Use of Obsolete Methods
The use of deprecated or obsolete functions may indicate neglected code. As programming languages evolve, functions occasionally become obsolete due to: advances in the language, improved ...
This vulnerability is caused by unsafe use of the reflection mechanisms in programming languages like Java or C#. An attacker may be able to create unexpected control flow paths through the ...
There are several functions which - under certain circumstances, if used in a signal handler - may result in the corruption of memory, allowing for exploitation of the process. Consequences...
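Added example, not part of the original listing: the handler below that calls printf() is the pattern the entry warns about (stdio and malloc hold locks and global state, so re-entering them from a handler can corrupt the heap or deadlock), and the second handler shows the safe shape: store a volatile sig_atomic_t flag, use only write(2), and do the real work in normal context afterwards. The demo function installs the safe handler on SIGUSR1 and raises it on itself; the signal number and function names are my choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* sig_atomic_t is the only type C guarantees can be written atomically
   from a handler; volatile stops the compiler from caching it. */
static volatile sig_atomic_t got_signal = 0;

/* UNSAFE: printf() takes the stdio lock and touches global buffers.
   If SIGUSR1 arrives while the main code is inside printf()/malloc(),
   this handler re-enters that state. Shown for contrast only. */
void unsafe_handler(int signo) {
    printf("caught signal %d\n", signo);   /* not async-signal-safe */
}

/* SAFE: only a flag store and write(2), both async-signal-safe. */
void safe_handler(int signo) {
    static const char msg[] = "signal received\n";
    ssize_t n;
    (void)signo;
    got_signal = 1;
    n = write(STDOUT_FILENO, msg, sizeof msg - 1);  /* on the POSIX safe list */
    (void)n;                                        /* nothing useful to do on error here */
}

/* Install safe_handler for SIGUSR1, raise it, and report whether the flag
   was set. Returns 1 on success, 0 if the handler did not run, -1 on error. */
int run_safe_signal_demo(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    if (sigaction(SIGUSR1, &sa, NULL) != 0)
        return -1;
    got_signal = 0;
    if (raise(SIGUSR1) != 0)          /* single-threaded: handler runs before raise() returns */
        return -1;
    /* Back in normal context: logging, allocation etc. are fine from here. */
    return got_signal ? 1 : 0;
}

int main(void) {
    printf("demo result: %d\n", run_safe_signal_demo());
    return 0;
}
```

The check a reviewer applies to any handler: every call inside it must be on the POSIX async-signal-safe list (write, _exit, sigaction, and similar); anything from stdio, malloc, syslog or the locale machinery is moved out behind a flag.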
Mobile code, such as a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little if any control of the environment in ...
Improper use of the Java Native Interface (JNI) can render Java applications vulnerable to security flaws in other languages. Unsafe JNI errors occur when a Java application uses JNI to call code ...
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code ...
Relying on proper string termination may result in a buffer overflow. String termination errors occur when: data enters a program via a function that does not null terminate its output. ...
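Added example, not from the original listing: strncpy() is the classic case of a function that does not terminate its output when the source fills the destination, and read()/recv() hand back raw bytes with no terminator at all. The first function shows the unterminated buffer the entry describes; bounded_copy() and terminate_raw() are my hardened replacements (strlcpy-style contract), and the packet bytes in the usage are constructed. Buffer size and function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8

/* Returns 1 if strncpy() left the destination without a NUL, which is the
   bug condition: a later strlen()/printf("%s") then reads past the buffer. */
int strncpy_leaves_unterminated(const char *src) {
    char buf[BUF_SIZE];
    memset(buf, 'X', sizeof buf);          /* stale bytes, as on a real stack */
    strncpy(buf, src, sizeof buf);         /* no NUL written when strlen(src) >= 8 */
    return memchr(buf, '\0', sizeof buf) == NULL;
}

/* Bounded copy that always terminates. Returns strlen(src) so the caller
   can detect truncation by comparing against dstsize (strlcpy contract). */
size_t bounded_copy(char *dst, size_t dstsize, const char *src) {
    size_t srclen = strlen(src);
    size_t n;
    if (dstsize == 0)
        return srclen;
    n = srclen < dstsize - 1 ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;
}

/* Data arriving from read()/recv() is n raw bytes with no terminator.
   Keep at most dstsize-1 of them and always terminate; returns bytes kept. */
size_t terminate_raw(char *dst, size_t dstsize, const unsigned char *raw, size_t n) {
    size_t keep;
    if (dstsize == 0)
        return 0;
    keep = n < dstsize - 1 ? n : dstsize - 1;
    memcpy(dst, raw, keep);
    dst[keep] = '\0';
    return keep;
}

int main(void) {
    /* constructed "packet": 10 bytes, no NUL, longer than the buffer */
    const unsigned char pkt[] = {'a','b','c','d','e','f','g','h','i','j'};
    char out[BUF_SIZE];
    printf("strncpy(\"exactly8\") unterminated: %d\n",
           strncpy_leaves_unterminated("exactly8"));
    printf("kept %zu bytes: \"%s\"\n", terminate_raw(out, sizeof out, pkt, sizeof pkt), out);
    printf("bounded_copy truncated: %d\n",
           bounded_copy(out, sizeof out, "far too long") >= sizeof out);
    return 0;
}
```

Note that the dangerous case is not only the oversized input: a source of exactly BUF_SIZE characters also leaves no room for the terminator, which is why the check is `>=` rather than `>`.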
Session Variable Overloading (also known as Session Puzzling) is an application level vulnerability which can enable an attacker to perform a variety of malicious actions not limited to:...
Executing commands from an untrusted source or in an untrusted environment can cause an application to execute malicious commands on behalf of an attacker. Process control vulnerabilities take two ...
Mishandling private information, such as customer passwords or social security numbers, can compromise user privacy, and is often illegal. Privacy violations occur when: private user ...
Loggers should be declared to be static and final. It is good programming practice to share a single logger object between all of the instances of a particular class and to use the same logger for ...
Storing a password in plaintext may result in a system compromise. Password management issues occur when a password is stored in plaintext in an application's properties or configuration file. A ...
Hardcoded passwords may compromise system security in a way that cannot be easily remedied. It is never a good idea to hardcode a password. Not only does hardcoding a password allow all of the ...
PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path ...
Failure to enable validation when parsing XML gives an attacker the opportunity to supply malicious input. Most successful attacks begin with a violation of the programmer's assumptions. By ...
A web application must define a default error page for 404 errors, 500 errors, and to catch java.lang.Throwable exceptions, to prevent attackers from mining information from the application container's ...
A memory leak is an unintentional form of memory consumption whereby the developer fails to free an allocated block of memory when no longer needed. The consequences of such an issue depend on the ...
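Added example, not from the original listing: the leak most often hides on an error path, where an early return drops a block that was allocated a few lines above. process_leaky() has that bug; process_fixed() routes every exit through one cleanup label. The tracking wrappers around malloc/free are my instrumentation so the leak is observable in-process; the "key=value" record format is a constructed stand-in for whatever the real parser reads.

```c
#include <stdlib.h>
#include <string.h>

/* Instrumentation: count live allocations so a leak shows up as a number. */
static int live_allocs = 0;

static void *track_malloc(size_t n) {
    void *p = malloc(n);
    if (p != NULL)
        live_allocs++;
    return p;
}

static void track_free(void *p) {
    if (p != NULL) {
        live_allocs--;
        free(p);
    }
}

int live_allocations(void) {
    return live_allocs;
}

/* LEAKY: parses "key=value"; on a malformed record it returns early and
   the copy is never freed. A server calling this per request leaks one
   block per bad request, and attacker-supplied bad records exhaust memory. */
int process_leaky(const char *input) {
    char *copy = track_malloc(strlen(input) + 1);
    if (copy == NULL)
        return -1;
    strcpy(copy, input);
    if (strchr(copy, '=') == NULL)
        return -1;                 /* BUG: 'copy' leaked on this path */
    track_free(copy);
    return 0;
}

/* FIXED: a single exit path owns the free, so every return releases 'copy'. */
int process_fixed(const char *input) {
    int rc = -1;
    char *copy = track_malloc(strlen(input) + 1);
    if (copy == NULL)
        return -1;
    strcpy(copy, input);
    if (strchr(copy, '=') == NULL)
        goto out;                  /* error, but still falls through to cleanup */
    rc = 0;
out:
    track_free(copy);
    return rc;
}

int main(void) {
    process_leaky("no-separator");     /* leaves one block live */
    process_fixed("no-separator");     /* leaves nothing behind */
    return live_allocations() == 1 ? 0 : 1;
}
```

In real code the counter is replaced by the tools that do the same job from outside: building with -fsanitize=address reports the leaked block and its allocation site at exit, and valgrind's memcheck does the same without recompiling.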
The WebLogic deployment descriptor should specify a session identifier length of at least 128 bits. A shorter session identifier leaves the application open to brute-force session guessing attacks. ...
The application configuration should ensure that SSL is used for all access controlled pages. If an application uses SSL to guarantee confidential communication with client browsers, the application ...
Applications require temporary files so frequently that many different mechanisms exist for creating them in the C Library and Windows® API. Most of these functions are vulnerable to various forms of ...
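Added example, not from the original listing: temp_file_racy() reproduces the vulnerable shape most of the older C functions share, a predictable name chosen first and the file created later without O_EXCL, so an attacker who can write to the directory plants a symlink of that name in between and the process truncates or writes whatever the link points at. temp_file_secure() uses mkstemp(), which picks a random suffix and creates the file atomically with O_CREAT|O_EXCL and mode 0600; temp_file_is_private() is my check that the result is what was expected. The "app." prefix and TMPDIR handling are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* VULNERABLE: name is guessable (PID), and open() without O_EXCL follows
   a symlink an attacker placed at that path between "choose name" and
   "create file". World-writable /tmp makes this practical. */
int temp_file_racy(void) {
    char path[64];
    snprintf(path, sizeof path, "/tmp/app.%ld", (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);   /* no O_EXCL */
}

/* SAFE: mkstemp() replaces the XXXXXX with random characters and creates
   the file itself with O_CREAT|O_EXCL|O_RDWR and mode 0600, so there is no
   window between choosing the name and owning the file. On success the
   chosen path is written back into 'path' (needed for the later unlink). */
int temp_file_secure(char *path, size_t pathsize) {
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    if (snprintf(path, pathsize, "%s/app.XXXXXX", dir) >= (int)pathsize)
        return -1;                           /* template did not fit */
    return mkstemp(path);                    /* -1 and errno on failure */
}

/* Post-condition check on the open descriptor: a regular file, mode 0600,
   a single link (not something an attacker hard-linked elsewhere). */
int temp_file_is_private(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode)
        && (st.st_mode & 0777) == 0600
        && st.st_nlink == 1;
}

int main(void) {
    char path[512];
    int fd = temp_file_secure(path, sizeof path);
    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    printf("%s private=%d\n", path, temp_file_is_private(fd));
    close(fd);
    unlink(path);
    return 0;
}
```

Keep using the descriptor mkstemp() returned rather than reopening the file by name; reopening by path reintroduces the race the function was chosen to remove. For a scratch directory the equivalent is mkdtemp(), and on Windows the same reasoning applies to GetTempFileName() followed by a separate CreateFile().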