Chapter 80 Β· Examples

Application Security β€” Applied Examples

Real-world scenarios illustrating SQL injection from missing input validation, session hijacking via insecure cookies, SAST finding and missing vulnerabilities, code signing catching tampered software, and sandboxing containing a browser compromise.

Example 1 SQL Injection Through a Login Form With No Input Validation

A small e-commerce site has a login form with username and password fields. The developer wrote the authentication query as a string concatenation: SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'". There is no input validation β€” the application takes whatever the user types and places it directly into the SQL query.

An attacker enters ' OR '1'='1 in the username field and anything in the password field. The resulting query becomes: SELECT * FROM users WHERE username = '' OR '1'='1' AND password = 'anything'. Because '1'='1' is always true, the condition is satisfied for every row in the database. The query returns all user records, and the application authenticates the attacker as the first user β€” typically the administrator account.

The fix requires two things: input validation (reject usernames containing single quotes and SQL keywords) and parameterized queries (separate query structure from data entirely, so user input can never be interpreted as SQL). Input validation alone reduces attack surface; parameterized queries eliminate the injection vulnerability at its root.

Lesson: SQL injection is the direct consequence of treating user input as trusted data. Input validation β€” specifically rejecting characters with special meaning in SQL β€” reduces risk. Parameterized queries eliminate it. Both should be implemented. SAST tools can detect string concatenation in queries and flag it during development, before the application is ever deployed.
Example 2 Session Hijacking via an Insecure Cookie on a Hotel Wi-Fi Network

A traveler logs into a project management application from the hotel Wi-Fi. The application serves its login page over HTTPS, but after authentication it sets the session cookie without the Secure attribute and also serves some pages over plain HTTP. The session cookie is: Set-Cookie: session=a8f5f167f44f4964e6c998dee827110c β€” no Secure flag, no HttpOnly flag.

An attacker on the same hotel Wi-Fi is running a passive network capture. When the traveler navigates to an HTTP page within the application, the browser sends the session cookie in the request headers β€” unencrypted, in plaintext. The attacker captures the session token.

The attacker pastes the captured session cookie into their own browser using developer tools. The application accepts it β€” the session token is valid. The attacker is now authenticated as the traveler without ever knowing the password. They can read project data, send messages as the traveler, and access anything the traveler's account can reach.

The fix: set the Secure attribute on all session cookies so the browser never transmits them over HTTP. Also set HttpOnly to prevent JavaScript from reading the token. Serve the entire application over HTTPS β€” not just the login page.

Lesson: The Secure cookie attribute is not optional β€” it is a required control for any application with authenticated sessions. A session token transmitted over HTTP is equivalent to a password transmitted in plaintext. The Secure flag prevents this with a single attribute. The HttpOnly flag adds depth: even if the attacker gains JavaScript execution on the page, they cannot steal the session token.
Example 3 SAST Catches a Buffer Overflow but Misses a Cryptographic Flaw

A development team runs their C application through a SAST tool before release. The tool produces a report with 23 findings. Finding #1 flags line 847: a call to gets(buffer) to read user input. The SAST tool notes that gets() does not check buffer length and recommends replacing it with fgets(buffer, sizeof(buffer), stdin). The developer fixes this β€” a genuine buffer overflow vulnerability is eliminated.

Further down the report, findings #14–17 are false positives: the tool flagged a custom string handling function as potentially unsafe, but review confirms the function correctly validates length before any write operation. The developer marks these as false positives and moves on.

What the SAST tool does not flag: the application's password storage module uses MD5 to hash passwords without salting. MD5 is in the code, and SAST could flag it as a deprecated algorithm β€” but the tool in this case only flags known-unsafe function calls, not algorithm choices. Even if it did flag MD5, a more subtle issue is present: the implementation stores the MD5 hash but never adds a salt, making it vulnerable to rainbow table attacks. The "correct" implementation of an insecure algorithm, from a code pattern perspective, looks like valid code.

Lesson: SAST excels at finding code-pattern vulnerabilities (unsafe function calls, injection patterns, obvious hardcoded values). It fails at evaluating whether a cryptographic implementation is correct, whether authentication logic is sound, or whether business logic can be manipulated. A SAST result requires human review β€” both to eliminate false positives and to recognize what the tool cannot see. SAST is one tool in the security testing toolkit, not a complete solution.
Example 4 Code Signing Detects a Tampered Installer During a Supply Chain Attack

A software vendor distributes a popular network monitoring tool. An attacker compromises a third-party download mirror that hosts the installer. The attacker replaces the legitimate installer with a modified version that includes a remote access trojan embedded in the setup package alongside the legitimate software.

An IT administrator downloads the installer from the compromised mirror. When they double-click the file, Windows Authenticode runs before the installer executes. It extracts the code-signing signature from the file, decrypts it using the vendor's public key (from the CA-issued certificate), and computes a fresh hash of the installer binary. The hashes do not match β€” the file was modified after signing.

Windows displays a security warning: "Windows cannot verify the publisher of this driver software" / "The digital signature of this file cannot be verified." The administrator sees the warning, recognizes that the installer failed signature verification, does not proceed, and reports the incident. The download mirror is investigated and the compromised file is removed.

Without code signing, the tampered installer would have appeared identical to the legitimate one β€” same file name, same approximate size, similar behavior during installation. Code signing is the mechanism that makes this attack detectable without running the software.

Lesson: Code signing protects against supply chain tampering and impersonation attacks. It answers two questions before installation: is this from the claimed developer (authenticity), and has it been modified since release (integrity)? It does this without requiring the user to inspect the binary β€” the OS validates automatically. Always download from official sources and always verify that the signature validation succeeded.
Example 5 Mobile OS Sandboxing Contains a Compromised Browser

A user on a smartphone visits a malicious website that exploits a zero-day vulnerability in the mobile browser's JavaScript engine. The attacker achieves code execution within the browser process. From the attacker's perspective, they now control the browser app running on the device.

The attacker attempts to read the user's stored passwords from the password manager app. The mobile OS sandbox blocks this: the browser app has no permission to access another app's data storage. The attacker attempts to read emails from the mail client. Also blocked β€” separate sandbox. The attacker attempts to silently enable the microphone. The permission system requires explicit user grant; the browser was not granted microphone access.

What the attacker can access: the browser's own data β€” browsing history, cached pages, stored browser cookies, browser-saved autofill data. The damage is real, but it is bounded by the browser's sandbox. Without sandboxing, code execution in the browser would grant access to the entire device filesystem, all other app data, and all hardware.

The user and security team are alerted by the device's security monitoring. The browser process is terminated. Because the compromise was sandboxed, there is no persistence mechanism outside the browser β€” reinstalling the browser app eliminates the attacker's foothold.

Lesson: Sandboxing does not prevent exploitation β€” it contains it. The browser was still compromised. But the sandbox prevented that compromise from becoming a full device takeover. This is defense-in-depth at the OS level: the mobile platform assumes apps will sometimes be compromised and designs the permission model to limit the consequence. "Limit blast radius" is the principle behind every sandboxing implementation.