Greetings all. I'm on a bit of a mission to understand software security better, in a Java environment. My particular focus right now is to try to find--and understand--real examples of how code fails in practice. I've read extensive stuff about "don't do this" on a bunch of topics, and I've looked at a number of resources (e.g. metasploit) that would potentially show me how to *perform* an attack (with the goal of penetration testing one's own software, one hopes!) but what I'd really like to see now is examples of how real code has actually failed. E.g. how did the struts code permit remote code execution? I'm hoping some of you might be able to point me at such resources, either individual case studies, or perhaps whole data sets, that describe some of these.
I will add that I already found the OWASP web goat, and am trying to get into that. But I am hoping for specific, described, examples of real failures "in the wild", ideally (for impact's sake) associated with known dramatic breaches (Equifax, anyone?!)
The most common one I've seen is when naive programmers create dynamic queries using string concatenation instead of using parameterized queries. This, of course, opens you up to SQL injection attacks.
Sorry I can't give you anything more exotic but there's a good reason these two are perpetual top-ranked vulnerabilities: they're the kind of traps that naive programmers can easily fall into and apparently, there are many naive programmers.
The best ideas are the crazy ones. If you have a crazy idea and it works, it's really valuable.—Kent Beck
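An added Java example (not code from the original thread) of the pattern Junilu describes: the same lookup written by concatenating the input into the SQL text and by binding it with a PreparedStatement, and what happens when an ordinary input containing a quote reaches each one. It assumes the H2 JDBC driver is on the classpath and uses a constructed in-memory `users` table.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class ConcatVsPrepared {

    // Vulnerable: the input is spliced into the SQL text, so any quote
    // character in it changes the structure of the statement the DB parses.
    static String roleByConcat(Connection c, String name) throws SQLException {
        String sql = "SELECT role FROM users WHERE name = '" + name + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    // Hardened: the SQL text is fixed; the input is bound as a value and
    // is never parsed as part of the statement.
    static String roleByPrepared(Connection c, String name) throws SQLException {
        String sql = "SELECT role FROM users WHERE name = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample table; assumes the H2 driver is on the classpath.
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE users(name VARCHAR(50), role VARCHAR(20))");
                st.execute("INSERT INTO users VALUES ('alice', 'user'), ('O''Brien', 'admin')");
            }
            String name = "O'Brien"; // a legitimate input that happens to contain a quote
            System.out.println("prepared: " + roleByPrepared(c, name));
            try {
                System.out.println("concat: " + roleByConcat(c, name));
            } catch (SQLException e) {
                // The quote in the name ended the string literal early, so the text
                // sent to the database was no longer the query the author wrote.
                System.out.println("concat failed: " + e.getMessage());
            }
        }
    }
}
```

The prepared form returns the row for the quoted name; the concatenated form sends a different statement than the one the author intended, which is exactly the property an attacker-controlled input exploits.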
Thanks for this, Junilu. Yes, I mostly am aware of what one shouldn't do (thanks to OWASP) and the advised fixes. I'm really looking for real examples. I find that the canned "see how this breaks" examples always look so obvious that one feels only a fool would make such a mistake, and seeing a mistake that one knows was actually made, rather than an illustration, would be far more convincing.
But anyway, thanks again, and fwiw, I worked through the entire OWASP WebGoat project, which involves some lessons, followed by some "go ahead, try to break this deliberately" vulnerable code. I will say that, while still not "real code", it was a fun and valuable exercise that I can recommend to anyone who has 24-40 hours for tinkering! YMMV of course; perhaps some will break it completely in less than that, but I suspect three days of fairly dedicated time is probably about right for version 25, where many of the hints are missing, misleading, or otherwise leave you to do some "real" hacking (i.e. being imaginative and trying several alternative approaches while looking for clues).