在因特网上发布你的ELMAH错误日志怎么样?

不是最坏的，但也足以造成一些真正的损害。你会惊讶于这一点被忽视的频率有多高。特别是当人们使用这些流行的框架时，

yourwebapp.com/items/edit.php?id=4
yourwebapp.com/items/delete.php?id=4

不确定项的所有者是请求页面的人。 也就是说，你可以登录你的账户，然后在整个应用程序中编辑或删除任何人的项目。

一个简单的检查可以防止很多损坏。

$item = // find your item by the $_GET[ 'id' ];

if( $_SESSION[ 'user_id' ] != $item[ 'user_id' ] ){
  // kick em out they dont belong...
}

信不信由你，我最近在一个网站上发现了这个:

eval($_GET['code']);

服务器甚至没有安全模式…

The worst security hole I've seen was from a (very very bad) hosting company. And even worse it was just some months ago (summer 2010)! You had to first connect to your hosting package control panel (you needed valid credentials). Once logged in all you had to change was the id GET token from the URL and voilà, you're in the control panel of another user! You have access (save/edit/delete) to emails, files, databases. The ids were sequential so you only have to do +1 and you're in the next account. I hope someone have been fired for this!

这是我和他们一起经历过的众多WTF之一!幸运的是，我不是他们的顾客!

Windows 95可以选择需要密码才能解锁屏幕保护程序。然而，使用ctrl+alt+del你可以杀死屏幕保护程序。

我在The Daily WTF上看到过这个。

<script language="javascript">
<!--//
/*This Script allows people to enter by using a form that asks for a
UserID and Password*/
function pasuser(form) {
    if (form.id.value=="buyers") { 
        if (form.pass.value=="gov1996") {              
            location="http://officers.federalsuppliers.com/agents.html" 
        } else {
            alert("Invalid Password")
        }
    } else {  
        alert("Invalid UserID")
    }
}
//-->
</script>

恕我直言，没有什么比这更好的了。