Before you progress further, a word of warning from the author:
A roiling fog of air most foul
whorls, reeking and despoiled
o’er cackles, screams and fearful groans
where hard-pressed Devops toil
In boardrooms, booths, and server farms
stout hearts and minds are fraught
for scraping, slithering, clanking
now the Hallowe’en ghouls cavort
Too late doth upper management bewail
a-shuddering in fear
“oh, why did we not scan the site,
‘fore terrors of the night drew near!”
For – lo! – advancing through the gloom,
enwreathed in fetid mist,
crawl spirits, spiders, fiends, and ghouls –
the AppCheck Halloween Dread List!
Grim legion of unhallowed bugs –
of defects, gremlins, flaws
all spooky threats to smooth runnings
and “home by half past four”s
First stomps the awful IDOR beast
a terror beyond foul
and from its gaping, toothless maw
lets forth a fearsome growl:
“You gave me access to file A
but file B did I take:
your access perms are screwed, me boy
(check line 67 for the mistake)”
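The IDOR beast in plain code. This is an added example, not code from the AppCheck page: a hypothetical file-download handler that checks the caller is logged in but never asks whether the caller owns the file they named, beside the fixed handler, plus the neighbouring-id walk a tester uses to spot the gap. Users, file ids and contents are all constructed.

```python
# Added example (not from the AppCheck page): the IDOR the poem describes.
# The handler is asked for file A, which the caller may read, but nothing stops
# the caller asking for file B instead. All names and data here are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class StoredFile:
    file_id: int
    owner: str
    contents: str


# Constructed store: two users, one file each. Ids are sequential integers,
# which is what makes "try the next id" such a cheap attack.
FILES: Dict[int, StoredFile] = {
    1: StoredFile(1, "alice", "alice's tax return"),
    2: StoredFile(2, "bob", "bob's medical record"),
}


class Forbidden(Exception):
    """Raised by the fixed handler for any id the caller may not read."""


def download_vulnerable(current_user: str, file_id: int) -> str:
    """Authenticated but not authorised: the caller's identity is never
    compared with the file's owner, so any logged-in user can read any id."""
    return FILES[file_id].contents


def download_fixed(current_user: str, file_id: int) -> str:
    """Same lookup, but the object is checked against the caller before it is
    returned. A missing id and someone else's id get the same error, so the
    endpoint does not become an oracle for which ids exist."""
    stored = FILES.get(file_id)
    if stored is None or stored.owner != current_user:
        raise Forbidden(f"user {current_user!r} may not read file {file_id}")
    return stored.contents


def leaked_ids(download: Callable[[str, int], str],
               current_user: str, candidate_ids: Iterable[int]) -> List[int]:
    """The check a tester runs: walk neighbouring ids as one user and report
    every id that came back even though it belongs to someone else."""
    leaked = []
    for fid in candidate_ids:
        try:
            download(current_user, fid)
        except (Forbidden, KeyError):
            continue
        if FILES[fid].owner != current_user:
            leaked.append(fid)
    return leaked


if __name__ == "__main__":
    print("vulnerable handler leaks:", leaked_ids(download_vulnerable, "alice", range(1, 4)))
    print("fixed handler leaks:     ", leaked_ids(download_fixed, "alice", range(1, 4)))
```

The fix is an ownership check at the point of use, not a hidden id: swapping sequential ids for UUIDs only makes the walk slower, it does not make file B any less readable once its id is known.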
Next, wreathed in murk of cauldron fumes
doth a curs-ed scourge appear
oh! fiend most foul and terrible
brave hearts are seized by fear
“Reflected”, “Stored” – yes, it’s XSS
that through JavaScript doth prey;
Our fair trust model undermined,
the SOP in disarray
Yet e’en cruel XSS cowers low
it cringes, grovels, bows
as monstrous SQLi slinks near –
to screams blood-curdling now
The wraith, vampiric SQLi
seeks yet to quench its thirst;
it longs and lusts to steal data –
unless you stake it first
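Staking the SQLi wraith. This is an added example, not code from the AppCheck page: a hypothetical product search that pastes user input into its SQL, shown stealing a users table through a UNION, beside the parameterised version that takes the same payload and returns nothing. It uses Python's standard-library sqlite3; the schema, rows, placeholder hashes and payload are constructed for the demonstration.

```python
# Added example (not from the AppCheck page): a product search that builds its
# SQL by string concatenation, beside the parameterised form that "stakes" the
# injection. Standard-library sqlite3; schema and rows are constructed.
import sqlite3
from typing import List

# Constructed payload: closes the LIKE pattern, UNIONs in the users table, and
# comments out the rest of the original statement.
STOLEN_CREDS_PAYLOAD = "x%' UNION SELECT username || ':' || password_hash FROM users --"


def make_db() -> sqlite3.Connection:
    """In-memory database with a harmless products table and the table the
    attacker actually wants. Hashes are placeholder strings."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (name TEXT);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO products VALUES ('Cat Tree'), ('Scratching Post');
        INSERT INTO users VALUES ('admin', 'hash-admin'), ('alice', 'hash-alice');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, query: str) -> List[str]:
    """User input is pasted straight into the SQL text, so a quote in the
    input ends the string literal and whatever follows runs as SQL."""
    sql = f"SELECT name FROM products WHERE name LIKE '%{query}%'"
    return sorted(row[0] for row in conn.execute(sql))


def search_fixed(conn: sqlite3.Connection, query: str) -> List[str]:
    """The SQL text is fixed and the input travels as a bound parameter: the
    driver never lets it change the statement's structure, so the payload is
    just an unlucky product name that matches nothing."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, ("%" + query + "%",)))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, STOLEN_CREDS_PAYLOAD))
    print("fixed:     ", search_fixed(db, STOLEN_CREDS_PAYLOAD))
```

Both versions return the same thing for an honest search such as "Cat"; they differ only when the input carries SQL. That is the test to keep in a regression suite: the known payload against the fixed function must come back empty.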
Command Injection – loathsome beast! –
enslaves, corrupts, subverts – and how –
perverted spawn of Frankenstein
(That host of yours? His now.)
Your virtuous image webserver
late home to ‘We Love Cats’
turns now against its maker;
a botnet-slave begat
The lurking horror CSRF
a sly and wily trickster
she’s write-only, a one-trick show
but you’d be best to fear ‘er
A pinch of social engineering,
two shakes of excess trust
and shifty CSRF slides in;
Your bank balance? Now dust
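Why CSRF is "write-only" and still empties the account. This is an added example, not code from the AppCheck page: a hypothetical bank-transfer endpoint that trusts the session cookie alone, beside one that also checks the request's Origin and a per-session token the attacker's page cannot read. The site name "bank.example", the request shape and the balances are constructed.

```python
# Added example (not from the AppCheck page): a transfer endpoint that trusts
# the session cookie alone, beside one that also demands a per-session token
# and a same-site Origin. Site name, request shape and balances are constructed.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict
from urllib.parse import urlparse

SITE_HOST = "bank.example"  # hypothetical


@dataclass
class Session:
    """What the cookie resolves to server-side. The token is random per session
    and is emitted into the site's own forms; a third-party page cannot read it
    (the same-origin policy working for us this time)."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    headers: Dict[str, str]
    form: Dict[str, str]


class Rejected(Exception):
    pass


def _move_money(balances: Dict[str, int], src: str, dst: str, amount: int) -> None:
    if amount <= 0 or balances.get(src, 0) < amount:
        raise Rejected("insufficient funds")
    balances[src] -= amount
    balances[dst] = balances.get(dst, 0) + amount


def transfer_vulnerable(session: Session, req: Request, balances: Dict[str, int]) -> None:
    """The browser attached the victim's cookie, so the server believes the
    victim meant it. Nothing here proves the request came from our own page."""
    _move_money(balances, session.user, req.form["to"], int(req.form["amount"]))


def transfer_fixed(session: Session, req: Request, balances: Dict[str, int]) -> None:
    if req.method != "POST":
        raise Rejected("state change must be a POST")
    # Browsers send Origin on cross-site POSTs; compare the host exactly so
    # that bank.example.evil does not pass a prefix check.
    origin = req.headers.get("Origin") or req.headers.get("Referer") or ""
    parsed = urlparse(origin)
    if parsed.scheme != "https" or parsed.netloc != SITE_HOST:
        raise Rejected("cross-site request")
    # The token proves the form was rendered by us for this session.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), session.csrf_token):
        raise Rejected("missing or wrong csrf token")
    _move_money(balances, session.user, req.form["to"], int(req.form["amount"]))


def forged_request() -> Request:
    """Constructed: the auto-submitting form on the attacker's page. The
    attacker never sees the response, which is why CSRF is 'write-only'."""
    return Request("POST", {"Origin": "https://evil.example"},
                   {"to": "mallory", "amount": "1000"})


def genuine_request(session: Session) -> Request:
    """Constructed: the same transfer submitted from the bank's own form."""
    return Request("POST", {"Origin": "https://" + SITE_HOST},
                   {"to": "bob", "amount": "50", "csrf_token": session.csrf_token})


def run_scenario(handler: Callable[[Session, Request, Dict[str, int]], None]) -> Dict[str, int]:
    """Replay the forged request against a handler and return the balances."""
    session = Session("alice")
    balances = {"alice": 1000, "bob": 0, "mallory": 0}
    try:
        handler(session, forged_request(), balances)
    except Rejected:
        pass
    return balances
```

The attacker gets no data back, but the transfer itself was the goal, so "write-only" is no comfort. Setting the session cookie with SameSite=Lax or Strict stops the browser attaching it to the forged POST in the first place and is worth doing as well; the token and Origin checks above are what catch the cases SameSite does not cover.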
This spooky corps of terrors lurk
online, shrouded in shade:
harbingers of toil and pain,
our Top Ten list they made
So ne’er mind the skeletons –
the werewolves, goblins, fae –
it’s webapp vulns that you should fear
so get scanning today!
Let AppCheck check under the bed and in the closet (by which of course we mean your website, applications, network and infrastructure). While vulnerabilities are scary, unlike ghosts they are very real.
Rather than hiding under the duvet and hoping they go away, why not get a free vulnerability check of your website, applications, network and infrastructure?
No software to download or install.
Contact us or call us on 0113 887 8380
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network and cloud infrastructure. AppCheck is authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).