Friday , 17 August 2018

Online developer tutorials are spreading XSS and SQL injection flaws

SECURITY BODS have revealed that insecure code is being introduced into open source and other software projects via code copied from popular online developer tutorials.

The researchers, from three universities in Germany and Trend Micro, checked the PHP code bases of more than 64,000 projects on GitHub and uncovered more than 100 vulnerabilities that they believe may have been introduced by developers copying code from online tutorials.

“The web is replete with tutorial-style content on how to accomplish programming tasks. Unfortunately, even top-ranked tutorials suffer from severe security vulnerabilities, such as cross-site scripting (XSS), and SQL injection (SQLi),” suggested the researchers in their paper.

“Assuming that these tutorials influence real-world software development, we hypothesize that code snippets from popular tutorials can be used to bootstrap vulnerability discovery at scale.”

After using Google to identify the most popular online tutorials for MySQL, PHP and JavaScript, the researchers cross-checked the content of these tutorials against standard guidelines.
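To make concrete what "bootstrapping vulnerability discovery" from tutorial code looks like, here is an added example, written for this page and not the researchers' own tooling: a small line-level taint scanner for PHP that flags the two defect classes the paper names, request data reaching a SQL query (SQLi) and request data reaching `echo` (XSS). The two PHP snippets it scans are constructed for the example, one in the style of a copy-and-paste tutorial and one hardened with a prepared statement and output encoding; the sink and sanitiser lists are assumptions chosen for illustration, not a complete catalogue.

```python
"""Lexical taint scanner for tutorial-style PHP (added example, not the paper's tool).

Tracks variables assigned from request superglobals and reports lines where
such data reaches a SQL query function (SQLi) or an output statement (XSS),
unless a class-specific sanitiser is applied on the same line.
"""
import re
from dataclasses import dataclass

# Request superglobals: anything read from them is attacker-controlled.
SOURCE_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
VAR_RE = re.compile(r"\$[A-Za-z_]\w*")
# `$var = expr;` or `$var .= expr;` on a single line.
ASSIGN_RE = re.compile(r"^\s*(\$[A-Za-z_]\w*)\s*(\.?=)(?!=)\s*(.+?);\s*$")

# Sinks per vulnerability class (assumed list, deliberately small).
SINKS = [
    (re.compile(r"\b(?:mysql_query|mysqli_query)\s*\(|->query\s*\("), "SQLi"),
    (re.compile(r"\b(?:echo|print)\b|<\?="), "XSS"),
]

# Sanitisers that neutralise one class only, when applied on the same line.
SANITISERS = {
    "SQLi": re.compile(r"\b(?:mysqli_real_escape_string|mysql_real_escape_string|intval)\s*\(|\(int\)"),
    "XSS": re.compile(r"\b(?:htmlspecialchars|htmlentities)\s*\("),
}


@dataclass
class Finding:
    line_no: int
    kind: str
    line: str


def _taint_of(expr, taint):
    """Return the set of vulnerability classes the data in `expr` is tainted for."""
    kinds = set()
    if SOURCE_RE.search(expr):
        kinds |= {"SQLi", "XSS"}
    for var in VAR_RE.findall(expr):
        kinds |= taint.get(var, set())
    return {k for k in kinds if not SANITISERS[k].search(expr)}


def scan_php(source):
    """Scan PHP source text line by line; return a list of Finding objects."""
    taint = {}  # variable name -> set of classes it is tainted for
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        line_taint = _taint_of(line, taint)
        for sink_re, kind in SINKS:
            if sink_re.search(line) and kind in line_taint:
                findings.append(Finding(no, kind, line.strip()))
        m = ASSIGN_RE.match(line)
        if m:
            var, op, expr = m.groups()
            kinds = _taint_of(expr, taint)
            if op == ".=":
                kinds |= taint.get(var, set())  # appending keeps earlier taint
            taint[var] = kinds
    return findings


def count_by_kind(findings):
    """Tally findings per class, the way the paper reports its 117 results."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample in the style of a copy-and-paste search tutorial.
VULNERABLE_TUTORIAL = """<?php
$db = mysqli_connect('localhost', 'app', 'secret', 'shop');
$name = $_GET['name'];
$sql = "SELECT * FROM users WHERE name = '$name'";
$result = mysqli_query($db, $sql);
echo "Results for " . $name;
"""

# Constructed hardened version: prepared statement plus output encoding.
HARDENED_TUTORIAL = """<?php
$db = mysqli_connect('localhost', 'app', 'secret', 'shop');
$name = $_GET['name'];
$stmt = $db->prepare("SELECT * FROM users WHERE name = ?");
$stmt->bind_param("s", $name);
$stmt->execute();
echo "Results for " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_TUTORIAL), ("hardened", HARDENED_TUTORIAL)):
        found = scan_php(src)
        print(f"{label}: {count_by_kind(found) or 'no findings'}")
        for f in found:
            print(f"  line {f.line_no} [{f.kind}] {f.line}")
```

Because the check is purely lexical and line-based, it misses statements split across lines, data flowing through function calls, and sanitisers applied elsewhere, so it will produce both false positives and false negatives; it is a triage grep for narrowing a large corpus to candidate snippets, which still need the manual verification the researchers describe.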


“Among the top five results (30 in total), we found nine tutorials that contain vulnerable code: six tutorials with SQLi, and three tutorials with XSS,” warned the researchers.

In total, the researchers say they verified 117 vulnerabilities.

“We manually verified a total of 117 vulnerabilities in our data set. Of these, 8 vulnerabilities were replicas of code from a popular SQL tutorial that we found on the first Google results page.

“Although all of the eight vulnerabilities were found among non popular code repositories, the finding shows that ad hoc code re-use is a reality. We are in the process of notifying the tutorial authors about our findings.

“Our hope is that the presented vulnerabilities are fixed in a timely manner, so that developers borrowing code from these tutorials in the future will not inherit the same vulnerabilities in their code.

“Eighty per cent of the discovered vulnerabilities were SQLi vulnerabilities, and the rest were XSS and path-traversal vulnerabilities.”
