https://www.secdev.uk/blog/tags/cwe-89/ Recent content in CWE-89 on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 06 Dec 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-12-06-the-art-of-the-subtle-bug/ Sat, 06 Dec 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-12-06-the-art-of-the-subtle-bug/ <p>The vulnerabilities that cause real breaches are rarely the textbook examples. They&rsquo;re the ones that survive multiple rounds of code review, pass SAST scans, and sit in production for years. The more I researched these nuanced bugs, the more I realised what makes them dangerous: they exploit assumptions reviewers make about language behaviour, framework internals, or data flow boundaries. This post dissects the patterns that make a vulnerability subtle and walks through real examples that show why even experienced reviewers still miss them.</p> https://www.secdev.uk/blog/technology/2025-01-04-sql-injection-across-languages/ Sat, 04 Jan 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-01-04-sql-injection-across-languages/ <p>SQL injection is one of those vulnerability classes that refuses to go away, no matter how much the industry talks about it. I&rsquo;ve been digging into how it manifests across different languages, Python, Java, Go, and JavaScript, and the root cause is always the same: untrusted input reaches a SQL query without proper parameterization. But the way developers introduce it varies wildly depending on the framework, ORM, and idioms of each language. In this post, I want to walk through real examples across these four languages, showing both the obvious patterns that any reviewer would catch and the subtle ones that slip through code review more often than you&rsquo;d expect.</p>