Tales of Terror [Readers Beware]

Before you progress further, a word of warning from the author:


  • The following article contains scares beyond any you can comprehend; and
  • It’s best read in your very best hammy Brian Blessed voice. Preferably with excessive use of an accompanying smoke machine.


A roiling fog of air most foul

whorls, reeking and despoiled

o’er cackles, screams and fearful groans

where hard-pressed Devops toil



In boardrooms, booths, and server farms

stout hearts and minds are fraught

for scraping, slithering, clanking

now the Hallowe’en ghouls cavort



Too late doth upper management bewail

a-shuddering in fear

“oh, why we didn’t scan the site,

‘fore terrors of the night drew near!”



For – lo! – advancing through the gloom,

enwreathed in fetid mist,

crawl spirits, spiders, fiends, and ghouls –

the AppCheck Halloween Dread List!



Grim legion of unhallowed bugs –

of defects, gremlins, flaws

all spooky threats to smooth runnings

and “home by half past four”s



First stomps the awful IDOR beast

a terror beyond foul

and from its gaping, toothless maw

lets forth a fearsome growl:



“You gave me access to file A

but file B did I take:

your access perms are screwed, me boy

(check line 67 for the mistake)”



Next, wreathed in murk of cauldron fumes

doth a curs-ed scourge appear

oh! fiend most foul and terrible

brave hearts are seized by fear



“Reflected”, “Stored” – yes, it’s XSS

whom on JavaScript doth prey;

Our fair trust model undermined,

the SOP in disarray



Yet e’en cruel XSS cowers low

it cringes, grovels, bows

as monstrous SQLi slinks near –

to screams blood-curdling now



The wraith, vampiric SQLi

seeks yet to quench its thirst;

it longs and lusts to steal data –

unless you stake it first



Command Injection – loathsome beast! –

enslaves, corrupts, subverts – and how –

perverted spawn of Frankenstein

(That host of yours? His now.)



Your virtuous image webserver

late home to ‘We Love Cats’

turns now against its maker;

a botnet-slave begat



The lurking horror CSRF

a sly and wily trickster

she’s write-only, a one-trick show

but you’d be best to fear ‘er



A pinch of social engineering,

two shakes of excess trust

and shifty CSRF slides in;

Your bank balance? Now dust



This spooky corps of terrors lurk

online, shrouded in shade:

harbingers of toil and pain,

our Top Ten list they made



So ne’er mind the skeletons –

the werewolves, goblins, fae –

its webapp vulns that you should fear

so get scanning today!




AppCheck ain’t afraid of no vulnerability


Let AppCheck check under the bed and in the closet (by which of course we mean your website, applications, network and Infrastructure). While vulnerabilities are scary, unlike ghosts they are very real.

Rather than hide under the duvet and hoping they go away, why not get a free vulnerability check of your website, applications, network and infrastructure?

Get started with Appcheck

No software to download or install.

Contact us or call us 0113 887 8380

Start your free trial

Your details
IP Addresses

Get in touch

Please enable JavaScript in your browser to complete this form.