It’s a race to the bottom. Or, we learn how to improve from studying mistakes, ala target practice. Either way you look at it, Zuk offers an Android app with all the fixings.
Download the MoshZuk Application: contains the following vulnerabilities:
Stack Overflow
Heap Overflow
SQL Injection
Command Injection
Format Strings
Double Free
Directory Traversal
Race Condition
Hardcoded Passwords
Bad code habits
Overblown permissions
Bad file permissionsThe best part is, we’ve specially constructed the vulnerabilities so it can be chained (extra points in this competition)
I look at it as the new Zuk standard for automated code analysis tests – the Zuk afikoman hunt. If a tool can’t find 100% it fails.
When the code is released it probably will be copied and used by developers who want to write apps but do not realize it was written to be vulnerable. The flip side is thus that attackers will create simple automation to quickly find and target apps ignorantly based on MoshZuk.