Flawed Online Tutorials Led To Vulnerabilities In Software (helpnetsecurity.com)
An anonymous reader quotes Help Net Security:
Researchers from several German universities have checked the PHP codebases of over 64,000 projects on GitHub, and found 117 vulnerabilities that they believe have been introduced through the use of code from popular but insufficiently reviewed tutorials. The researchers identified popular tutorials by inputting search terms such as "mysql tutorial", "php search form", "javascript echo user input", etc. into Google Search. The first five results for each query were then manually reviewed and evaluated for SQLi and XSS vulnerabilities by following the Open Web Application Security Project's Guidelines. This resulted in the discovery of 9 tutorials containing vulnerable code (6 with SQLi, 3 with XSS).
The researchers then checked for the code in GitHub repositories, and concluded that "there is a substantial, if not causal, link between insecure tutorials and web application vulnerabilities." Their paper is titled "Leveraging Flawed Tutorials for Seeding Large-Scale Web Vulnerability Discovery."
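To make the two vulnerability classes the study looked for concrete, here is an added example (not code from the paper or the article) of a tutorial-style PHP search form carrying both SQL injection and reflected XSS, beside a hardened version of the same form; the `$pdo` handle, the `products` table and its `name` column are assumptions.

```php
<?php
// Added example, not code from the paper or the article: a tutorial-style
// PHP search form in its insecure form and in a hardened form.
// The $pdo handle and the products/name table are assumptions.

// --- Insecure pattern as often copied from tutorials ---
function searchProductsInsecure(PDO $pdo, string $term): array {
    // SQL injection: the user's term is concatenated straight into the query.
    $sql = "SELECT name FROM products WHERE name LIKE '%" . $term . "%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}
function renderResultsInsecure(string $term, array $names): string {
    // Reflected XSS: the term and the rows are echoed back unescaped.
    $html = "<p>Results for: " . $term . "</p><ul>";
    foreach ($names as $n) { $html .= "<li>" . $n . "</li>"; }
    return $html . "</ul>";
}

// --- Hardened version ---
function searchProducts(PDO $pdo, string $term): array {
    // Prepared statement: the term is bound as data, never parsed as SQL.
    // LIKE wildcards inside the term are escaped so they match literally.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $pdo->prepare("SELECT name FROM products WHERE name LIKE :p ESCAPE '\\'");
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}
function escapeHtml(string $s): string {
    // Output encoding for the HTML body context (quotes included).
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function renderResults(string $term, array $names): string {
    $html = "<p>Results for: " . escapeHtml($term) . "</p><ul>";
    foreach ($names as $n) { $html .= "<li>" . escapeHtml($n) . "</li>"; }
    return $html . "</ul>";
}

// Constructed demo with an in-memory SQLite database (no web server needed).
$pdo = new PDO('sqlite::memory:');
$pdo->exec("CREATE TABLE products (name TEXT)");
$pdo->exec("INSERT INTO products VALUES ('lamp'), ('lamp shade'), ('desk')");
$term = $_GET['q'] ?? "lamp' <b>";   // quote and tag survive only as plain text
echo renderResults($term, searchProducts($pdo, $term)), PHP_EOL;
```

With the constructed term the hardened form neither breaks the SQL statement nor emits a live tag, whereas the insecure form would fail on the unbalanced quote and echo the markup as-is.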
So, I know how everyone feels. If something goes bad code-wise, it goes bad for all of us, whether we update or not, thanks to a thousand apps running the same single API. Open source used to destroy open source only to kill the desktop because they can't invent a new architecture fast enough to sell new computers. And the new ones now aren't that much different, if not less powerful than the ones five years ago. So Google and Window$ come up with as many apps that need the Internet to work as they can to lock you into their bs. And now Mark Shuttleworth wants to focus on cloud computing for Ubuntu as well. They're killing the desktop and money is the only reason. More problems from bad code means more money to fix or replace computers. I like how they say things like "open source" to describe their server-based software. Ok, but what good does that do for the average person? Do we all buy our own servers? Companies using open source to destroy privacy and control on desktops, and AI to destroy encryption. That's the future.