Secure Coding mailing list archives

Insecure Java Code Snippets


From: rklists at gmail.com (Rohit Sethi)
Date: Thu, 7 May 2009 12:05:29 -0400

Brad, I recommend you approach this problem in reverse. Think of the
bug you want people to hunt for and then put together an appropriate
regular expression in Google Code Search
(http://www.google.com/codesearch).

For instance "lang:java request getParameter .*price" might be a good
starting point.
After doing that search I found a few different possible vulns.

Once you find a vulnerability you can extract as much or as little
code out of it as you'd like. I use this often in class design.

Cheers,

Rohit

On Wed, May 6, 2009 at 6:49 PM, Brad Andrews <andrews at rbacomm.com> wrote:

I had the name wrong, it was PC-Lint.

See

http://www.gimpel.com/html/bugs.htm

That is what I am looking for, not just a general listing of bugs or
insecure code. I want bugs that are hard to find and formatted like
this. If I do create some and do it on my own (outside work), I will
try to submit them to OWASP, possibly starting a project on that.

Try a few of the PC-Lint bugs, if you ever wrote C/C++ code. They can
be really hard to figure out, though maybe not by all the smart people
here! :)

Brad
_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________




-- 
Rohit Sethi
Security Compass
http://www.securitycompass.com
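The "work backwards from the bug" approach above can be reproduced offline without Google Code Search. The script below is an added example, not code from either poster: it runs a regex hunt for the bug class the suggested query targets (a price or discount read straight from `request.getParameter`) over three constructed Java servlet fragments embedded inline. The class names, variable names and the one-hop "propagation through a parse call" heuristic are all assumptions made for the example, and the last fragment is there to show that a server-side catalogue lookup is not flagged.

```python
import re

# Constructed sample Java servlet fragments (not from the original post).
# The first two take a money-related value from the client; the third only
# takes an item id from the request and looks the price up server-side.
SAMPLES = {
    "CheckoutServlet.java": """
public class CheckoutServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response) {
        String item = request.getParameter("item");
        double price = Double.parseDouble(request.getParameter("price"));
        int qty = Integer.parseInt(request.getParameter("qty"));
        cart.charge(item, price * qty);
    }
}
""",
    "DiscountServlet.java": """
protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
    String raw = req.getParameter("discountPct");
    int discountPct = Integer.parseInt(raw);
    order.applyDiscount(discountPct);
}
""",
    "SafeCheckoutServlet.java": """
protected void doPost(HttpServletRequest request, HttpServletResponse response) {
    String itemId = request.getParameter("item");
    Product p = catalog.lookup(itemId);
    double price = p.getPrice();
    cart.charge(itemId, price);
}
""",
}

# Names that should never be supplied by the client (assumed word list).
SENSITIVE = re.compile(r"(price|amount|total|discount|cost)", re.IGNORECASE)

# `[type] var = ... something.getParameter("name")` on one line:
# group 1 is the receiving variable, group 2 the request parameter name.
DIRECT = re.compile(
    r'(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*[^;]*?\w+\.getParameter\(\s*"([^"]+)"\s*\)'
)
# `[type] var = Some.call(otherVar)`: one hop of propagation through any
# single-argument call (Integer.parseInt, Double.parseDouble, ...).  This
# deliberately over-approximates; a lookup call is treated like a parse.
PROPAGATE = re.compile(r'(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*[\w.]+\((\w+)\)')


def find_client_controlled(source):
    """Return (line_no, variable, parameter) triples for every place a
    sensitive-looking value is taken from the request, either directly or
    through one parse/convert hop from a variable that came from the request."""
    tainted = {}  # variable name -> request parameter it was read from
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        m = DIRECT.search(line)
        if m:
            var, param = m.groups()
            tainted[var] = param
            if SENSITIVE.search(var) or SENSITIVE.search(param):
                hits.append((no, var, param))
            continue
        m = PROPAGATE.search(line)
        if m and m.group(2) in tainted:
            var, src = m.groups()
            tainted[var] = tainted[src]
            if SENSITIVE.search(var) or SENSITIVE.search(tainted[src]):
                hits.append((no, var, tainted[src]))
    return hits


def scan(samples):
    """Run the hunt over a {filename: source} mapping."""
    return {name: find_client_controlled(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        for no, var, param in hits:
            print(f"{name}:{no}: '{var}' is taken from request parameter '{param}'")
```

Running it flags `price` in CheckoutServlet and both `raw` and `discountPct` in DiscountServlet, while SafeCheckoutServlet produces nothing because the only request value it reads is an item id. Each flagged line is a candidate to cut out as a self-contained "find the bug" snippet, exactly as the message suggests; the regexes are a starting point to tune, not a substitute for reading the surrounding code.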


