https://www.secdev.uk/blog/tags/cwe-78/ Recent content in CWE-78 on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 06 Dec 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-12-06-the-art-of-the-subtle-bug/ Sat, 06 Dec 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-12-06-the-art-of-the-subtle-bug/ <p>The vulnerabilities that cause real breaches are rarely the textbook examples. They&rsquo;re the ones that survive multiple rounds of code review, pass SAST scans, and sit in production for years. The more I researched these nuanced bugs, the more I realised what makes them dangerous: they exploit assumptions reviewers make about language behaviour, framework internals, or data flow boundaries. This post dissects the patterns that make a vulnerability subtle and walks through real examples that show why even experienced reviewers still miss them.</p> https://www.secdev.uk/blog/technology/2025-01-18-command-injection-beyond-os-system/ Sat, 18 Jan 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-01-18-command-injection-beyond-os-system/ <p>When most developers hear &ldquo;command injection,&rdquo; they think of <code>os.system()</code> in Python or <code>Runtime.exec()</code> in Java. Those are the textbook examples, and most teams know to avoid them. But the more I researched this topic, the more I realised that command injection surfaces through dozens of less obvious APIs across every language, subprocess pipes, shell expansions, backtick operators, and even seemingly safe exec functions that become dangerous with the wrong arguments. This is one of my favourite vulnerability classes to dig into because the attack surface is so much wider than people realise. Let me walk you through command injection patterns across seven languages, from the obvious to the genuinely subtle.</p>