Null
passwords can compromise security.null
to password variables is never a good idea as it may allow attackers to bypass password verification or might indicate that resources are protected by an empty password.null
, attempts to read a stored value for the password, and compares it against a user-supplied value.
...
var storedPassword:String = null;
var temp:String;
if ((temp = readPassword()) != null) {
storedPassword = temp;
}
if(Utils.verifyPassword(userPassword, storedPassword))
// Access protected resources
...
}
...
readPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing a null
value for userPassword
.null
to password variables is never a good idea as it might enable attackers to bypass password verification or might indicate that resources are protected by an empty password.null
, attempts to read a stored value for the password, and compares it against a user-supplied value.
...
string storedPassword = null;
string temp;
if ((temp = ReadPassword(storedPassword)) != null) {
storedPassword = temp;
}
if (Utils.VerifyPassword(storedPassword, userPassword)) {
// Access protected resources
...
}
...
ReadPassword()
fails to retrieve the stored password due to a database error or other problem, then an attacker can easily bypass the password check by providing a null
value for userPassword
.null
to password variables is never a good idea as it may allow attackers to bypass password verification or might indicate that resources are protected by an empty password.null
, attempts to read a stored value for the password, and compares it against a user-supplied value.
...
string storedPassword = null;
string temp;
if ((temp = ReadPassword(storedPassword)) != null) {
storedPassword = temp;
}
if(Utils.VerifyPassword(storedPassword, userPassword))
// Access protected resources
...
}
...
ReadPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing a null
value for userPassword
.null
to password variables is never a good idea as it may allow attackers to bypass password verification or might indicate that resources are protected by an empty password.null
, attempts to read a stored value for the password, and compares it against a user-supplied value.
...
char *stored_password = NULL;
readPassword(stored_password);
if(safe_strcmp(stored_password, user_password))
// Access protected resources
...
}
...
readPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing a null
value for user_password
.null
to password variables is never a good idea as it might enable attackers to bypass password verification or it might indicate that resources are protected by an empty password.null
to password variables is a bad idea because it can allow attackers to bypass password verification or might indicate that resources are protected by an empty password.null
, attempts to read a stored value for the password, and compares it against a user-supplied value.
...
String storedPassword = null;
String temp;
if ((temp = readPassword()) != null) {
storedPassword = temp;
}
if(Utils.verifyPassword(userPassword, storedPassword))
// Access protected resources
...
}
...
readPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing a null
value for userPassword
.null
, reads credentials from an Android WebView store if they have not been previously rejected by the server for the current request, and uses them to setup authentication for viewing protected pages.
...
webview.setWebViewClient(new WebViewClient() {
public void onReceivedHttpAuthRequest(WebView view,
HttpAuthHandler handler, String host, String realm) {
String username = null;
String password = null;
if (handler.useHttpAuthUsernamePassword()) {
String[] credentials = view.getHttpAuthUsernamePassword(host, realm);
username = credentials[0];
password = credentials[1];
}
handler.proceed(username, password);
}
});
...
Example 1
, if useHttpAuthUsernamePassword()
returns false
, an attacker will be able to view protected pages by supplying a null
password.null
password.null
:
...
var password=null;
...
{
password=getPassword(user_data);
...
}
...
if(password==null){
// Assumption that the get didn't work
...
}
...
null
to password variables because it might enable attackers to bypass password verification or indicate that resources are not protected by a password.null
password.
{
...
"password" : null
...
}
null
password. Null
passwords can compromise security.null
to password variables is never a good idea as it may allow attackers to bypass password verification or might indicate that resources are protected by an empty password.null
, attempts to read a stored value for the password, and compares it against a user-supplied value.
...
NSString *stored_password = NULL;
readPassword(stored_password);
if(safe_strcmp(stored_password, user_password)) {
// Access protected resources
...
}
...
readPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing a null
value for user_password
.null
to password variables is never a good idea as it may allow attackers to bypass password verification or might indicate that resources are protected by an empty password.null
, attempts to read a stored value for the password, and compares it against a user-supplied value.
<?php
...
$storedPassword = NULL;
if (($temp = getPassword()) != NULL) {
$storedPassword = $temp;
}
if(strcmp($storedPassword,$userPassword) == 0) {
// Access protected resources
...
}
...
?>
readPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing a null
value for userPassword
.null
to password variables is never a good idea as it may allow attackers to bypass password verification or might indicate that resources are protected by an empty password.null
.
DECLARE
password VARCHAR(20);
BEGIN
password := null;
END;
null
to password variables is never a good idea as it may allow attackers to bypass password verification or might indicate that resources are protected by an empty password.null
, attempts to read a stored value for the password, and compares it against a user-supplied value.
...
storedPassword = NULL;
temp = getPassword()
if (temp is not None) {
storedPassword = temp;
}
if(storedPassword == userPassword) {
// Access protected resources
...
}
...
getPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing a null
value for userPassword
.nil
to password variables is never a good idea as it may allow attackers to bypass password verification or might indicate that resources are protected by an empty password.nil
, attempts to read a stored value for the password, and compares it against a user-supplied value.
...
@storedPassword = nil
temp = readPassword()
storedPassword = temp unless temp.nil?
unless Utils.passwordVerified?(@userPassword, @storedPassword)
...
end
...
readPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing a null
value for @userPassword
.nil
as a default value when none is specified. In this case you also need to make sure that the correct number of arguments are specified in order to make sure a password is passed to the function.null
to password variables is a bad idea because it can allow attackers to bypass password verification or might indicate that resources are protected by an empty password.null
, attempts to read a stored value for the password, and compares it against a user-supplied value.
...
ws.url(url).withAuth("john", null, WSAuthScheme.BASIC)
...
null
password. Null
passwords can compromise security.nil
to password variables is never a good idea as it may allow attackers to bypass password verification or might indicate that resources are protected by an empty password.null
, attempts to read a stored value for the password, and compares it against a user-supplied value.
...
var stored_password = nil
readPassword(stored_password)
if(stored_password == user_password) {
// Access protected resources
...
}
...
readPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing a null
value for user_password
.null
to password variables is never a good idea as it may allow attackers to bypass password verification or might indicate that resources are protected by an empty password.null
and uses it to connect to a database.
...
Dim storedPassword As String
Set storedPassword = vbNullString
Dim con As New ADODB.Connection
Dim cmd As New ADODB.Command
Dim rst As New ADODB.Recordset
con.ConnectionString = "Driver={Microsoft ODBC for Oracle};Server=OracleServer.world;Uid=scott;Passwd=" & storedPassword &";"
...
Example 1
succeeds, it indicates that the database user account "scott" is configured with an empty password, which an attacker can easily guess. After the program ships, updating the account to use a non-empty password will require a code change.
...
* Default username for FTP connection is "scott"
* Default password for FTP connection is "tiger"
...
...
// Default username for database connection is "scott"
// Default password for database connection is "tiger"
...
...
// Default username for database connection is "scott"
// Default password for database connection is "tiger"
...
...
// Default username for database connection is "scott"
// Default password for database connection is "tiger"
...
...
// Default username for database connection is "scott"
// Default password for database connection is "tiger"
...
...
* Default username for database connection is "scott"
* Default password for database connection is "tiger"
...
...
<!-- Default username for database connection is "scott" -->
<!-- Default password for database connection is "tiger" -->
...
...
// Default username for database connection is "scott"
// Default password for database connection is "tiger"
...
...
// Default username for database connection is "scott"
// Default password for database connection is "tiger"
...
...
// Default username for database connection is "scott"
// Default password for database connection is "tiger"
...
...
// Default username for database connection is "scott"
// Default password for database connection is "tiger"
...
...
-- Default username for database connection is "scott"
-- Default password for database connection is "tiger"
...
...
# Default username for database connection is "scott"
# Default password for database connection is "tiger"
...
...
#Default username for database connection is "scott"
#Default password for database connection is "tiger"
...
...
<config>
<!-- Default username/password is scott/tiger -->
<username></username>
<password></password>
</config>
...
...
'Default username for database connection is "scott"
'Default password for database connection is "tiger"
...
...
*Get the report that is to be deleted
r_name = request->get_form_field( 'report_name' ).
CONCATENATE `C:\\users\\reports\\` r_name INTO dsn.
DELETE DATASET dsn.
...
..\\..\\usr\\sap\\DVEBMGS00\\exe\\disp+work.exe
", the application will delete a critical file and immediately crash the SAP system.
...
PARAMETERS: p_date TYPE string.
*Get the invoice file for the date provided
CALL FUNCTION 'FILE_GET_NAME'
EXPORTING
logical_filename = 'INVOICE'
parameter_1 = p_date
IMPORTING
file_name = v_file
EXCEPTIONS
file_not_found = 1
OTHERS = 2.
IF sy-subrc <> 0.
* Implement suitable error handling here
ENDIF.
OPEN DATASET v_file FOR INPUT IN TEXT MODE.
DO.
READ DATASET v_file INTO v_record.
IF SY-SUBRC NE 0.
EXIT.
ELSE.
WRITE: / v_record.
ENDIF.
ENDDO.
...
..\\..\\usr\\sap\\sys\\profile\\default.pfl
" instead of a valid date, the application will reveal all the default SAP application server profile parameter settings - possibly leading to more refined attacks.../../tomcat/conf/server.xml
", which causes the application to delete one of its own configuration files.Example 2: The following code uses input from a configuration file to determine which file to open and write to a "Debug" console or a log file. If the program runs with adequate privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension
var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var rName:String = String(params["reportName"]);
var rFile:File = new File("/usr/local/apfr/reports/" + rName);
...
rFile.deleteFile();
.txt
.
var fs:FileStream = new FileStream();
fs.open(new File(String(configStream.readObject())+".txt"), FileMode.READ);
fs.readBytes(arr);
trace(arr);
public class MyController {
...
public PageRerference loadRes() {
PageReference ref = ApexPages.currentPage();
Map<String,String> params = ref.getParameters();
if (params.containsKey('resName')) {
if (params.containsKey('resPath')) {
return PageReference.forResource(params.get('resName'), params.get('resPath'));
}
}
return null;
}
}
..\\..\\Windows\\System32\\krnl386.exe
", which will cause the application to delete an important Windows system file.Example 2: The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with adequate privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension ".txt".
String rName = Request.Item("reportName");
...
File.delete("C:\\users\\reports\\" + rName);
sr = new StreamReader(resmngr.GetString("sub")+".txt");
while ((line = sr.ReadLine()) != null) {
Console.WriteLine(line);
}
../../apache/conf/httpd.conf
", which will cause the application to delete the specified configuration file.Example 2: The following code uses input from the command line to determine which file to open and echo back to the user. If the program runs with adequate privileges and malicious users can create soft links to the file, they can use the program to read the first part of any file on the system.
char* rName = getenv("reportName");
...
unlink(rName);
ifstream ifs(argv[0]);
string s;
ifs >> s;
cout << s;
...
EXEC CICS
WEB READ
FORMFIELD(FILE)
VALUE(FILENAME)
...
END-EXEC.
EXEC CICS
READ
FILE(FILENAME)
INTO(RECORD)
RIDFLD(ACCTNO)
UPDATE
...
END-EXEC.
...
..\\..\\Windows\\System32\\krnl386.exe
", which will cause the application to delete an important Windows system file.
<cffile action = "delete"
file = "C:\\users\\reports\\#Form.reportName#">
final server = await HttpServer.bind('localhost', 18081);
server.listen((request) async {
final headers = request.headers;
final path = headers.value('path');
File(path!).delete();
}
Example 1
, there is no validation of headers.value('path')
prior to performing delete functions on files.../../tomcat/conf/server.xml
", which causes the application to delete one of its own configuration files.Example 2: The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with adequate privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension
rName := "/usr/local/apfr/reports/" + req.FormValue("fName")
rFile, err := os.OpenFile(rName, os.O_RDWR|os.O_CREATE, 0755)
defer os.Remove(rName);
defer rFile.Close()
...
.txt
.
...
config := ReadConfigFile()
filename := config.fName + ".txt";
data, err := ioutil.ReadFile(filename)
...
fmt.Println(string(data))
../../tomcat/conf/server.xml
", which causes the application to delete one of its own configuration files.Example 2: The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with adequate privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension
String rName = request.getParameter("reportName");
File rFile = new File("/usr/local/apfr/reports/" + rName);
...
rFile.delete();
.txt
.
fis = new FileInputStream(cfg.getProperty("sub")+".txt");
amt = fis.read(arr);
out.println(arr);
Example 1
to the Android platform.
...
String rName = this.getIntent().getExtras().getString("reportName");
File rFile = getBaseContext().getFileStreamPath(rName);
...
rFile.delete();
...
../../tomcat/conf/server.xml
", which causes the application to delete one of its own configuration files.Example 2: The following code uses input from the local storage to determine which file to open and echo back to the user. If malicious users can change the contents of the local storage, they can use the program to read any file on the system that ends with the extension
...
var reportNameParam = "reportName=";
var reportIndex = document.indexOf(reportNameParam);
if (reportIndex < 0) return;
var rName = document.URL.substring(reportIndex+reportNameParam.length);
window.requestFileSystem(window.TEMPORARY, 1024*1024, function(fs) {
fs.root.getFile('/usr/local/apfr/reports/' + rName, {create: false}, function(fileEntry) {
fileEntry.remove(function() {
console.log('File removed.');
}, errorHandler);
}, errorHandler);
}, errorHandler);
.txt
.
...
var filename = localStorage.sub + '.txt';
function oninit(fs) {
fs.root.getFile(filename, {}, function(fileEntry) {
fileEntry.file(function(file) {
var reader = new FileReader();
reader.onloadend = function(e) {
var txtArea = document.createElement('textarea');
txtArea.value = this.result;
document.body.appendChild(txtArea);
};
reader.readAsText(file);
}, errorHandler);
}, errorHandler);
}
window.requestFileSystem(window.TEMPORARY, 1024*1024, oninit, errorHandler);
...
../../tomcat/conf/server.xml
", which causes the application to delete one of its own configuration files.Example 2: The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with adequate privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension
val rName: String = request.getParameter("reportName")
val rFile = File("/usr/local/apfr/reports/$rName")
...
rFile.delete()
.txt
.
fis = FileInputStream(cfg.getProperty("sub").toString() + ".txt")
amt = fis.read(arr)
out.println(arr)
Example 1
to the Android platform.
...
val rName: String = getIntent().getExtras().getString("reportName")
val rFile: File = getBaseContext().getFileStreamPath(rName)
...
rFile.delete()
...
- (NSData*) testFileManager {
NSString *rootfolder = @"/Documents/";
NSString *filePath = [rootfolder stringByAppendingString:[fileName text]];
NSFileManager *fm = [NSFileManager defaultManager];
return [fm contentsAtPath:filePath];
}
../../tomcat/conf/server.xml
", which causes the application to delete one of its own configuration files.Example 2: The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with adequate privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension
$rName = $_GET['reportName'];
$rFile = fopen("/usr/local/apfr/reports/" . rName,"a+");
...
unlink($rFile);
.txt
.
...
$filename = $CONFIG_TXT['sub'] . ".txt";
$handle = fopen($filename,"r");
$amt = fread($handle, filesize($filename));
echo $amt;
...
../../tomcat/conf/server.xml
", which causes the application to delete one of its own configuration files.Example 2: The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with adequate privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension
rName = req.field('reportName')
rFile = os.open("/usr/local/apfr/reports/" + rName)
...
os.unlink(rFile);
.txt
.
...
filename = CONFIG_TXT['sub'] + ".txt";
handle = os.open(filename)
print handle
...
../../tomcat/conf/server.xml
", which causes the application to delete one of its own configuration files.Example 2: The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with adequate privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension
rName = req['reportName']
File.delete("/usr/local/apfr/reports/#{rName}")
.txt
.
...
fis = File.new("#{cfg.getProperty("sub")}.txt")
amt = fis.read
puts amt
../../tomcat/conf/server.xml
", which causes the application to delete one of its own configuration files.Example 2: The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with adequate privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension
def readFile(reportName: String) = Action { request =>
val rFile = new File("/usr/local/apfr/reports/" + reportName)
...
rFile.delete()
}
.txt
.
val fis = new FileInputStream(cfg.getProperty("sub")+".txt")
val amt = fis.read(arr)
out.println(arr)
func testFileManager() -> NSData {
let filePath : String = "/Documents/\(fileName.text)"
let fm : NSFileManager = NSFileManager.defaultManager()
return fm.contentsAtPath(filePath)
}
..\conf\server.xml
", which causes the application to delete one of its own configuration files.Example 2: The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with adequate privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension
Dim rName As String
Dim fso As New FileSystemObject
Dim rFile as File
Set rName = Request.Form("reportName")
Set rFile = fso.GetFile("C:\reports\" & rName)
...
fso.DeleteFile("C:\reports\" & rName)
...
.txt
.
Dim fileName As String
Dim tsContent As String
Dim ts As TextStream
Dim fso As New FileSystemObject
fileName = GetPrivateProfileString("MyApp", "sub", _
"", value, Len(value), _
App.Path & "\" & "Config.ini")
...
Set ts = fso.OpenTextFile(fileName,1)
tsContent = ts.ReadAll
Response.Write tsContent
...
doExchange()
.
try {
doExchange();
}
catch (RareException e) {
// this can never happen
}
RareException
were to ever be thrown, the program would continue to execute as though nothing unusual had occurred. The program records no evidence indicating the special situation, potentially frustrating any later attempt to explain the program's behavior.DoExchange()
.
try {
DoExchange();
}
catch (RareException e) {
// this can never happen
}
RareException
were to ever be thrown, the program would continue to execute as though nothing unusual had occurred. The program records no evidence indicating the special situation, potentially frustrating any later attempt to explain the program's behavior.doExchange()
.
try {
doExchange();
}
catch (RareException e) {
// this can never happen
}
RareException
were to ever be thrown, the program would continue to execute as though nothing unusual had occurred. The program records no evidence indicating the special situation, potentially frustrating any later attempt to explain the program's behavior.doExchange()
.
try {
doExchange();
}
catch (exception $e) {
// this can never happen
}
RareException
were to ever be thrown, the program would continue to execute as though nothing unusual had occurred. The program records no evidence indicating the special situation, potentially frustrating any later attempt to explain the program's behavior.open()
.
try:
f = open('myfile.txt')
s = f.readline()
i = int(s.strip())
except:
# This will never happen
pass
RareException
were to ever be thrown, the program would continue to execute as though nothing unusual had occurred. The program records no evidence indicating the special situation, potentially frustrating any later attempt to explain the program's behavior.
...
uid = 'scott'.
password = 'tiger'.
WRITE: / 'Default username for FTP connection is: ', uid.
WRITE: / 'Default password for FTP connection is: ', password.
...
pass = getPassword();
...
trace(id+":"+pass+":"+type+":"+tstamp);
Example 1
logs a plain text password to the file system. Although many developers trust the file system as a safe storage location for data, it should not be trusted implicitly, particularly when privacy is a concern.
...
ResetPasswordResult passRes = System.resetPassword(id1, true);
System.Debug('New password: '+passRes.getPassword());
...
pass = GetPassword();
...
dbmsLog.WriteLine(id+":"+pass+":"+type+":"+tstamp);
Example 1
logs a plain text password to the file system. Although many developers trust the file system as a safe storage location for data, it should not be trusted implicitly, particularly when privacy is a concern.get_password()
function returns the user-supplied plain text password associated with the account.
pass = get_password();
...
fprintf(dbms_log, "%d:%s:%s:%s", id, pass, type, tstamp);
Example 1
logs a plain text password to the file system. Although many developers trust the file system as a safe storage location for any and all data, it should not be trusted implicitly, particularly when privacy is a concern.
...
MOVE "scott" TO UID.
MOVE "tiger" TO PASSWORD.
DISPLAY "Default username for database connection is: ", UID.
DISPLAY "Default password for database connection is: ", PASSWORD.
...
Session.pword
variable contains the plain text password associated with the account.
<cflog file="app_log" application="No" Thread="No"
text="#Session.uname#:#Session.pword#:#type#:#Now()#">
Example 1
logs a plain text password to the file system. Although many developers trust the file system as a safe storage location for data, it should not be trusted implicitly, particularly when privacy is a concern.
var pass = getPassword();
...
dbmsLog.println(id+":"+pass+":"+type+":"+tstamp);
Example 1
logs a plain text password to the file system. Although many developers trust the file system as a safe storage location for data, it should not be trusted implicitly, particularly when privacy is a concern.GetPassword()
function, which returns user-supplied plain text password associated with the account.
pass = GetPassword();
...
if err != nil {
log.Printf('%s: %s %s %s', id, pass, type, tsstamp)
}
Example 1
logs a plain text password to the application eventlog. Although many developers trust the eventlog as a safe storage location for data, it should not be trusted implicitly, particularly when privacy is a concern.
pass = getPassword();
...
dbmsLog.println(id+":"+pass+":"+type+":"+tstamp);
Example 1
logs a plain text password to the file system. Although many developers trust the file system as a safe storage location for data, it should not be trusted implicitly, particularly when privacy is a concern.
...
webview.setWebViewClient(new WebViewClient() {
public void onReceivedHttpAuthRequest(WebView view,
HttpAuthHandler handler, String host, String realm) {
String[] credentials = view.getHttpAuthUsernamePassword(host, realm);
String username = credentials[0];
String password = credentials[1];
Intent i = new Intent();
i.setAction("SEND_CREDENTIALS");
i.putExtra("username", username);
i.putExtra("password", password);
view.getContext().sendBroadcast(i);
}
});
...
SEND_CREDENTIALS
action will receive the message. The broadcast is not even protected with a permission to limit the number of recipients, although in this case we do not recommend using permissions as a fix.
localStorage.setItem('password', password);
pass = getPassword()
...
dbmsLog.println("$id:$pass:$type:$tstamp")
Example 1
logs a plain text password to the file system. Although many developers trust the file system as a safe storage location for data, it should not be trusted implicitly, particularly when privacy is a concern.
...
webview.webViewClient = object : WebViewClient() {
override fun onReceivedHttpAuthRequest(view: WebView,
handler: HttpAuthHandler, host: String, realm: String
) {
val credentials = view.getHttpAuthUsernamePassword(host, realm)
val username = credentials!![0]
val password = credentials[1]
val i = Intent()
i.action = "SEND_CREDENTIALS"
i.putExtra("username", username)
i.putExtra("password", password)
view.context.sendBroadcast(i)
}
}
...
SEND_CREDENTIALS
action will receive the message. The broadcast is not even protected with a permission to limit the number of recipients, although in this case we do not recommend using permissions as a fix.
locationManager = [[CLLocationManager alloc] init];
locationManager.delegate = self;
locationManager.desiredAccuracy = kCLLocationAccuracyBest;
locationManager.distanceFilter = kCLDistanceFilterNone;
[locationManager startUpdatingLocation];
CLLocation *location = [locationManager location];
// Configure the new event with information from the location
CLLocationCoordinate2D coordinate = [location coordinate];
NSString *latitude = [NSString stringWithFormat:@"%f", coordinate.latitude];
NSString *longitude = [NSString stringWithFormat:@"%f", coordinate.longitude];
NSLog(@"dLatitude : %@", latitude);
NSLog(@"dLongitude : %@",longitude);
NSString *urlWithParams = [NSString stringWithFormat:TOKEN_URL, latitude, longitude];
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:urlWithParams]];
[request setHTTPMethod:@"GET"];
[[NSURLConnection alloc] initWithRequest:request delegate:self];
NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
// Add password to user defaults
[defaults setObject:@"Super Secret" forKey:@"passwd"];
[defaults synchronize];
getPassword()
function that returns user-supplied plain text password associated with the account.
<?php
$pass = getPassword();
trigger_error($id . ":" . $pass . ":" . $type . ":" . $tstamp);
?>
Example 1
logs a plain text password to the application eventlog. Although many developers trust the eventlog as a safe storage location for data, it should not be trusted implicitly, particularly when privacy is a concern.OWA_SEC.get_password()
function returns the user-supplied plain text password associated with the account, which is then printed to the HTTP response.
...
HTP.htmlOpen;
HTP.headOpen;
HTP.title (.Account Information.);
HTP.headClose;
HTP.bodyOpen;
HTP.br;
HTP.print('User ID: ' ||
OWA_SEC.get_user_id || '');
HTP.print('User Password: ' ||
OWA_SEC.get_password || '');
HTP.br;
HTP.bodyClose;
HTP.htmlClose;
...
getPassword()
function that returns user-supplied plain text password associated with the account.
pass = getPassword();
logger.warning('%s: %s %s %s', id, pass, type, tsstamp)
Example 1
logs a plain text password to the application eventlog. Although many developers trust the eventlog as a safe storage location for data, it should not be trusted implicitly, particularly when privacy is a concern.get_password()
function returns the user-supplied plain text password associated with the account.
pass = get_password()
...
dbms_logger.warn("#{id}:#{pass}:#{type}:#{tstamp}")
Example 1
logs a plain text password to the file system. Although many developers trust the file system as a safe storage location for data, it should not be trusted implicitly, particularly when privacy is a concern.
val pass = getPassword()
...
dbmsLog.println(id+":"+pass+":"+type+":"+tstamp)
Example 1
logs a plain text password to the file system. Although many developers trust the file system as a safe storage location for data, it should not be trusted implicitly, particularly when privacy is a concern.
import CoreLocation
...
var locationManager : CLLocationManager!
var seenError : Bool = false
var locationFixAchieved : Bool = false
var locationStatus : NSString = "Not Started"
seenError = false
locationFixAchieved = false
locationManager = CLLocationManager()
locationManager.delegate = self
locationManager.locationServicesEnabled
locationManager.desiredAccuracy = kCLLocationAccuracyBest
locationManager.startUpdatingLocation()
...
if let location: CLLocation! = locationManager.location {
var coordinate : CLLocationCoordinate2D = location.coordinate
let latitude = NSString(format:@"%f", coordinate.latitude)
let longitude = NSString(format:@"%f", coordinate.longitude)
NSLog("dLatitude : %@", latitude)
NSLog("dLongitude : %@",longitude)
let urlString : String = "http://myserver.com/?lat=\(latitude)&lon=\(longitude)"
let url : NSURL = NSURL(string:urlString)
let request : NSURLRequest = NSURLRequest(URL:url)
var err : NSError?
var response : NSURLResponse?
var data : NSData = NSURLConnection.sendSynchronousRequest(request, returningResponse: &response, error:&err)
} else {
println("no location...")
}
let defaults : NSUserDefaults = NSUserDefaults.standardUserDefaults()
// Add password to user defaults
defaults.setObject("Super Secret" forKey:"passwd")
defaults.synchronize()
getPassword
function returns the user-supplied plain text password associated with the account.
pass = getPassword
...
App.EventLog id & ":" & pass & ":" & type & ":" &tstamp, 4
...
Example 1
logs a plain text password to the application eventlog. Although many developers trust the eventlog as a safe storage location for data, it should not be trusted implicitly, particularly when privacy is a concern.
...
PageReference ref = ApexPages.currentPage();
Map<String,String> params = ref.getParameters();
HttpRequest req = new HttpRequest();
req.setEndpoint(params.get('url'));
HTTPResponse res = new Http().send(req);
http
or https
such as:
string url = Request.Form["url"];
HttpClient client = new HttpClient();
HttpResponseMessage response = await client.GetAsync(url);
http
or https
like:
char *url = maliciousInput();
CURL *curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_URL, url);
CURLcode res = curl_easy_perform(curl);
http
or https
such as:
...
final server = await HttpServer.bind('localhost', 18081);
server.listen((request) async {
final headers = request.headers;
final url = headers.value('url');
final client = IOClient();
final response = await client.get(Uri.parse(url!));
...
}
http
or https
such as:
url := request.Form.Get("url")
res, err =: http.Get(url)
...
http
or https
like:
String url = request.getParameter("url");
CloseableHttpClient httpclient = HttpClients.createDefault();
HttpGet httpGet = new HttpGet(url);
CloseableHttpResponse response1 = httpclient.execute(httpGet);
http
or https
like:
var http = require('http');
var url = require('url');
function listener(request, response){
var request_url = url.parse(request.url, true)['query']['url'];
http.request(request_url)
...
}
...
http.createServer(listener).listen(8080);
...
http
or https
like:
val url: String = request.getParameter("url")
val httpclient: CloseableHttpClient = HttpClients.createDefault()
val httpGet = HttpGet(url)
val response1: CloseableHttpResponse = httpclient.execute(httpGet)
http
or https
like:
$url = $_GET['url'];
$c = curl_init();
curl_setopt($c, CURLOPT_POST, 0);
curl_setopt($c,CURLOPT_URL,$url);
$response=curl_exec($c);
curl_close($c);
http
or https
like:
url = request.GET['url']
handle = urllib.urlopen(url)
http
or https
like:
url = req['url']
Net::HTTP.get(url)
http
or https
like:
def getFile(url: String) = Action { request =>
...
val url = request.body.asText.getOrElse("http://google.com")
ws.url(url).get().map { response =>
Ok(s"Request sent to $url")
}
...
}
http
or https
like:Example 2: Few examples of how an attacker that has control over the
POST /checkDetails HTTP/1.1
url=https://example.com/product/1
url
parameter can tamper the request in Example 1.
POST /checkDetails HTTP/1.1
url=https://localhost.com/admin
POST /checkDetails HTTP/1.1
url=file:///etc/passwd
http
or https
like:
...
public String inputValue {
get { return inputValue; }
set { inputValue = value; }
}
...
String queryString = 'SELECT Id FROM Contact WHERE (IsDeleted = false AND Name like \'%' + inputValue + '%\')';
result = Database.query(queryString);
...
SELECT Id FROM Contact WHERE (IsDeleted = false AND Name like '%inputValue%')
inputValue
does not contain a single-quote character. If an attacker enters the string name') OR (Name like '%
for inputValue
, then the query becomes the following:
SELECT Id FROM Contact WHERE (IsDeleted = false AND Name like '%name') OR (Name like '%%')
name') OR (Name like '%
condition causes the where clause to use the LIKE '%%'
condition, which will force the query to output all possible ID values, since it becomes logically equivalent to the much simpler query:
SELECT Id FROM Contact WHERE ... OR (Name like '%%')