• Initial data supplied by the user (and its validity)
• Reading of additional values from the database during the processing
• Storing of the final result into the database

• memcpy(), bcopy(), memccpy(), and memmove() Similar to the strn* family of functions (they copy/move source data to destination memory/variable, limited by a maximum value). Like the strn* family, you should evaluate each use to determine if the maximum value specified is larger than the destination variable/memory has allocated.
• sprintf(), snprintf(), vsprintf(), vsnprintf(), swprintf(), and vswprintf() Allow you to compose multiple variables into a final text string.You should determine that the sum of the variable sizes (as specified by the given format) does not exceed the maximum size of the destination variable. For snprintf() and vsnprintf(), the maximum value should not be larger than the destination variable’s size.
• gets() and fgets() Read in a string of data from various file descriptors. Both can possibly read in more data than the destination variable was allocated to hold.The fgets() function requires a maximum limit to be speci- fied; therefore, you must check that the fgets() limit is not larger than the destination variable size.
• getc(), fgetc(), getchar(), and read() Used in a loop have a potential chance of reading in too much data if the loop does not properly stop reading in data after the maximum destination variable size is reached.You will need to analyze the logic used in controlling the total loop count to determine how many times the code loops using these functions.

printf("%s",user_string_data); 

printf(user_string_data); 

void log_error (char *error){ 
    char message[1024]; 
    snprintf(message,1024,"Error: %s",error); 
    fprintf(LOG_FILE,message); 
} 

• C/C++ Calls to printf(), fprintf(), output streams, and so on.
• ASP Calls to Response.Write and Response.BinaryWrite that contain user variables, and direct variable output using <%=variable%> syntax.
• Perl Calls to print, printf, syswrite, and write that contain variables holding user-supplied data.
• PHP Calls to print, printf, and echo that contain variables that may hold user-supplied data.
• TCL Calls to puts that contain variables that may hold user-supplied data.

• Printing sensitive information (passwords, credit card numbers) in full display Many applications do not transmit full credit card numbers; rather, they show only the last four or five digits. Passwords should be obfuscated so a bypasser cannot spot the actual password on a user’s terminal.
• Displaying application configuration information, server configuration information, environment variables, and so on Doing so may aid an attacker in subverting your security measures. Providing concise details may help an attacker infer misconfigurations or lead him to specific vulnerabilities.
• Revealing too much information in error messages This is a particularly sinful area. Failed database connections typically spit out connection details that include database host address, authentication details, and target tables. Failed queries can expose table layout information, such as field names and data types (or even expose the entire SQL query). Failed file inclusion may disclose file paths (virtual or real), which allows an attacker to determine the layout of the application.
• Avoiding the use of public debugging mechanisms in production applications By "public" we mean any debugging information possibly provided to the user.Writing debugging information to a log on the application server is quite acceptable; however, none of that information should be shown to (or be accessible by) the user.

• C/C++ Compiling a definitive list of all file system functions in C/C++ is definitely a challenge, due to the amount of external libraries and functions available.Therefore, for starters, you should look at calls to the function: open(), fopen(), creat(), mknod(), catopen(), dbm_open(), opendir(), unlink(), link(), chmod(), stat(), lstat(), mkdir(), readlink(), rename(), rmdir(), symlink(), chdir(), chroot(), utime(), truncate(), and glob().
• ASP Calls to Server.CreateObject() that create Scripting.FileSystemObject objects. Access to the file system is controlled via the use of the Scripting.FileSystemObject; so if the application doesn’t use this object, you don’t have to worry about file system vulnerabilities.The MapPath function is typically used in conjunction with file system access, and thus serves as a good indicator that the ASP page does somehow interact with the file system on some level.
  • Uses of the ChooseContent method of an IISSample.ContentRotator object (look for Server.CreateObject() calls for IISSample.ContentRotator).
• Perl Calls to the functions chmod, chown, link, lstat, mkdir, readlink, rename, rmdir, stat, symlink, truncate, unlink, utime, chdir, chroot, dbmopen, open, sysopen, opendir, and glob.
• Look for uses of the IO::* and File::* modules; each of these modules provides (numerous) ways to interact with the file system and should be closely observed (you can quickly find uses of module functions by searching for the IO:: and File:: prefix).

• PHP Calls to the functions opendir(), chdir(), dir(), chgrp(), chmod(), chown(), copy(), file(), fopen(), get_meta_tags(), link(), mkdir(), readfile(), rename(), rmdir(), symlink(), unlink(), gzfile(), gzopen(), readgz- file(), fdf_add_template(), fdf_open(), and fdf_save().
• One interesting thing to keep in mind is that PHP’s fopen has what is referred to as a "fopen URL wrapper."This allows you to open a "file" contained on another site by using the command such as fopen("http://www.neohapsis. com/","r").This compounds the problem because an attacker can trick your application into opening a file contained on another server (and thus, probably controlled by him).
• Python Calls to the open function.
• If the os module is imported, you need to look for the functions os.chdir, os.chmod, os.chown, os.link, os.listdir, os.mkdir, os.mkfifo, os.remove, os.rename, os.rmdir, os.symlink, os.unlink, and os.utime.

• Java Check to see if the application imports any of the following packages: java.io.*, java.util.zip.*, or java.util.jar. If so, the application can possibly use one of the file streams contained in the package for interacting with a file. Luckily, however, all file usage depends on the File class contained in java.io.Therefore, you really only need to look for the creation of new File classes (File variable = new File ...)
• The File class itself has many methods that need to be checked: mkdir, renameTo.
• TCL Check all uses of the file* commands (which will appear as two words, file operation, where the operation will be a specific file operation, such as rename).
• Uses of the glob and open functions.
• JSP Use of the <%@include file=’filename’%> statement. However, the file inclusion specified happens at compile time, which means the filename cannot be altered by user data. However, keeping tabs on what files are being included in your application is wise.
• Use of the jsp:forward and jsp:include tags. Both load other files/pages for continued processing and accept dynamic filenames.
• SSI Uses of the <!—#include file=""—> (or <!—#include virtual=""— >) tags.
• ColdFusion Uses of the CFFile and CFInclude tags.

• C/C++ The exec* family of functions (exec(), execv(), execve(), and so on) control.
• Perl Review all calls to system, exec, `` (backticks), qx//, and <> (the globbing function).
• The open call supports what’s known as "magic" open, allowing external programs to be executed if the filename parameter begins or ends with a pipe ("|") character.You’ll need to check every open call to see if a pipe is used, or more importantly, if it’s possible that tainted data passed to the open call contain the pipe character.There are also various open command functions contained in the Shell, IPC::Open2, and IPC::Open3 modules.You will need to trace the use of these module’s functions if your program imports them.
• TCL Calls to the exec command.
• PHP Calls to fopen() and popen().
• Python Check to see if the os (or posix) module is loaded. If so, you should check each use of the os.exec* family of functions: os.exec, os.execve, os.execle, os.execlp, os.execvp, and os.execvpe. Also check for os.popen and os.system (or possibly posix.popen and posix.system).
• You should be wary of functionality available in the rexec module; if this module is imported, you should carefully review all uses of rexec.* commands.
• SSI Use of the <!—#exec command=""—> tag.
• Java Check to see if the java.lang package is imported. If so, check for uses of Runtime.exec().
• PHP Calls to the functions exec(), passthru(), and system().
• ColdFusion Use of the CFExecute and CFServlet tag.

• TCL Uses of the eval and expr commands.
• Perl Uses of the eval function and do, and any regex operation with the e modifier.
• Python Uses of the commands exec, compile, eval, execfile, and input.
• ASP Certain ASP interpreters may have Eval, Execute, and ExecuteGlobal available.

• Perl import, require, use, and do
• Python import and __import__
• ASP Server.CreateObject(), and the <OBJECT runat="server"> tag when found in global.asa
• JSP jsp:useBean
• Java URLClassLoader and JarURLConnection from the java.net package; ClassLoader, Runtime.load, Runtime.loadLibrary, System.load, and System.loadLibrary from the java.lang package
• TCL load, source, and package require
• ColdFusion CFObject

• Connection setup
• Tampering with queries

• C/C++ Unfortunately, no "standard" library exists for accessing various external databases.Therefore, you will have to do a little legwork on your own and determine what function(s) are used to establish a connection to the database and what function(s) are used to prepare/perform a query on the database. After that’s determined, you just search for all uses of those target functions.
• PHP Calls to the functions ifx_connect(), ifx_pconnect(), ifx_prepare(), ifx_query(), msql_connect(), msql_pconnect(), msql_db_query(), msql_query(), mysql_connect(), mysql_db_query(), mysql_pconnect(), mysql_query(), odbc_connect(), odbc_exec(), odbc_pconnect(), odbc_prepare(), ora_logon(), ora_open(), ora_parse(), ora_plogon(), OCILogon(), OCIParse(), OCIPLogon(), pg_connect(), pg_exec(), pg_pconnect(), sybase_connect(), sybase_pconnect(), and sybase_query().
• ASP Database connectivity is handled by the ADODB.* objects.This means that if your script doesn’t create an ADODB.Connection or ADODB.Recordset object via the Server.CreateObject function, you don’t have to worry about your script containing ADO vulnerabilities. If your script does create ADODB objects, you need to look at the Open methods of the created objects.
• Java Java uses the JDBC (Java DataBase Connectivity) interface stored in the java.sql module. If your application uses the java.sql module, you need to look at the uses of the createStatement() and execute() methods.
• Perl Perl can use the generic database-independent DBI module, or the database-specific DB::* modules.The functions exported by each module widely vary, so you should determine which (if any) of the modules are loaded and find the appropriate functions.
• Cold Fusion The CFInsert, CFQuery, and CFUpdate tags handle interactions with the database.

• Perl and C/C++ Uses of the connect command indicate the application is making outbound network connections."Connect" is a common name that may be found in other languages as well.
• Uses of the accept command means the application is potentially listening for inbound network connections. Accept is also a common name that may be found in other languages.
• PHP Uses of the functions imap_open, imap_popen, ldap_connect, ldap_add, mcal_open, fsockopen, pfsockopen, ftp_connect, and ftp_login, mail.
• Python Uses of the socket.*, urllib.*, and ftplib.* modules.
• ASP Use of the Collaborative Data Objects (CDO) CDONTS.* objects; in particular, watch for CDONTS.Attachment, CDONTS.NewMail AttachFile, and AttachURL. An attacker might be able to trick your application into attaching a file you don’t want to be sent out.This is similar to the file system-based vulnerabilities described earlier.
• Java The inclusion of the java.net.* package(s), and especially for the use of ServerSocket (which means your application is listening for inbound requests). Also, keep a watch for the inclusion of java.rmi.*. RMI is Java’s remote method invocation, which is functionally similar to CORBA’s.
• ColdFusion Look for the tags CFFTP, CFHTTP, CFLDAP, CFMail, and CFPOP.

• Tracing a program’s execution from start to finish is too time intensive.
• You can save time by instead going directly to problem areas.
• This approach allows you to skip benign application processing/ calculation logic.

• Uses of popular and mature programming language can help you audit the code.
• Certain programming languages may have features that aid you in efficiently reviewing the code.

• Review how user data is collected.
• Check for buffer overflows.
• Analyze program output.
• Review file system interaction.
• Audit external component use.

• Examine database queries and connections.
• Track use of network communications.

• Use tools such as UNIX grep, GNU less, the DOS find command, UltraEdit, or SourceEdit to look for the functions previously listed.