 High | SQL Injection |
CWE-89
|
SqlInjectionLesson8.java:138
| 2 | 2025-01-08 11:32am |
 Vulnerable Code
|
|
|
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')"; |
|
|
|
try { |
|
Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE); |
|
statement.executeUpdate(logQuery); |
2 Data Flow/s detected
View Data Flow 1
|
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) { |
|
return injectableQueryConfidentiality(name, auth_tan); |
|
protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) { |
|
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; |
|
public static void log(Connection connection, String action) { |
|
action = action.replace('\'', '"'); |
|
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')"; |
|
statement.executeUpdate(logQuery); |
View Data Flow 2
|
public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) { |
|
return injectableQueryIntegrity(name, auth_tan); |
|
protected AttackResult injectableQueryIntegrity(String name, String auth_tan) { |
|
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; |
|
SqlInjectionLesson8.log(connection, query); |
|
public static void log(Connection connection, String action) { |
|
action = action.replace('\'', '"'); |
|
String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')"; |
|
statement.executeUpdate(logQuery); |
 Secure Code Warrior Training Material
● Training
▪ Secure Code Warrior SQL Injection Training
● Videos
▪ Secure Code Warrior SQL Injection Video
● Further Reading
▪ OWASP SQL Injection Prevention Cheat Sheet
▪ OWASP SQL Injection
▪ OWASP Query Parameterization Cheat Sheet
|
| |
| High | SQL Injection |
CWE-89
|
SqlInjectionLesson5a.java:62
| 1 | 2025-01-08 11:32am |
Vulnerable Code
|
protected AttackResult injectableQuery(String accountName) { |
|
String query = ""; |
|
try (Connection connection = dataSource.getConnection()) { |
|
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; |
|
try (Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) { |
|
ResultSet results = statement.executeQuery(query); |
1 Data Flow/s detected
|
public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) { |
|
return injectableQuery(account + " " + operator + " " + injection); |
|
protected AttackResult injectableQuery(String accountName) { |
|
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; |
|
ResultSet results = statement.executeQuery(query); |
Secure Code Warrior Training Material
● Training
▪ Secure Code Warrior SQL Injection Training
● Videos
▪ Secure Code Warrior SQL Injection Video
● Further Reading
▪ OWASP SQL Injection Prevention Cheat Sheet
▪ OWASP SQL Injection
▪ OWASP Query Parameterization Cheat Sheet
|
| |
| High | SQL Injection |
CWE-89
|
Assignment5.java:60
| 1 | 2025-01-08 11:32am |
Vulnerable Code
|
} |
|
if (!"Larry".equals(username_login)) { |
|
return failed(this).feedback("user.not.larry").feedbackArgs(username_login).build(); |
|
} |
|
try (var connection = dataSource.getConnection()) { |
|
PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'"); |
1 Data Flow/s detected
|
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception { |
|
PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'"); |
Secure Code Warrior Training Material
● Training
▪ Secure Code Warrior SQL Injection Training
● Videos
▪ Secure Code Warrior SQL Injection Video
● Further Reading
▪ OWASP SQL Injection Prevention Cheat Sheet
▪ OWASP SQL Injection
▪ OWASP Query Parameterization Cheat Sheet
|
| |
| High | Path/Directory Traversal |
CWE-22
|
ProfileUploadBase.java:47
| 3 | 2025-01-08 11:32am |
Vulnerable Code
|
|
|
try { |
|
uploadDirectory.mkdirs(); |
|
var uploadedFile = new File(uploadDirectory, fullName); |
|
uploadedFile.createNewFile(); |
|
FileCopyUtils.copy(file.getBytes(), uploadedFile); |
3 Data Flow/s detected
View Data Flow 1
|
public AttackResult uploadFileHandler(@RequestParam("uploadedFile") MultipartFile file, @RequestParam(value = "fullName", required = false) String fullName) { |
|
return super.execute(file, fullName); |
|
protected AttackResult execute(MultipartFile file, String fullName) { |
|
FileCopyUtils.copy(file.getBytes(), uploadedFile); |
View Data Flow 2
|
public AttackResult uploadFileHandler(@RequestParam("uploadedFileRemoveUserInput") MultipartFile file) { |
|
return super.execute(file, file.getOriginalFilename()); |
|
protected AttackResult execute(MultipartFile file, String fullName) { |
|
FileCopyUtils.copy(file.getBytes(), uploadedFile); |
View Data Flow 3
|
public AttackResult uploadFileHandler( |
|
return super.execute(file, fullName != null ? fullName.replace("../", "") : ""); |
|
protected AttackResult execute(MultipartFile file, String fullName) { |
|
FileCopyUtils.copy(file.getBytes(), uploadedFile); |
Secure Code Warrior Training Material
● Training
▪ Secure Code Warrior Path/Directory Traversal Training
● Videos
▪ Secure Code Warrior Path/Directory Traversal Video
● Further Reading
▪ OWASP Path Traversal
▪ OWASP Input Validation Cheat Sheet
|
| |
| High | Server Side Request Forgery |
CWE-918
|
SSRFTask2.java:53
| 1 | 2025-01-08 11:32am |
Vulnerable Code
|
} |
|
|
|
protected AttackResult furBall(String url) { |
|
if (url.matches("http://ifconfig.pro")) { |
|
String html; |
|
try (InputStream in = new URL(url).openStream()) { |
1 Data Flow/s detected
|
public AttackResult completed(@RequestParam String url) { |
|
protected AttackResult furBall(String url) { |
|
try (InputStream in = new URL(url).openStream()) { |
Secure Code Warrior Training Material
● Training
▪ Secure Code Warrior Server Side Request Forgery Training
● Videos
▪ Secure Code Warrior Server Side Request Forgery Video
|
| |
| High | Path/Directory Traversal |
CWE-22
|
ProfileUploadRetrieval.java:93
| 1 | 2025-01-08 11:32am |
Vulnerable Code
|
if (catPicture.getName().toLowerCase().contains("path-traversal-secret.jpg")) { |
|
return ResponseEntity.ok() |
|
.contentType(MediaType.parseMediaType(MediaType.IMAGE_JPEG_VALUE)) |
|
.body(FileCopyUtils.copyToByteArray(catPicture)); |
|
} |
|
if (catPicture.exists()) { |
1 Data Flow/s detected
|
var id = request.getParameter("id"); |
|
var catPicture = new File(catPicturesDirectory, (id == null ? RandomUtils.nextInt(1, 11) : id) + ".jpg"); |
|
if (catPicture.exists()) { |
Secure Code Warrior Training Material
● Training
▪ Secure Code Warrior Path/Directory Traversal Training
● Videos
▪ Secure Code Warrior Path/Directory Traversal Video
● Further Reading
▪ OWASP Path Traversal
▪ OWASP Input Validation Cheat Sheet
|
| |
| High | Deserialization of Untrusted Data |
CWE-502
|
InsecureDeserializationTask.java:56
| 1 | 2025-01-08 11:32am |
Vulnerable Code
|
|
|
b64token = token.replace('-', '+').replace('_', '/'); |
|
|
|
try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(b64token)))) { |
|
before = System.currentTimeMillis(); |
|
Object o = ois.readObject(); |
1 Data Flow/s detected
|
public AttackResult completed(@RequestParam String token) throws IOException { |
|
b64token = token.replace('-', '+').replace('_', '/'); |
|
try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(b64token)))) { |
|
Object o = ois.readObject(); |
Secure Code Warrior Training Material
● Training
▪ Secure Code Warrior Deserialization of Untrusted Data Training
● Videos
▪ Secure Code Warrior Deserialization of Untrusted Data Video
● Further Reading
▪ OWASP Deserialization Cheat Sheet
▪ OWASP Top Ten 2017 A8: Insecure Deserialization
▪ OWASP Deserialization of untrusted data
|
| |
| High | SQL Injection |
CWE-89
|
SqlInjectionLesson6a.java:67
| 3 | 2025-01-08 11:32am |
Vulnerable Code
|
if (!accountName.matches("(?i)(^[^-/*;)]*)(\\s*)UNION(.*$)")) { |
|
usedUnion = false; |
|
} |
|
try (Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, |
|
ResultSet.CONCUR_READ_ONLY)) { |
|
ResultSet results = statement.executeQuery(query); |
3 Data Flow/s detected
View Data Flow 1
|
public AttackResult completed(@RequestParam String userid_6a) { |
|
return injectableQuery(userid_6a); |
|
public AttackResult injectableQuery(String accountName) { |
|
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; |
|
ResultSet results = statement.executeQuery(query); |
View Data Flow 2
|
public AttackResult attack(@RequestParam("userid_sql_only_input_validation") String userId) { |
|
AttackResult attackResult = lesson6a.injectableQuery(userId); |
|
public AttackResult injectableQuery(String accountName) { |
|
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; |
|
ResultSet results = statement.executeQuery(query); |
View Data Flow 3
|
public AttackResult attack(@RequestParam("userid_sql_only_input_validation_on_keywords") String userId) { |
|
userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); |
|
AttackResult attackResult = lesson6a.injectableQuery(userId); |
|
public AttackResult injectableQuery(String accountName) { |
|
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; |
|
ResultSet results = statement.executeQuery(query); |
Secure Code Warrior Training Material
● Training
▪ Secure Code Warrior SQL Injection Training
● Videos
▪ Secure Code Warrior SQL Injection Video
● Further Reading
▪ OWASP SQL Injection Prevention Cheat Sheet
▪ OWASP SQL Injection
▪ OWASP Query Parameterization Cheat Sheet
|
| |
| High | Path/Directory Traversal |
CWE-22
|
ProfileZipSlip.java:54
| 2 | 2025-01-08 11:32am |
Vulnerable Code
|
|
|
Files.createDirectories(uploadDirectory.toPath()); |
|
|
|
try { |
|
var uploadedZipFile = tmpZipDirectory.resolve(file.getOriginalFilename()); |
|
FileCopyUtils.copy(file.getBytes(), uploadedZipFile.toFile()); |
2 Data Flow/s detected
View Data Flow 1
|
public AttackResult uploadFileHandler(@RequestParam("uploadedFileZipSlip") MultipartFile file) { |
|
return processZipUpload(file); |
|
private AttackResult processZipUpload(MultipartFile file) { |
|
FileCopyUtils.copy(file.getBytes(), uploadedZipFile.toFile()); |
View Data Flow 2
|
public AttackResult uploadFileHandler(@RequestParam("uploadedFileZipSlip") MultipartFile file) { |
|
return processZipUpload(file); |
|
private AttackResult processZipUpload(MultipartFile file) { |
|
var uploadedZipFile = tmpZipDirectory.resolve(file.getOriginalFilename()); |
|
FileCopyUtils.copy(file.getBytes(), uploadedZipFile.toFile()); |
Secure Code Warrior Training Material
● Training
▪ Secure Code Warrior Path/Directory Traversal Training
● Videos
▪ Secure Code Warrior Path/Directory Traversal Video
● Further Reading
▪ OWASP Path Traversal
▪ OWASP Input Validation Cheat Sheet
|
| |
| High | Deserialization of Untrusted Data |
CWE-502
|
VulnerableComponentsLesson.java:52
| 1 | 2025-01-08 11:32am |
Vulnerable Code
|
|
|
try { |
|
if (!StringUtils.isEmpty(payload)) { |
|
payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<"); |
|
} |
|
contact = (Contact) xstream.fromXML(payload); |
1 Data Flow/s detected
|
AttackResult completed(@RequestParam String payload) { |
Secure Code Warrior Training Material
● Training
▪ Secure Code Warrior Deserialization of Untrusted Data Training
● Videos
▪ Secure Code Warrior Deserialization of Untrusted Data Video
● Further Reading
▪ OWASP Deserialization Cheat Sheet
▪ OWASP Top Ten 2017 A8: Insecure Deserialization
▪ OWASP Deserialization of untrusted data
|
High
Medium
Low