Leveraging Flawed Tutorials for Seeding Large-Scale Web Vulnerability Discovery

Good help is hard to find. The Internet is full of advice, but it can be difficult to know which advice is good and which is dangerous. This is as true of advice about programming as of anything else. A group of researchers from Germany wanted to find out how much impact bad advice could have on computer security. They looked for online tutorials containing code examples or advice that were vulnerable to attack and then tried to find where those pieces of bad code had been copied into software. They searched for the pieces on a sharing website for open source software and found that, among nearly 65,000 programs analysed, there were 117 vulnerabilities that look like they could have been taken from the tutorials. This work shows part of the problem developers face when looking for solutions, but it also points to a way vulnerabilities could be detected: by looking for code based on these bad tutorials.
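The detection idea the summary ends on, searching a large code base for code derived from a flawed tutorial, as an added Python example that is not from the paper or its authors. The PHP snippet, the three-file corpus and the token normalisation are constructed for illustration, and the matching shown is simple normalised n-gram overlap, not the paper's own clone detector.

```python
import re
# Constructed tutorial-style PHP snippet (not from the paper): POST fields concatenated into SQL.
TUTORIAL_SNIPPET = """
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM users WHERE username='" . $username . "' AND password='" . $password . "'";
$result = mysql_query($query);
"""
# Constructed corpus: a renamed copy, a partial reuse, and a prepared-statement version.
CORPUS = {
    "app/login.php": """
$user = $_POST['user'];
$pw   = $_POST['pw'];
$sql = "SELECT * FROM users WHERE username='" . $user . "' AND password='" . $pw . "'";
$res = mysql_query($sql);
""",
    "app/search.php": """
$q = $_GET['q'];
$sql = "SELECT * FROM items WHERE name LIKE '%" . $q . "%'";
$res = mysql_query($sql);
""",
    "app/safe_login.php": """
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
$stmt->execute([$_POST['user'], $_POST['pw']]);
""",
}
# Variables, single- or double-quoted strings, identifiers, then single punctuation characters.
TOKEN_RE = re.compile(r"\$\w+|'[^']*'|\"[^\"]*\"|\w+|[^\s\w]")

def abstract(tok):
    # Keep superglobals ($_POST, $_GET), which mark where untrusted input enters;
    # collapse ordinary variables and string literals, the names copy-pasters change.
    if tok.startswith("$_"):
        return tok
    return "VAR" if tok[0] == "$" else "STR" if tok[0] in "'\"" else tok

def normalize(php):
    return [abstract(t) for t in TOKEN_RE.findall(php)]

def shingles(tokens, n=8):
    # Set of n-token windows; the unit of comparison for clone detection.
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}

def clone_score(snippet, source, n=8):
    # Fraction of the snippet's windows that reappear in the source file.
    a, b = shingles(normalize(snippet), n), shingles(normalize(source), n)
    return len(a & b) / len(a) if a else 0.0

def find_clones(snippet, corpus, threshold=0.5):
    # Files at or above the threshold are candidates for manual review.
    return sorted(p for p, src in corpus.items() if clone_score(snippet, src) >= threshold)
```

The renamed copy scores 1.0, the prepared-statement file 0.0, and the partial reuse lands in between, which is the kind of ranked candidate list a reviewer would then triage by hand.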

Cite:

Unruh, T., Shastry, B., Skoruppa, M., Maggi, F., Rieck, K., Seifert, J. P., & Yamaguchi, F. (2017). Leveraging Flawed Tutorials for Seeding Large-Scale Web Vulnerability Discovery. arXiv preprint arXiv:1704.02786.


Source:

https://arxiv.org/pdf/1704.02786.pdf