Re: [SC-L] Insecure Java Code Snippets

2009-05-06 Thread Goertzel, Karen [USA]
The NIST SAMATE Reference Dataset has mainly C code in it, but there is also Java, C++, and PHP. There's a search function that allows you to search by programming language to find what you want. http://samate.nist.gov/SRD/ -- Karen Mercedes Goertzel, CISSP Booz Allen Hamilton 703.698.7454 goer

Re: [SC-L] Seeking vulnerable server-side scripts

2009-05-06 Thread Jim Manico
I heard that http://www.twitter.com is a fun one, too. LITTERED with major vulns. - Jim - Original Message - From: "security curmudgeon" To: "Jeremy Epstein" Cc: Sent: Wednesday, May 06, 2009 7:17 AM Subject: Re: [SC-L] Seeking vulnerable server-side scripts > > : There are several

Re: [SC-L] Seeking vulnerable server-side scripts

2009-05-06 Thread jrose
Use google codesearch: http://www.google.com/codesearch?hl=en&lr=&q=select.*from.*%5C%24_%28GET%7CPOST%7CCOOKIES%29+lang%3Aphp&btnG=Search http://www.google.com/codesearch?hl=en&lr=&q=input.*type%3Dhidden.*%3D.*%5C%24_%28GET%7CPOST%7CCOOKIE%29&btnG=Search http://www.google.com/codesearch?hl=en&l
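The two codesearch queries above are just regexes run line by line over PHP source: SQL statement text next to a request superglobal, and a hidden form field populated straight from the request. As an added example (not from the message or the list), here is a small Python scanner that applies the same two patterns to a file and flags whether a recognised escaping or prepared-statement call appears on the matching line. The rule names, the sanitizer list and the embedded PHP sample are assumptions for illustration; the sample is constructed, not a real script.

```python
import re
from typing import Dict, List

# Added example: reproduces the two Google Code Search queries from the message
# above as Python regexes. Names and the sanitizer list are assumptions for
# illustration, not anything taken from the list archive.

# The first query wrote COOKIES; $_COOKIE is the real superglobal, so accept both.
REQUEST_VARS = r"\$_(GET|POST|COOKIES?|REQUEST)"

RULES = {
    # SQL statement text and a request superglobal on the same line:
    # classic string-concatenated SQL injection candidate.
    "sql-from-request": re.compile(r"select.*from.*" + REQUEST_VARS, re.IGNORECASE),
    # Hidden form field whose value comes from the request: reflected XSS
    # candidate, and a sign that state is round-tripped through the client.
    "hidden-from-request": re.compile(
        r"""input.*type\s*=\s*["']?hidden.*=.*""" + REQUEST_VARS, re.IGNORECASE),
}

# Calls that usually mean the author did something about the input on that line.
# Treated as "mitigated", not "safe": a grep cannot tell whether the escaping
# matches the context the value finally lands in.
SANITIZERS = re.compile(
    r"htmlspecialchars\(|htmlentities\(|intval\(|\(int\)|"
    r"mysqli?_real_escape_string\(|->prepare\(|->quote\(")


def scan_php(source: str) -> List[Dict]:
    """Return one finding per (line, rule) match, in line order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append({
                    "line": lineno,
                    "rule": rule,
                    "mitigated": bool(SANITIZERS.search(line)),
                    "text": line.strip(),
                })
    return findings


def unmitigated(findings: List[Dict]) -> List[Dict]:
    """Findings with no recognised sanitizer on the same line: review these first."""
    return [f for f in findings if not f["mitigated"]]


# Constructed PHP sample (not a real script): one injectable query, one
# parameterised query, one raw hidden field, one escaped hidden field.
SAMPLE_PHP = """<?php
$id = $_GET['id'];
$res = mysql_query("SELECT * FROM users WHERE id = " . $_GET['id']);
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$_GET['id']]);
echo '<input type="hidden" name="ret" value="' . $_POST['ret'] . '">';
echo '<input type="hidden" name="ret" value="' . htmlspecialchars($_POST['ret'], ENT_QUOTES) . '">';
?>
"""


if __name__ == "__main__":
    found = scan_php(SAMPLE_PHP)
    for f in found:
        flag = "mitigated?" if f["mitigated"] else "REVIEW"
        print(f"{f['line']:>3} {f['rule']:<20} {flag:<10} {f['text']}")
    print(f"{len(unmitigated(found))} of {len(found)} findings have no sanitizer on the line")
```

The scanner is line-based, exactly like the codesearch queries it copies. The parameterised query on lines 4 and 5 of the sample is not flagged because the query text and the superglobal sit on different lines; the same property means a vulnerable concatenation split across lines slips past both the query and this scanner, so treat hits as candidates for manual review rather than as findings, and treat the absence of a hit as nothing at all.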

Re: [SC-L] Insecure Java Code Snippets

2009-05-06 Thread Steven M. Christey
On Wed, 6 May 2009, Brad Andrews wrote: > Does anyone know of a source of insecure Java snippets? I would like > to get some for a monthly meeting of leading technical people. My > idea was to have a "find the bug" like the old C-Lint ads. CWE has many snippets like this for various languages,

Re: [SC-L] Insecure Java Code Snippets

2009-05-06 Thread Brian Chess
We keep a big catalog here: http://www.fortify.com/vulncat On 5/6/09 10:41 AM, "Brad Andrews" wrote: > > > > Does anyone know of a source of insecure Java snippets? I would like > to get some for a monthly meeting of leading technical people. My > idea was to have a "find the bug" like

Re: [SC-L] Insecure Java Code Snippets

2009-05-06 Thread Jim Manico
Any Java Education book, like Cay Horstmann's Core Java. Seriously. - Jim - Original Message - From: "Brad Andrews" To: Sent: Wednesday, May 06, 2009 7:41 AM Subject: [SC-L] Insecure Java Code Snippets > > > Does anyone know of a source of insecure Java snippets? I would like > to ge

Re: [SC-L] Seeking vulnerable server-side scripts

2009-05-06 Thread Steven M. Christey
Jeremy, CVE is littered with these kinds of issues, for PHP especially. The scripts are often open source, fully-functional packages that just happen to have lots of security issues. Sometimes the root cause is buried fairly deep in the code, but the people who find these bugs often care only a

Re: [SC-L] Seeking vulnerable server-side scripts

2009-05-06 Thread security curmudgeon
Hi Jeremy, : I'm experimenting (on paper initially) with a technique for improving : resiliency of web applications, and to do so am looking for examples : of server side scripts (PHP, Perl, whatever) that have security : vulnerabilities, to see if the technique would work. If you have : If the

Re: [SC-L] Seeking vulnerable server-side scripts

2009-05-06 Thread security curmudgeon
: There are several applications designed specifically for this: : : Mutillidae : http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10 : : Foundstone's Hacme Bank and Hacme Travel : http://www.foundstone.com/us/resources-free-tools.asp : : WebGoat : h

[SC-L] Insecure Java Code Snippets

2009-05-06 Thread Brad Andrews
Does anyone know of a source of insecure Java snippets? I would like to get some for a monthly meeting of leading technical people. My idea was to have a "find the bug" like the old C-Lint ads. Does anyone know of a source of something like this. Brad

[SC-L] Seeking vulnerable server-side scripts

2009-05-06 Thread Jeremy Epstein
Greetings, I'm experimenting (on paper initially) with a technique for improving resiliency of web applications, and to do so am looking for examples of server side scripts (PHP, Perl, whatever) that have security vulnerabilities, to see if the technique would work. If you have scripts you'd be w