This is a list of reports currently notified to Awooga.
| Title | Links | Issues | Description | Source |
|---|---|---|---|---|
| iOS Login and Signup Screen tutorial : Swift + XCode 6 + iOS 8 + JSON | Primary link | password-inadequate-hashing | Remarkably, the PHP API code uses parameterisation via the MySQLi engine, and so at first glance is safe with regard to SQL injection. However, the self-assembly of the JSON response string is risky (json_encode() is the safe alternative), and MD5 is no longer regarded as a suitable hash for password storage. | Repo: 1 |
| PHP Change Password Script | Primary link | sql-injection password-clear deprecated-library | A site with a large number of scripts featuring SQL injection vulnerabilities. A number of articles, including this one, incorrectly advise programmers to store passwords in plain text. | Repo: 1 |
| Dynamic Star Rating with PHP and jQuery | Primary link | sql-injection deprecated-library | A site with a large number of vulnerable scripts, including many that are live on the author's own server. | Repo: 1 |
| Simple Login using a MySQL database | Primary link | sql-injection password-clear | SQL injection and unhashed, unsalted user passwords on what looks like an unvetted community coder site. The author has been notified. | Repo: 1 |
| Create secure login script in PHP | Primary link | password-clear deprecated-library sql-needs-parameterisation | Tweeted to the author about the deprecated library, parameterisation and password hashing, but received no response. | Repo: 1 |
| Creating a Login System in PHP (Tutorial) | Primary link [ Secondary link ] | password-clear sql-needs-parameterisation | Tweeted to the author, received no response. | Repo: 1 |
| Android MultiCast Push Notifications using GCM [Greeting App] | Primary link | sql-injection deprecated-library | An Android tutorial presenting a PHP/MySQL API with legacy library and SQL injection issues. | Repo: 1 |
| Develop a Complete Android Login Registration System with PHP, MySQL | Primary link | sql-injection password-inadequate-hashing deprecated-library | The usual SQL injection flaws in this one; the author has been notified. The password hashing is also not strong enough, and it looks as though the login can be bypassed by changing the target user's password. | Repo: 1 |
| Tutorial Make a Simple Website E-Commerce with PHP MySql and Bootstrap | Primary link | sql-injection | The problem here is the zipfile, which contains SQL injection flaws. I've let the author know, to no avail. | Repo: 1 |
| Login Form Using Ajax and jQuery | Primary link | sql-injection password-clear deprecated-library | The usual complement of SQL injection and unhashed password issues. | Repo: 1 |
| Android Login and Registration with PHP, MySQL and SQLite | Primary link | sql-injection password-inadequate-hashing deprecated-library | The same security issues as a number of other Android API tutorials I've seen. | Repo: 1 |
| PHP Login Script with Session | Primary link | sql-injection password-clear deprecated-library | A site with a large number of scripts featuring SQL injection vulnerabilities. A number of articles, including this one, incorrectly advise programmers to store passwords in plain text. | Repo: 1 |
| Youtube like rating script jquery php | Primary link | sql-injection deprecated-library variable-injection | It's worth disabling JavaScript for this site: the whole page uses JavaScript to redirect to an advertiser's site. The PHP code features variable injection as well as SQL injection. I have contacted the author, who has undertaken to fix it. | Repo: 1 |
| Demo Facebook like Button Application Using PHP, MySQL, jQuery and Ajax | Primary link | sql-injection deprecated-library | Uses the legacy library, with SQL injection vulnerabilities similar to other MySQL tutorials on this domain. | Repo: 1 |
| Live Username Availability Check using PHP and jQuery AJAX | Primary link | sql-injection deprecated-library | A site with a large number of vulnerable scripts, including many that are live on the author's own server. | Repo: 1 |
| Facebook Style Like Unlike using PHP jQuery | Primary link | sql-injection deprecated-library | A site with a large number of vulnerable scripts, including many that are live on the author's own server. | Repo: 1 |
| Android Push Notifications using Google Cloud Messaging (GCM), PHP and MySQL | Primary link | sql-injection deprecated-library | Another tutorial site recommending the deprecated mysql extension (the mysql_* functions, removed in PHP 7), with several SQL injection vulnerabilities in the code. I have let the author know, as usual. | Repo: 1 |
| Implement MySQL-based transactions with a new set of PHP extensions | Primary link | sql-injection | Uses the modern MySQLi library but without parameterisation, so it remains vulnerable to SQL injection. Tweeted to the publisher to no avail. | Repo: 1 |
| PHP CRUD with Search and Pagination using jQuery AJAX | Primary link | sql-injection deprecated-library | A site with a large number of vulnerable scripts, including many that are live on the author's own server. | Repo: 1 |
| PHP Voting System with jQuery AJAX | Primary link | sql-injection deprecated-library | A site with a large number of vulnerable scripts, including many that are live on the author's own server. | Repo: 1 |
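The issue tags above recur across almost every report: a string-assembled query over the removed mysql_* extension (sql-injection, deprecated-library), a MySQLi connection that still concatenates input (sql-needs-parameterisation), passwords stored in plain text or as MD5 (password-clear, password-inadequate-hashing), and a JSON response glued together by hand. The PHP below is an added illustration, not code from any tutorial listed here or from Awooga, and puts the flagged "before" pattern beside the form these tutorials should be teaching. The `users(id, username, password_hash)` table and the connection details are assumptions.

```php
<?php
declare(strict_types=1);

// --- The pattern the reports flag ("before" form, shown for contrast only) ---
// Builds the SQL the legacy tutorials run through mysql_query(): user input is
// spliced into the query text and the password is compared as an md5() digest.
function vulnerable_login_sql(string $username, string $password): string
{
    // extract($_GET) or register_globals-style code is the "variable-injection"
    // tag: it lets a request overwrite any local such as $is_admin.
    return "SELECT id FROM users WHERE username = '$username' "
         . "AND password = '" . md5($password) . "'";
    // With username = admin' --  the WHERE clause becomes
    //   WHERE username = 'admin' -- AND password = '...'
    // and the password check is commented out. The matching response,
    //   '{"status":"ok","user":"' . $username . '"}',
    // also breaks or smuggles quotes for any username containing " or \.
}

// --- Hardened form -----------------------------------------------------------
function secure_login(mysqli $db, string $username, string $password): array
{
    // Prepared statement: the input is bound as data and never reaches the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Verify against a bcrypt hash made by password_hash(). When the user does not
    // exist, verify against a throwaway hash so the timing does not reveal that.
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === null || !password_verify($password, $hash)) {
        return ['status' => 'error', 'message' => 'Invalid credentials'];
    }

    // Opportunistically upgrade hashes produced with older cost/algorithm defaults.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $new = password_hash($password, PASSWORD_DEFAULT);
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->bind_param('si', $new, $row['id']);
        $upd->execute();
        $upd->close();
    }
    return ['status' => 'ok', 'user_id' => (int) $row['id']];
}

// Registration stores only the password_hash() output: never plain text, never md5().
function secure_register(mysqli $db, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Request handler: reads only the two expected fields and emits JSON via json_encode().
function handle_login_request(mysqli $db): void
{
    header('Content-Type: application/json');
    $result = secure_login($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
    echo json_encode($result, JSON_THROW_ON_ERROR);
}

// Usage in a web context (placeholder credentials and database name):
//   mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make failures throw
//   $db = new mysqli('localhost', 'app', 'secret', 'appdb');
//   $db->set_charset('utf8mb4');
//   handle_login_request($db);
```

The "Implement MySQL-based transactions" report above is the reminder that switching to `mysqli` on its own fixes nothing: the protection comes from `prepare()` plus `bind_param()`, not from the extension. The throwaway `password_hash('dummy', ...)` on the missing-user path costs one extra bcrypt computation per failed attempt; a precomputed constant hash does the same job if that cost matters.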