不过这还不是我见过的最严重的安全漏洞。但这至少是我自己发现的最糟糕的情况:

一个非常成功的在线有声读物商店在成功认证后使用cookie存储当前用户的身份信息。但你可以很容易地在cookie中更改用户ID，并访问其他账户并在这些账户上购物。

整个经典ASP购物车“Comersus”。整个事情是意大利面条代码的混乱，所有的SQL语句都是成熟的SQL注入，因为没有做任何过滤。可悲的是，我不幸地处理了近两年的“申请”，这绝对是一场噩梦!

社会工程:

<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.

从bash.org

我们有一个旧的计算机集群，在我工作的一个实验室里没有运行。几个本科生认为，让它运行起来会很有趣，这样他们就可以学习一点并行计算了。他们让它运行起来，结果证明它非常有用。

One day I came in and was checking out the stats...It was running at 100%. Now this was a 24 node cluster and there were only 3 of us that ever used it so it was a little strange that it was running at this load. I started playing with it, trying to figure out what was loading it...turned out someone had gained access and was using it as their own little porn server and spammer. I asked the undergrads what kind of security they put on it, they looked at me and said "Security? We didn't think it would need any."

我给它加了个密码，就这样。把它用作色情服务器的人原来是一个本科生的朋友。

去了一个汽车经销商的付费网站，会员费很高。只要用“test”作为用户名，用“Test1”作为密码。我进去了。

"Pedo mellon a minno"， "与朋友交谈，然后进入"，在摩瑞亚的大门上。