在没有加密的数据库中存储信用卡信息(整个信息:号码+有效期+密码)。此外，该数据库被用作一种CRM，因此许多销售人员可以使用不安全的密码访问它。(自从我3年前离开公司后，他们就没换过名字。)

一个在线文档管理器怎么样，它允许设置你能记住的所有安全权限……

直到你进入下载页面……download.aspx吗?documentId = 12345

是的，documentId是数据库ID(自动递增)，您可以循环每个数字，任何人都可以获得所有公司文档。

当这个问题被提醒时，项目经理的回答是:好的，谢谢。但之前没有人注意到这一点，所以就让它保持现状吧。

有一家银行通过其网站提供一些服务。开发人员考虑了任何作为整个系统的有效用户登录的人，他们使用URL来识别账号，因此只需更改URL上的ID，就可以查看其他账户的余额。

对于认为身份验证和授权是一回事的web开发人员来说，这是非常糟糕的。

此外，银行不通过其网站转账也很好，否则有些人会很富有;-)

信不信由你，我最近在一个网站上发现了这个:

eval($_GET['code']);

服务器甚至没有安全模式…

I was going to earn my credit with the supervisor for my quite advanced graphics program at a SunOS / Solaris with instant messaging enabled where with zephyr.vars or whatever it was called you could make an image appear on your listed friend's screen like if you alowed me I could just send you an image that appeared on your display. While I was demoing the program I had written so that the supervisor could give me credit for it, one of my friends sitting close or in the next room made the photo big-mama.xxx appear on my screen. There was never any discussion or penalty because of the incident and I got credit for the project that for ½ second seemed like it was programmed to display big-mama.xxx instead of solving the problem. (Earlier) I updated perl scripts and waited for sysadmin to reflect the changes to ouside the FW. Then the database was gone and it was not a bug it was a feature since the data was stored with the source and therefore updating the source blanked the persistence.

物理访问或模拟登录提示或登录屏幕是另外两种困难的情况，不需要过多的算法技术，很容易理解物理访问提供了许多可能性，模拟登录提示是您可以在许多不同类型的计算机和环境上进行的事情。

简单地说

exec unchecked_parameter_from_the_web

在Python中解析用户给出的字典字面量。那真的很可怕。