Re: [SC-L] Insecure Java Code Snippets
The NIST SAMATE Reference Dataset has mainly C code in it, but there is also Java, C++, and PHP. There's a search function that allows you to search by programming language to find what you want.

http://samate.nist.gov/SRD/

--
Karen Mercedes Goertzel, CISSP
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

-Original Message-
From: sc-l-boun...@securecoding.org on behalf of Brad Andrews
Sent: Wed 06-May-09 13:41
To: sc-l@securecoding.org
Subject: [SC-L] Insecure Java Code Snippets

Does anyone know of a source of insecure Java snippets? I would like to get some for a monthly meeting of leading technical people. My idea was to have a "find the bug" like the old C-Lint ads.

Does anyone know of a source of something like this?

Brad

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
___
Re: [SC-L] Seeking vulnerable server-side scripts
I heard that http://www.twitter.com is a fun one, too. LITTERED with major vulns.

- Jim

----- Original Message -----
From: "security curmudgeon"
To: "Jeremy Epstein"
Cc:
Sent: Wednesday, May 06, 2009 7:17 AM
Subject: Re: [SC-L] Seeking vulnerable server-side scripts

> : There are several applications designed specifically for this:
> :
> : Mutillidae
> : http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
> :
> : Foundstone's Hacme Bank and Hacme Travel
> : http://www.foundstone.com/us/resources-free-tools.asp
> :
> : WebGoat
> : http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
> :
> : I believe there are more, but those are the first to come to mind.
>
> A couple more:
>
> Stanford SecuriBench
> http://suif.stanford.edu/~livshits/securibench/
>
> w3af's "moth"
> http://sourceforge.net/project/showfiles.php?group_id=170274
> http://sourceforge.net/mailarchive/forum.php?thread_name=cdfaf8b20905051759o76a0f6f1o171928dd9b1d5e30%40mail.gmail.com&forum_name=w3af-develop
Re: [SC-L] Seeking vulnerable server-side scripts
Use Google codesearch:

http://www.google.com/codesearch?hl=en&lr=&q=select.*from.*%5C%24_%28GET%7CPOST%7CCOOKIES%29+lang%3Aphp&btnG=Search
http://www.google.com/codesearch?hl=en&lr=&q=input.*type%3Dhidden.*%3D.*%5C%24_%28GET%7CPOST%7CCOOKIE%29&btnG=Search
http://www.google.com/codesearch?hl=en&lr=&q=fopen%5C%28.*%5C%24_GET&btnG=Search
http://www.google.com/codesearch?hl=en&lr=&q=%5C+file%5C%28.*%5C%24_POST&btnG=Search
http://www.google.com/codesearch?hl=en&lr=&q=file_get_contents%5C%28.*%5C%24_GET&btnG=Search

- Jon

On May 6, 2009, at 1:17 PM, security curmudgeon wrote:

> : There are several applications designed specifically for this:
> :
> : Mutillidae
> : http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
> :
> : Foundstone's Hacme Bank and Hacme Travel
> : http://www.foundstone.com/us/resources-free-tools.asp
> :
> : WebGoat
> : http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
> :
> : I believe there are more, but those are the first to come to mind.
>
> A couple more:
>
> Stanford SecuriBench
> http://suif.stanford.edu/~livshits/securibench/
>
> w3af's "moth"
> http://sourceforge.net/project/showfiles.php?group_id=170274
> http://sourceforge.net/mailarchive/forum.php?thread_name=cdfaf8b20905051759o76a0f6f1o171928dd9b1d5e30%40mail.gmail.com&forum_name=w3af-develop
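Jon's queries all encode one triage heuristic: a PHP request superglobal and a sensitive sink on the same source line. The script below is an added example, not code from the thread or from any project named in it; it applies the same URL-decoded patterns to local source with Python's re module and runs them over a constructed PHP sample. The SUPERGLOBAL alternation adds $_REQUEST, which Jon's queries do not include, and the finding names are labels invented here.

```python
"""Local stand-in for the Google Code Search queries above: grep PHP source
for request data ($_GET/$_POST/$_COOKIE) reaching a sensitive sink on the
same line. Added example, not code from the thread; the sample PHP below is
constructed. A same-line regex is a crude triage filter, not a taint
analysis: it misses data that passes through a variable first and it still
flags lines that validate the parameter before using it."""
import re

# Assumption: $_REQUEST is added to the alternation used in Jon's queries.
SUPERGLOBAL = r"\$_(?:GET|POST|COOKIE|REQUEST)"

# (finding name, regex). Each regex is the URL-decoded search term from one
# of the codesearch links, e.g. select.*from.*\$_(GET|POST|COOKIES).
SINK_PATTERNS = [
    ("sql-from-request",
     re.compile(r"select.*from.*" + SUPERGLOBAL, re.IGNORECASE)),
    ("hidden-input-from-request",
     re.compile(r"input.*type=hidden.*=.*" + SUPERGLOBAL, re.IGNORECASE)),
    ("fopen-from-request",
     re.compile(r"fopen\(.*" + SUPERGLOBAL)),
    ("file-from-request",
     re.compile(r"\bfile\(.*" + SUPERGLOBAL)),       # file(, not file_get_contents(
    ("file_get_contents-from-request",
     re.compile(r"file_get_contents\(.*" + SUPERGLOBAL)),
]


def scan_php(source):
    """Return [(line_number, finding_name, stripped_line)] for every source
    line that matches a sink pattern; a line may yield several findings."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SINK_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


# Constructed sample: lines in the style the queries were written to catch,
# followed by a parameterised query that the same-line heuristic leaves alone
# because the request parameter never sits next to the SQL text.
SAMPLE_PHP = r'''<?php
$q = "SELECT * FROM users WHERE id = " . $_GET['id'];
$fh = fopen($_GET['path'], 'r');
$body = file_get_contents($_POST['url']);
$lines = file($_POST['list']);
echo '<input type=hidden name=price value=' . $_COOKIE['price'] . '>';
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$_GET['id']]);
'''

if __name__ == "__main__":
    for lineno, name, text in scan_php(SAMPLE_PHP):
        print(f"{lineno}: {name}: {text}")
```

Same-line matching is the limit of the original queries as much as of this script: a value copied into a local variable first is missed, and a line that checks the parameter before use is still reported, so hits are review candidates rather than findings. The prepared-statement lines in the sample show the complement, where the parameter is bound separately from the query text and nothing is reported.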
Re: [SC-L] Insecure Java Code Snippets
On Wed, 6 May 2009, Brad Andrews wrote:

> Does anyone know of a source of insecure Java snippets? I would like
> to get some for a monthly meeting of leading technical people. My
> idea was to have a "find the bug" like the old C-Lint ads.

CWE has many snippets like this for various languages, but primarily C and Java:

1) Load the CWE full dictionary (CWE-2000): http://cwe.mitre.org/data/definitions/2000.html
2) Click the "Slice" link in the top right
3) Go get lunch while your browser loads (well it's 10 to 30 seconds but that's a lunch in Internet time)
4) Search for "Java Example:"
5) Tell c...@mitre.org if you notice any errors or oddities

I stopped counting at 50 snippets.

If you speak XSLT, you can easily construct a query to pull out the Demonstrative_Example elements that look a little like:

Demonstrative_Example//Example_Body//Block//Code_Example_Language = Java

For a little less data, you can use the CWE Java view (CWE-660): http://cwe.mitre.org/data/definitions/660.html but this doesn't include language-independent issues like XSS and SQL injection.

I'd love to hear from others who have repositories like this.

- Steve
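Steve's XPath-style sketch, carried out as an added example in Python with the standard-library ElementTree (not Steve's or MITRE's code). Only the element names Demonstrative_Example, Example_Body, Block and Code_Example_Language are taken from his message; the Weakness element with its ID attribute, the Demonstrative_Examples wrapper and the Text child are assumptions made for the constructed stand-in document, so check them against the actual CWE dump's schema before pointing this at CWE-2000. The language is a parameter, so the same walk yields the C examples as well.

```python
"""Extract the demonstrative code examples for one language from a CWE-style
XML dump. Added example, not from the thread or from MITRE. The document at
the bottom is a constructed stand-in: Demonstrative_Example, Example_Body,
Block and Code_Example_Language come from Steve's message; Weakness/@ID,
Demonstrative_Examples and Text are assumed and may differ in the real
schema."""
import xml.etree.ElementTree as ET


def code_examples(xml_text, language="Java"):
    """Return [(weakness_id, code)] for every Demonstrative_Example whose
    Block is tagged with `language` (compared case-insensitively)."""
    root = ET.fromstring(xml_text)
    hits = []
    for weakness in root.iter("Weakness"):            # assumed wrapper element
        wid = weakness.get("ID", "?")                 # assumed attribute name
        for example in weakness.iter("Demonstrative_Example"):
            for block in example.iter("Block"):       # '//' in the sketch: any depth
                lang = block.findtext("Code_Example_Language", default="")
                if lang.strip().lower() != language.lower():
                    continue
                code = (block.findtext("Text") or "").strip()   # assumed child
                hits.append((wid, code))
    return hits


# Constructed stand-in document; IDs are placeholders, not real CWE numbers.
CONSTRUCTED_CWE_XML = """<Weakness_Catalog>
  <Weakness ID="CWE-PLACEHOLDER-1" Name="Constructed: string-built SQL query">
    <Demonstrative_Examples>
      <Demonstrative_Example>
        <Example_Body>
          <Block>
            <Code_Example_Language>Java</Code_Example_Language>
            <Text>String q = "SELECT * FROM users WHERE name = '" + name + "'";</Text>
          </Block>
        </Example_Body>
      </Demonstrative_Example>
    </Demonstrative_Examples>
  </Weakness>
  <Weakness ID="CWE-PLACEHOLDER-2" Name="Constructed: two examples, two languages">
    <Demonstrative_Examples>
      <Demonstrative_Example>
        <Example_Body>
          <Block>
            <Code_Example_Language>C</Code_Example_Language>
            <Text>strcpy(buf, input);</Text>
          </Block>
        </Example_Body>
      </Demonstrative_Example>
      <Demonstrative_Example>
        <Example_Body>
          <Block>
            <Code_Example_Language>java</Code_Example_Language>
            <Text>Runtime.getRuntime().exec("cmd " + userArg);</Text>
          </Block>
        </Example_Body>
      </Demonstrative_Example>
    </Demonstrative_Examples>
  </Weakness>
</Weakness_Catalog>
"""

if __name__ == "__main__":
    for wid, code in code_examples(CONSTRUCTED_CWE_XML):
        print(f"{wid}: {code}")
```

The lowercase "java" tag in the second weakness is there on purpose: a dictionary maintained by hand will not spell the language consistently, and an exact-string XPath comparison silently drops those entries, which is worth remembering if the count from this walk comes out lower than the "Java Example:" count from step 4.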
Re: [SC-L] Insecure Java Code Snippets
We keep a big catalog here: http://www.fortify.com/vulncat

On 5/6/09 10:41 AM, "Brad Andrews" wrote:

> Does anyone know of a source of insecure Java snippets? I would like
> to get some for a monthly meeting of leading technical people. My
> idea was to have a "find the bug" like the old C-Lint ads.
>
> Does anyone know of a source of something like this?
>
> Brad
Re: [SC-L] Insecure Java Code Snippets
Any Java education book, like Cay Horstmann's Core Java. Seriously.

- Jim

----- Original Message -----
From: "Brad Andrews"
To:
Sent: Wednesday, May 06, 2009 7:41 AM
Subject: [SC-L] Insecure Java Code Snippets

> Does anyone know of a source of insecure Java snippets? I would like
> to get some for a monthly meeting of leading technical people. My
> idea was to have a "find the bug" like the old C-Lint ads.
>
> Does anyone know of a source of something like this?
>
> Brad
Re: [SC-L] Seeking vulnerable server-side scripts
Jeremy,

CVE is littered with these kinds of issues, for PHP especially. The scripts are often open source, fully-functional packages that just happen to have lots of security issues. Sometimes the root cause is buried fairly deep in the code, but the people who find these bugs often care only about the attack. The CVE descriptions are often straightforward.

To find the best options, I'd grab CVEs that mention scripts ending in a .php extension, select the ones with both milw0rm and Secunia references, then examine the milw0rm reference to see if the researcher lists a download URL for the product (this is probably 25% or more of all milw0rms, so you won't have to look very hard).

While you'll get a lot of XSS, SQL injection, and file inclusion, you'll also get more subtle issues like eval injection, file upload, redirect-without-exit, static code injection, variable extraction, and other issues that affect most interpreted languages (although the vuln research emphasis is on PHP). Since CVE descriptions are well-formed for well-known vuln types, you could find the weird ones pretty quickly.

- Steve
Re: [SC-L] Seeking vulnerable server-side scripts
Hi Jeremy,

: I'm experimenting (on paper initially) with a technique for improving
: resiliency of web applications, and to do so am looking for examples
: of server side scripts (PHP, Perl, whatever) that have security
: vulnerabilities, to see if the technique would work. If you have
: If there are repositories of such things, please excuse the newbie
: question and point me in the right direction!

There are several applications designed specifically for this:

Mutillidae
http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10

Foundstone's Hacme Bank and Hacme Travel
http://www.foundstone.com/us/resources-free-tools.asp

WebGoat
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

I believe there are more, but those are the first to come to mind.
Re: [SC-L] Seeking vulnerable server-side scripts
: There are several applications designed specifically for this:
:
: Mutillidae
: http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
:
: Foundstone's Hacme Bank and Hacme Travel
: http://www.foundstone.com/us/resources-free-tools.asp
:
: WebGoat
: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
:
: I believe there are more, but those are the first to come to mind.

A couple more:

Stanford SecuriBench
http://suif.stanford.edu/~livshits/securibench/

w3af's "moth"
http://sourceforge.net/project/showfiles.php?group_id=170274
http://sourceforge.net/mailarchive/forum.php?thread_name=cdfaf8b20905051759o76a0f6f1o171928dd9b1d5e30%40mail.gmail.com&forum_name=w3af-develop
[SC-L] Insecure Java Code Snippets
Does anyone know of a source of insecure Java snippets? I would like to get some for a monthly meeting of leading technical people. My idea was to have a "find the bug" like the old C-Lint ads.

Does anyone know of a source of something like this?

Brad
[SC-L] Seeking vulnerable server-side scripts
Greetings,

I'm experimenting (on paper initially) with a technique for improving resiliency of web applications, and to do so am looking for examples of server side scripts (PHP, Perl, whatever) that have security vulnerabilities, to see if the technique would work. If you have scripts you'd be willing to share, please contact me off-list. The scripts don't have to be open source; I'm happy to take scripts that are not for redistribution (but I can't sign formal NDAs).

The ideal scenario would include enough of the infrastructure (scripts, descriptions of the environment) and a description of the vulnerability... but again, I'll take what I can get for now. The important thing is that the scripts be server-side and written in an interpreted scripting language; I'm not looking for server-side C or Java programs.

If there are repositories of such things, please excuse the newbie question and point me in the right direction!

Thanks,
--Jeremy
703-989-8907 (mobile)
jeremy.j.epst...@gmail.com

P.S. Yes, you may forward this message to other people, but I'd appreciate not sending it to other lists without checking with me first.