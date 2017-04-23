Flawed Online Tutorials Led To Vulnerabilities In Software (helpnetsecurity.com) 17
An anonymous reader quotes Help Net Security: Researchers from several German universities have checked the PHP codebases of over 64,000 projects on GitHub, and found 117 vulnerabilities that they believe have been introduced through the use of code from popular but insufficiently reviewed tutorials. The researchers identified popular tutorials by inputting search terms such as "mysql tutorial", "php search form", "javascript echo user input", etc. into Google Search. The first five results for each query were then manually reviewed and evaluated for SQLi and XSS vulnerabilities by following the Open Web Application Security Project's Guidelines. This resulted in the discovery of 9 tutorials containing vulnerable code (6 with SQLi, 3 with XSS).
The researchers then checked for the code in GitHub repositories, and concluded that "there is a substantial, if not causal, link between insecure tutorials and web application vulnerabilities." Their paper is titled "Leveraging Flawed Tutorials for Seeding Large-Scale Web Vulnerability Discovery."
Researchers from several German universities have checked the PHP codebases of over 64,000 projects
The researchers identified popular tutorials by inputting search terms such as "mysql tutorial"
Ah, I see where they went wrong. They should have searched for "real mysql tutorial."
How do you figure that Rust will somehow be better? Bad code can be written in any language, including Rust!
^^^^ This.
Pick your favorite super-safe language (if it even exists yet) and I'll personally show you how to write bad code. Really, really bad, unsafe code.
I'm not saying that I've made every mistake in the book but I've probably added a few.
That's deprecated, now we use really really for sure this time mysql. It's webscale.
People learn not by memorizing but by looking at examples.
Most of the people working in Web-related jobs are not security experts; their job is to get things done as quickly and cheaply as possible. You might think in terms of huge corporations where IT is divided into groups, each working on specific parts of the whole. At the smaller scale though, the same person responsible for the front-end with HTML, CSS and JavaScript has to work on the back-end with PHP and MySQL. The second their code does what it's su
I would love to hear the explanation of how a general purpose language would protect you against attacks like that, clearly called out in the article.
You're doing the snowflake thing, blaming everyone else for the coders' incompetence and unsuitability for the job. Some dweeb wrote a tutorial and because it's not ready to be cut and pasted into production code, that's the tutorial writer's fault.
NB: Not everyone can code.
If a bridge collapses, do you blame the production workers who followed the plans exactly as they were or do you blame the engineer who was too lazy to make the proper calculations and didn't get the tests done for the bedrock foundation, etc?
You're doing the popular "snowflake attack" thing here, when in fact you're the snowflake thinking that everyone is as good as you are. The thing is, as I said, it's not everyone's job to be a security expert. We should expect security to be part of the tools instead o
People learn not by memorizing but by looking at examples.
This is very true, especially in programming. The result is that bad code gets propagated with the best of intentions.
I do fault many of the tutorial writers for not mentioning stuff like cleaning up form data and the like. They should learn what they're doing before they try to teach it.
I believe it.
I've come across countless tutorials that cover things like capturing and using form field input, but almost NEVER see a single word in them about sanitizing data, or guarding against bad, malformed, or malicious data.
It's just, "Here's how ya get the data, now go jam it in the database or print it right to the screen!" Fuck me.
And in all fairness, as a PHP user, I've seen a *lot* of PHP tutorials that were bad, stupidly dangerous, or just plain wrong. One of the most egregious was a "tutorial" that showed sending the entire SQL statement to the server as a GET parameter. That's right, some guy actually coded his shot so that it sent a live SQL statement in the URL, and then blithely processed the attached variables without so much as a how-de-do.
Later I saw code that did this exact thing used in various scripts (guestbooks, registration forms, comment forms), probably based on this epically flawed "tutorial".
I've seen similarly bad tutorials about templating. The way they teach how to cut your basic HTML and CSS apart in chunks is complete nonsense. They're showing people to always copy a whole empty framework and call cut-out parts all over the place. And then inside those cut-out parts, call out other parts. I've seen this done five levels deep.
It still works, but trying to work your way around it all is extremely tedious. And if you need to make a change to the basic original framework, you're out of luck becaus
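The two bug classes the summary counts in the flawed tutorials (SQLi and XSS) and the "get the data, now jam it in the database or print it to the screen" habit described in the comment above, shown as a tutorial-style PHP search form next to its hardened form. This is an added example, not code from the paper, the Help Net Security article or any tutorial they examined; the users table, its rows and the simulated request inputs are constructed for the demo, and an in-memory SQLite database through PDO stands in for the MySQL server a tutorial would use, so it runs offline.

```php
<?php
// Added example: a tutorial-style PHP "search form" next to a hardened version.
// Not from the paper or any tutorial it discusses. The users table, its rows and
// the simulated request inputs are constructed for this demo; SQLite in memory
// stands in for the MySQL server a tutorial would use.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL)');
$db->exec("INSERT INTO users (name, is_admin) VALUES ('alice', 0), ('bob', 0), ('root', 1)");

// What a tutorial reads from $_GET['name'], simulated here (constructed inputs).
$inputs = [
    'alice',                       // the only case most tutorials ever try
    "' OR '1'='1",                 // SQLi: turns the WHERE clause into a tautology
    '<script>alert(1)</script>',   // XSS: runs if echoed into the page unescaped
];

// --- Tutorial pattern: query built by string concatenation, input echoed raw ---
function searchVulnerable(PDO $db, string $name): array
{
    // The user's bytes become part of the SQL grammar, not a value.
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

function renderVulnerable(string $name, array $rows): string
{
    // Equivalent of: echo "Results for " . $_GET['name'] . ...
    return 'Results for ' . $name . ': ' . implode(', ', $rows);
}

// --- Hardened pattern: bound parameter, context-aware output escaping ---------
function searchSafe(PDO $db, string $name): array
{
    // The query text is fixed; $name travels as data, so no byte of it can
    // change the statement's structure.
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function h(string $s): string
{
    // Escape for an HTML text/attribute context. Other sinks (JavaScript, URLs,
    // SQL) need their own encoder; one "sanitize" function does not fit all.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderSafe(string $name, array $rows): string
{
    return 'Results for ' . h($name) . ': ' . implode(', ', array_map('h', $rows));
}

foreach ($inputs as $name) {
    try {
        $vuln = renderVulnerable($name, searchVulnerable($db, $name));
    } catch (PDOException $e) {
        $vuln = 'SQL error: ' . $e->getMessage();
    }
    echo "input:    {$name}\n";
    echo "tutorial: {$vuln}\n";
    echo "hardened: " . renderSafe($name, searchSafe($db, $name)) . "\n\n";
}
```

Run it with the `php` CLI. The tautology input makes the tutorial version list every user, `root` included, because the query it sends is `... WHERE name = '' OR '1'='1'`; the hardened version returns no rows, since it looked for a user literally named `' OR '1'='1`. The script tag comes back entity-encoded from `renderSafe` and verbatim from `renderVulnerable`. Note that escaping at output time is a separate measure from validating input: the bound parameter protects the query, `htmlspecialchars` protects the HTML context, and neither replaces the other. Against MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to false so parameters are bound by the server rather than quoted on the client.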
The underlying problem is that too many programmers are willing to copy and paste code rather than think through what they need to code.
Remember the left-pad crisis that broke the Internet because a developer removed his npm packages over a dispute? How hard is it to write a left-pad function [haneycodes.net]?
