Greetings all. I'm on a bit of a mission to understand software security better, in a Java environment. My particular focus right now is to try to find--and understand--real examples of how code fails in practice. I've read extensive stuff about "don't do this" on a bunch of topics, and I've looked at a number of resources (e.g. Metasploit) that would potentially show me how to *perform* an attack (with the goal of penetration testing one's own software, one hopes!), but what I'd really like to see now is examples of how real code has actually failed. E.g., how did the Struts code permit remote code execution? I'm hoping some of you might be able to point me at such resources, either individual case studies, or perhaps whole data sets, that describe some of these.
I will add that I already found the OWASP web goat, and am trying to get into that. But I am hoping for specific, described, examples of real failures "in the wild", ideally (for impact's sake) associated with known dramatic breaches (Equifax, anyone?!)
The most common one I've seen is when naive programmers create dynamic queries using string concatenation instead of using parameterized queries. This, of course, opens you up to SQL injection attacks.
Sorry I can't give you anything more exotic but there's a good reason these two are perpetual top-ranked vulnerabilities: they're the kind of traps that naive programmers can easily fall into and apparently, there are many naive programmers.
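To make the concatenation-versus-parameterization point concrete, here is an added example (not code from the original post or from OWASP) in plain JDBC. It assumes an H2 in-memory database driver is on the classpath (`jdbc:h2:mem:`) and a hypothetical `users` table; both are constructed for the demo. The same query is written twice: once by gluing the user's input into the SQL text, once by binding it as a parameter. The concatenated version fails on a perfectly legitimate name containing an apostrophe, and it returns every row for a value that happens to contain SQL syntax, because the database cannot tell data from grammar once they are in one string. The parameterized version treats the input as a literal in both cases.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example; assumes the H2 driver is on the classpath and uses an
// in-memory database that disappears when the JVM exits.
public class SqlInjectionDemo {

    // VULNERABLE: user-supplied text becomes part of the SQL grammar.
    static String buildVulnerableQuery(String username) {
        return "SELECT id FROM users WHERE name = '" + username + "'";
    }

    static int countVulnerable(Connection c, String username) throws SQLException {
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(buildVulnerableQuery(username))) {
            int n = 0;
            while (rs.next()) n++;
            return n;
        }
    }

    // SAFE: the SQL text is fixed; the value is bound as data by the driver.
    static int countParameterized(Connection c, String username) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement("SELECT id FROM users WHERE name = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                int n = 0;
                while (rs.next()) n++;
                return n;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = c.createStatement()) {
                // Constructed sample data for the hypothetical users table.
                st.execute("CREATE TABLE users (id INT PRIMARY KEY, name VARCHAR(50))");
                st.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");
            }

            // Case 1: a legitimate name with an apostrophe. Concatenation
            // produces malformed SQL and throws; the bound parameter just works.
            String legit = "O'Brien";
            try {
                countVulnerable(c, legit);
            } catch (SQLException e) {
                System.out.println("concatenated:  syntax error for " + legit);
            }
            System.out.println("parameterized: " + countParameterized(c, legit) + " row(s) for " + legit);

            // Case 2: a constructed value containing SQL syntax. Concatenation
            // rewrites the WHERE clause so every row matches; the bound
            // parameter is compared literally and matches nothing.
            String hostile = "x' OR '1'='1";
            System.out.println(buildVulnerableQuery(hostile));
            System.out.println("concatenated:  " + countVulnerable(c, hostile) + " row(s)");
            System.out.println("parameterized: " + countParameterized(c, hostile) + " row(s)");
        }
    }
}
```

The second case is the failure the OP is asking about in miniature: nothing in the Java code looks wrong to a reader who does not know that `'` terminates a string literal in SQL. The fix is not escaping the quote by hand but never building SQL from untrusted text in the first place, which is exactly what `PreparedStatement` (or any ORM that uses it underneath) gives you.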
Thanks for this Junilu, yes, I mostly am aware of what one shouldn't do (thanks to OWASP) and the advised fixes. I'm really looking for real examples. I find that the canned "see how this breaks" examples always look so obvious that one feels only a fool would make such a mistake, and seeing a mistake that one knows was actually made, rather than an illustration, would be far more convincing.
But anyway, thanks again, and fwiw, I worked through the entire OWASP WebGoat project, which involves some lessons, followed by some "go ahead, try to break this deliberately" vulnerable code. I will say that while still not "real code" it was a fun and valuable exercise that I can recommend to anyone who has 24-40 hours for tinkering! YMMV of course, perhaps some will break it completely in less than that, but I suspect three days of fairly dedicated time is probably about right for version 25, where many of the hints are missing, misleading, or otherwise leave you to do some "real" hacking (i.e. being imaginative and trying several alternative approaches while looking for clues).