https://www.secdev.uk/blog/tags/owasp-a03/ Recent content in OWASP A03 on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 01 Feb 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-02-01-xss-is-not-just-a-javascript-problem/ Sat, 01 Feb 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-02-01-xss-is-not-just-a-javascript-problem/ <p>Cross-site scripting gets framed as a front-end problem a lot, something that happens in JavaScript and gets fixed with JavaScript. But the more I dug into this, the clearer it became that XSS vulnerabilities almost always originate on the server side, in whatever language is generating the HTML. I&rsquo;ve found XSS in Python templates, Java JSPs, Go&rsquo;s <code>html/template</code> misuse, Rust web frameworks, and server-rendered JavaScript. The language you write your backend in determines which XSS patterns you&rsquo;ll run into and which ones will sneak past your review.</p> https://www.secdev.uk/blog/technology/2025-01-18-command-injection-beyond-os-system/ Sat, 18 Jan 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-01-18-command-injection-beyond-os-system/ <p>When most developers hear &ldquo;command injection,&rdquo; they think of <code>os.system()</code> in Python or <code>Runtime.exec()</code> in Java. Those are the textbook examples, and most teams know to avoid them. But the more I researched this topic, the more I realised that command injection surfaces through dozens of less obvious APIs across every language, subprocess pipes, shell expansions, backtick operators, and even seemingly safe exec functions that become dangerous with the wrong arguments. This is one of my favourite vulnerability classes to dig into because the attack surface is so much wider than people realise. Let me walk you through command injection patterns across seven languages, from the obvious to the genuinely subtle.</p> https://www.secdev.uk/blog/technology/2025-01-04-sql-injection-across-languages/ Sat, 04 Jan 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-01-04-sql-injection-across-languages/ <p>SQL injection is one of those vulnerability classes that refuses to go away, no matter how much the industry talks about it. I&rsquo;ve been digging into how it manifests across different languages, Python, Java, Go, and JavaScript, and the root cause is always the same: untrusted input reaches a SQL query without proper parameterization. But the way developers introduce it varies wildly depending on the framework, ORM, and idioms of each language. In this post, I want to walk through real examples across these four languages, showing both the obvious patterns that any reviewer would catch and the subtle ones that slip through code review more often than you&rsquo;d expect.</p>