to SQL injection because it creates an ad-hoc query using the employeeID parameter, which is untrusted.


Solving Cross-site Scripting

6

Cross-site scripting (XSS) remains one of the most common vulnerabilities affecting Web applications. If successful, an exploit could allow hackers to bypass access controls such as same origin policy.


The Answer

7

In this case, moving the to after the <meta> tag prevents XSS attacks that trick the browser into using UTF-7 to decode the payload when the page should be actually rendered as UTF-8.</p></div>

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.