Home
Solutions
Public missions & guidelines

Secure Coding Made Practical

Explore secure coding guidelines to understand and mitigate software vulnerabilities like the OWASP Top 10, and dive into guided training Missions to practices in real-world app simulations.

Book a demo
Public missions
Guidelines

Browse all missions

Table of contents
SQL InjectionSpring MvcRequestMatchersTrojan Source - Using Components From Untrusted SourcesPsychic signatures - Using Known Vulnerable ComponentsApache Path Traversal - Using Known Vulnerable ComponentsCodestashbin - Insecure Password Reset FunctionLog4j - Using  Known Vulnerable ComponentsCross-site scripting (XSS) in ‘ChatterGPT’
View More
Increase productivity
SQL Injection
We received reports from a user that they were able to exploit an SQL Injection vulnerability in the transaction search feature of the internet bank solution. They stated that they were able to view transactions that belong to other users and pointed out that this vulnerability could allow an attacker to do all sorts of nasty stuff to the database like dropping tables, viewing data from other tables, inserting data etc. Try your hand at replicating what the user did in this mission.
Increase productivity
Spring MvcRequestMatchers
In March 2023, Spring released a fix for an internally discovered vulnerability, called CVE-2023-20860, where the use of a double wildcard ** in mvcRequestMatchers could cause a pattern mismatch between Spring Security and Spring MVC. This could ultimately lead to users gaining unauthorized access to certain endpoints. We've set up a very simplified banking application with a few endpoints. Follow the instructions and try to reproduce the impact of this access control vulnerability.
Increase productivity
Trojan Source - Using Components From Untrusted Sources
One of our Viking Bank developers naively copied some code from an untrusted source on the internet, which potentially contains vulnerable components, to help write an admin authorization check to manage credit cards. We've noticed that users have been changing their credit card limit, even though only admins should have this privilege. We think there's something up with that code. Try out the mission to investigate the code.
Increase productivity
Psychic signatures - Using Known Vulnerable Components
CVE-2022-21449 has the coolest alias for a vulnerability, Psychic Signatures in Java. How did it get that name? It's a reference to Doctor Who's psychic papers. When shown to someone, these blank pieces of paper would be filled in with what they'd expect to see. Something similar happened in the Java (versions 15 till 18) implementation of the ECDSA algorithm, which has an effect on the signature verification of JWTs. We can submit an invalid signature, but Java will think it's valid. Want to see how it works? Let's get started.
Increase productivity
Apache Path Traversal - Using Known Vulnerable Components
On October 4th 2021, the Apache team released version 2.4.49 of Apache to address a path traversal and Remote Code Execution vulnerability in Apache 2.4.48, also known as CVE-2021-41773. On October 7th 2021, they released version 2.4.51 due to the fix in the 2.4.50 hotfix not being complete. This vulnerability was tracked as CVE-2021-42013. Try out this mission to see for yourself how this vulnerability can be exploited.
Increase productivity
Codestashbin - Insecure Password Reset Function
CodeStashBin is one of the world's largest code version control hosting companies. Rumour has it that the forgot password process is flawed with an insecure password reset function vulnerability. It might be possible to change a privileged user's password and gain access to their account. Jump into this mission to investigate the issue.
Increase productivity
Log4j - Using Known Vulnerable Components
The announcement early December 2021 of a 0-day exploit (CVE-2021-44228) in the very popular logging library Log4j, dropped a bombshell in the Java community. The exploit, dubbed Log4Shell affects Log4j v2 versions 2.0-beta9 to 2.14.1, and could lead to remote code execution. We've set up an environment to mock the exploit, so you can see the impact first hand. Try it now.
Increase productivity
Cross-site scripting (XSS) in ‘ChatterGPT’
This mission reveals the familiar interface of a popular LLM, and utilizes a real code snippet generated in late November 2023. Users can interpret this snippet and investigate any potential security pitfalls if it were to be used for its intended purpose.

Browse all guidelines

Browse By:
Hide Filters
Show Filters  
Clear Filters
Tag
Topic
View More

Insufficient Logging and Monitoring

Best practices:

Audit logging for sensitive functions
Error logging
Storing logs in a centralized location
Retain logs for a defined amount of time
Regularly audit logs for PII

Logging and monitoring are often an afterthought when something has already gone wrong, but really, failure to ensure there is proper logging and monitoring can be very costly. On one extreme, when an incident occurs (be it security-related or not), having few or no logs at all makes it impossible to figure out what’s actually happened. On the other extreme, logging too much data can lead to privacy issues which can then lead to issues with regulators. Read our guideline for best practices to avoid insufficient logging and monitoring.

View guidelines

Using Components with Known Vulnerabilities

{
 "dependencies": {
   "foo": "1.0.0 - 2.9999.9999",
   "bar": ">=1.0.2 <2.1.2"
 }
}

Most applications make use of large amounts of third-party components. These components provide everything from logging, templating, database access, and more. This makes developing software much easier and saves a lot of time. But they're also made by people, which means some will inevitably contain vulnerabilities. Read the guideline to find out more.

View guidelines

SQL Injection

import mysql.connector
db = mysql.connector.connect
#Bad Practice. Avoid this! This is just for learning.
(host="localhost", user="newuser", passwd="pass", db="sample")
cur = db.cursor()
name = raw_input('Enter Name: ')
cur.execute("SELECT * FROM sample_data WHERE Name = '%s';" % name) for row in cur.fetchall(): print(row)
db.close()

SQL injection (SQLi) injects code into SQL statements to attack and gather important information from an application. It is a web security vulnerability. It is the most common technique of hacking that manipulates the database and extracts crucial information from it.

View guidelines

Server-Side Request Forgery

ts
let url = request.params.url;

let response = http.get(url);
let render = response.render();

return render.export();

Server-Side Request Forgery vulnerabilities occur when a user is able to cause an application to make HTTP requests to an attacker-determined domain. If an application has access to private/internal networks, an attacker could also cause the application to make requests to internal servers. We’ll take a closer look at this with some examples to better understand what it looks like in action in this guideline.

View guidelines

Security Misconfiguration

Many frameworks also have a set of endpoints that can be enabled which allows for monitoring of the application, whether that's in a production or test/dev environment. These can include:

Metrics (Prometheus)
Logs
Environment information
Path/Url Mappings

Security Misconfiguration is somewhat of an umbrella term that covers common vulnerabilities that come into play because of an application’s configuration settings, rather than bad code. It’s a wide-ranging subject and it’s heavily dependent on factors like your technology stack. Often times addressing these issues is something that seems simple, like changing a configuration file or even a single line of code, but the impact and consequences of these vulnerabilities can be severe. Read our guideline to learn more about this vulnerability and how to mitigate it.

View guidelines

Password Storage

Feature Cryptographic hash Password hash Speed Very fast Intentionally slow Work factor can be adjusted No Yes

If your application authenticates users, chances are, it’s also going to deal with passwords. Handling user passwords is a really big deal and handling them appropriately is an even bigger one. It's hard to imagine a scenario worse than an application being attacked and user passwords being leaked across the internet for all to see. How can passwords be stored safely and according to best practices? Let’s take a look at a few ways.

View guidelines

Security misconfiguration - XXE detailed

xml
<?xml version="1.0" ?>
<!DOCTYPE outerElement [
   <!ENTITY externalEntity SYSTEM  "file:///etc/passwd" > ]>
<outerElement>&externalEntity;</outerElement>

The “XML eXternal Entities” (XXE) vulnerability class is a Security Misconfiguration involving XML parsers. The XML standard includes ways of referencing “entities”, such as files and URLs. It’s often the default for parsers to fully resolve external entities which means that XML documents can lead to the disclosure of files and other sensitive information to potential attackers. Read the full guideline for more information.

View guidelines

Mass Assignment

html
<form method="POST">
     <input name="Id" type="hidden" value="666">
     <input name="Name" type="text" value="Bad guy">
     <input name="EmailAddress" type="text" value="hacker@attacker.com">
     <input name="IsAdmin" type="hidden" value="true">
     <input type="submit">
</form>  

Mass Assignment is a vulnerability where API endpoints don’t restrict which properties of their associated object can be modified by a user. This vulnerability can occur when making use of a library/framework that allows for the automatic binding of HTTP parameters onto a model that then goes on to be used without any validation. The use of the automatic binding from a request onto an object can be extremely helpful at times, but it can also lead to security issues if the model has properties that aren’t meant to be accessible to the user. Read the guideline for more details.

View guidelines

Injection - Path Traversal

pseudo
let baseFolder = "/var/www/api/documents/"; 
let path = baseFolder + request.params.filename;

return file.read(path);

Path Traversal is another pretty common type of injection vulnerability. They tend to happen when the construction of a URI (be it for a URL, file path, or otherwise) doesn’t properly ensure that the fully resolved path isn’t pointing outside the root of the intended path. The impact of a path traversal vulnerability heavily depends on the context of where the traversal occurs, and the overall hardening that’s been done. Read the guideline to learn more.

View guidelines

Injection - XSS

```html
<!--- UNSAFE: The htmlSnippet will get interpreted without any escaping --->
@Html.Raw(htmlSnippet)
```

Cross-Site Scripting, also known as XSS, is another type of injection vulnerability that leads to the evaluation of an attacker-controlled script in another user's browser. XSS can also be considered an HTML/JavaScript injection vulnerability. Let’s look at the types of XSS you can encounter.

View guidelines

File Upload

public string UploadProfilePicture(FormFile uploadedFile)
{
    // Generate path to save the uploaded file at
    var path = $"./uploads/avatars/{request.User.Id}/{uploadedFile.FileName}";

    // Save the file
    var localFile = File.OpenWrite(path);
    localFile.Write(uploadedFile.ReadToEnd());
    localFile.Flush();
    localFile.Close();

    // Update the profile picture 
    UserProfile.UpdateUserProfilePicture(request.User, path)

    return path;
}

It’s very common that applications will, at some point or another, need to allow users to upload a file (either for use or just for storage) somewhere within the application. While it seems simple enough, how this function is implemented can be pretty critical due to the potential risks associated with how file uploads are handled. Read the guideline for more information.

View guidelines

Injection 101

Some of the most common injection types include:

SQL Injection
Cross-Site Scripting (HTML/Javascript injection)
Path Traversal (Path/Url injection)
Command Injection
Code Injection

One of the most well-known classes of vulnerabilities tends to be injection vulnerabilities, especially, and surprising no one, the undisputed poster-child: SQL Injection. It’s hard to avoid hearing about SQL injection in the tech world, so we’re just going to talk about it. Read on to get a short introduction to injection flaws.

View guidelines

Authentication and Authorization

cs

// Ensure the default behaviour is to authenticate requests, and check if they are admin
[Authenticate]
[Authorize("Admin")]
public class SecureController : Controller
{

}

public class MyController : SecureController
{

    // Overrides the Authorize attribute inherited to allow any user to access the page

View guidelines

Command Injection

let ip = request.params.ipAddress;

system("ping " + ip);

Let’s look at Command Injection by itself. We’re mostly going to focus on a few different examples so it’s easier to see what it looks like in action. So, as a quick refresher, Command Injection vulnerabilities occur when user input uses part of an operating system command. Read the guideline for more information.

View guidelines

Developer-driven coding.

Securely.

Contact us today and make software security an intrinsic part of your development process.

Book a demo
Connect
Facebook
X
LinkedIn
Company
About UsPartnersCareersTrust centerContact usEventsGuidelinesPress kitStore
Product
CoursesMissionsTournamentsAssessmentsTrainingSCW for GitHubSCW for JiraIntegrationsLearning resourcesRelease notesPlans
Solutions
GovernmentRetailFinance and bankingInsuranceTechnologyAutomotiveHealthcareEngineering teamsSecurity teamsC-Suite
Resources
Resource hubBlogVideosBrochureWhitepapersCase studiesReportsInfographicseBooksWebinarsGuides
Sydney
Boston
Portland
London
Bruges
Reykjavík
Copyright © 2015-2023 Secure Code Warrior Limited.
Privacy Policy| Cookie Policy | Accessibility | Legal | Site Map