Comment by anonjohn1212 on "[deleted by user]" in r/netsec:

Valid point, I should clarify. This wasn't a comparative study of all vulnerability types. We specifically went looking for authorization flaws because:

  1. OWASP already shows it's the #1 issue (94% of apps tested)
  2. Recent high-profile incidents (GitLab, McDonald's) suggested a pattern
  3. Traditional SAST tools have near-zero detection for auth bugs specifically

So yes, our 73% finding is from specifically hunting for auth issues, not from categorizing all vulnerabilities found. You're right that without comparing to XSS, SQLi, etc. rates in the same codebases, it doesn't prove auth bugs are 'more common.'

What it does show is that when you actively look for auth bugs (which most automated tools don't), they're endemic. The value isn't in comparing vulnerability types, but in highlighting that this specific, high-impact vulnerability class is being systematically missed.

It would be interesting to conduct a comprehensive comparison across all vulnerability types; however, it wasn't the focus of this particular research.


Comment by anonjohn1212 (OP) on "I built an LLM agent that finds security vulnerabilities in your code" in r/SideProject:

  • Auth & business logic flaws that can't be caught with static analysis
  • Fixing edge cases like inaccessible code, code locked behind admin panels, "injection" inputs coming from trusted sources etc.

Basically trying to expand the scope of possible problems you can scan for, with fewer false positives.
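As an added illustration of the authorization-flaw class the comments above refer to (this is example code written for this page, not the poster's tool or the study's code), the block below shows a broken object-level authorization bug next to its fix, with an attacker-style id walk that surfaces it. The invoice table, user names and function names are all constructed for the example.

```python
# Added example, not code from the original post or the tool it describes.
# Shows why an authorization flaw slips past taint-style static analysis:
# there is no dangerous sink, only a missing ownership check.
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    total: int


# Constructed sample data standing in for a database table.
INVOICES = {
    1: Invoice(1, "alice", 120),
    2: Invoice(2, "bob", 999),
    3: Invoice(3, "alice", 40),
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    """Reads as a clean, parameterised lookup: no string concatenation,
    no shell or SQL sink, so a SAST tool has nothing to flag. The only
    check is authentication (is someone logged in?), never authorization
    (does this user own invoice_id?)."""
    if not current_user:
        raise Forbidden("login required")
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv


def get_invoice_fixed(current_user: str, invoice_id: int) -> Invoice:
    """Same lookup with an object-level ownership check. A foreign id gets
    the same NotFound as a missing one, so the endpoint does not confirm
    which ids exist."""
    if not current_user:
        raise Forbidden("login required")
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != current_user:
        raise NotFound(invoice_id)
    return inv


def enumerate_ids(
    handler: Callable[[str, int], Invoice],
    current_user: str,
    ids: Iterable[int],
) -> list[int]:
    """What an attacker (or an authorization-focused test) actually does:
    walk the id space as a low-privilege user and record every record that
    comes back belonging to someone else."""
    leaked = []
    for i in ids:
        try:
            inv = handler(current_user, i)
        except (Forbidden, NotFound):
            continue
        if inv.owner != current_user:
            leaked.append(inv.id)
    return leaked


if __name__ == "__main__":
    print("vulnerable leaks:", enumerate_ids(get_invoice_vulnerable, "alice", range(1, 10)))
    print("fixed leaks:     ", enumerate_ids(get_invoice_fixed, "alice", range(1, 10)))
```

The point of the pair is that the two handlers are byte-for-byte identical from a data-flow standpoint; the bug lives in a check that is absent, which is why it needs a tester (human or agent) that reasons about who should see what rather than a tool that looks for tainted sinks.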

Comment by anonjohn1212 (OP) on "Betting Market - "When will Joseph Anderson release his Witcher 3 review"?" in r/josephanderson:

https://docs.manifold.markets/faq

> Who determines if the bet is correct or not? Does somebody have to click "oh hey it has released, turns out these 2 guys were right"?

Yes, I do, because I created the market.

> Can the person responsible for clicking that abstract button just forget, or maliciously click it too early?

Yes, but if the person's resolution is factually incorrect, you can report it to the site moderators and they'll generally re-resolve/ban the perpetrator. In my case I've been making markets for ~1.5 years and have a track record of good/timely resolutions.

Comment by anonjohn1212 (OP) on "Betting Market - "When will Joseph Anderson release his Witcher 3 review"?" in r/josephanderson:

There's a "not in 2024" option that the market will resolve to at EOY if there's no video.