Perfect request — let’s go language by language. I’ll show you 10 vulnerable coding patterns at the source-code level for each of PHP, Node.js, Java EE, and Python Flask. For each, I’ll give you:
- Code snippet (vulnerable)
- Why it’s dangerous (root cause)
- Underlying source-level mechanism (e.g., function/library behavior that creates the flaw)
🔴 PHP – 10 Vulnerable Patterns
- SQL Injection
```php
$id = $_GET['id'];
$result = mysqli_query($conn, "SELECT * FROM users WHERE id = $id");
```
Cause: Direct interpolation of user input in SQL query → parsed by MySQL C parser (`sql_parse.cc`).
- XSS via Echo
```php
echo "Welcome " . $_GET['name'];
```
Cause: `echo` directly writes to response without HTML escaping.
- File Inclusion
```php
include($_GET['page'] . ".php");
```
Cause: `include()` executes arbitrary file contents as PHP code.
- Unrestricted File Upload
```php
move_uploaded_file($_FILES['file']['tmp_name'], "uploads/" . $_FILES['file']['name']);
```
Cause: No MIME/extension validation, attacker uploads `.php`.
- Command Injection
```php
system("ping " . $_GET['host']);
```
Cause: `system()` spawns `/bin/sh`, concatenated input is executed.
- Weak Hashing
```php
$hash = md5($password);
```
Cause: `md5()` is cryptographically broken; rainbow tables precomputed.
- Session Fixation
```php
session_id($_GET['sid']);
session_start();
```
Cause: Accepting attacker-controlled session IDs.
- Insecure Deserialization
```php
$obj = unserialize($_POST['data']);
```
Cause: PHP `unserialize()` can invoke `__wakeup`/`__destruct` methods in attacker-crafted payload.
- Insecure Direct Object Reference (IDOR)
```php
$file = "uploads/" . $_GET['file'];
readfile($file);
```
Cause: No access control check.
- Header Injection
```php
header("Location: " . $_GET['url']);
```
Cause: Input with `\n` allows attacker to inject additional headers.
🟢 Node.js – 10 Vulnerable Patterns
- Eval Injection
```javascript
app.get('/eval', (req, res) => {
  eval(req.query.code);
});
```
Cause: V8 `eval()` runs arbitrary JavaScript.
- Prototype Pollution
```javascript
let obj = {};
Object.assign(obj, JSON.parse(req.body.data));
```
Cause: `__proto__` injection changes base Object prototype.
- NoSQL Injection (MongoDB)
```javascript
User.findOne({ username: req.body.username });
```
Cause: Input `{ "$ne": null }` bypasses authentication.
- Command Injection
```javascript
child_process.exec("ls " + req.query.dir);
```
Cause: Input concatenated into shell command.
- Path Traversal
```javascript
res.sendFile(__dirname + '/files/' + req.query.file);
```
Cause: `../` lets attacker escape directory.
- Insecure Cookie
```javascript
res.cookie("sid", sid);
```
Cause: Missing `HttpOnly`, `Secure`, `SameSite`.
- Insecure Deserialization
```javascript
let data = JSON.parse(req.body);
```
Cause: If used with libraries like `serialize-javascript` can rehydrate functions.
- Regex DoS
```javascript
if (/^(a+)+$/.test(req.query.input)) { ... }
```
Cause: Catastrophic backtracking → event loop blocking.
- CORS Misconfiguration
```javascript
res.setHeader("Access-Control-Allow-Origin", "*");
```
Cause: Any origin can access responses with credentials.
- XSS
```javascript
res.send("Hello " + req.query.name);
```
Cause: No HTML encoding in `res.send()`.
🟡 Java EE – 10 Vulnerable Patterns
- SQL Injection (JDBC)
```java
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery("SELECT * FROM users WHERE id=" + request.getParameter("id"));
```
Cause: `Statement` concatenates query string; parsed by JDBC driver.
- XSS
```java
out.println("Welcome " + request.getParameter("name"));
```
Cause: Direct reflection into HTML.
- LDAP Injection
```java
String filter = "(uid=" + request.getParameter("user") + ")";
ctx.search("ou=users,dc=example,dc=com", filter, controls);
```
Cause: Input expands LDAP search filter.
- Insecure Deserialization
```java
ObjectInputStream in = new ObjectInputStream(request.getInputStream());
Object obj = in.readObject();
```
Cause: Attackers send gadget chains → `readObject()` execution.
- Command Injection
```java
Runtime.getRuntime().exec("ping " + request.getParameter("host"));
```
Cause: OS command interpreter invoked.
- Path Traversal
```java
File f = new File("/data/" + request.getParameter("file"));
```
Cause: Input like `../../etc/passwd`.
- Weak Crypto
```java
MessageDigest md = MessageDigest.getInstance("MD5");
```
Cause: Known collision vulnerabilities.
- Session Fixation
```java
String sid = request.getParameter("JSESSIONID");
```
Cause: Reuses attacker’s session ID.
- Insecure Redirect
```java
response.sendRedirect(request.getParameter("url"));
```
Cause: Open redirect.
- XXE Injection
```java
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
Document doc = dbf.newDocumentBuilder().parse(uploadedXML);
```
Cause: XXE enabled by default → entity expansion.
🔵 Python Flask – 10 Vulnerable Patterns
- SQL Injection (SQLite)
```python
@app.route("/user")
def user():
    uid = request.args.get("id")
    return db.execute("SELECT * FROM users WHERE id = " + uid).fetchall()
```
Cause: String interpolation passed to SQLite C parser.
- XSS
```python
return f"Welcome {request.args['name']}"
```
Cause: Flask `return` sends raw HTML.
- Command Injection
```python
os.system("ping " + request.args['host'])
```
Cause: User input concatenated into shell command.
- Path Traversal
```python
return send_file("uploads/" + request.args['file'])
```
Cause: `../` traversal to arbitrary files.
- Insecure Pickle
```python
data = pickle.loads(request.data)
```
Cause: Pickle executes arbitrary opcodes.
- Hardcoded Secrets
```python
app.config['SECRET_KEY'] = "12345"
```
Cause: Predictable secret allows session forgery.
- CSRF Missing
```python
@app.route("/transfer", methods=["POST"])
def transfer(): ...
```
Cause: No CSRF token validation.
- Debug Mode Enabled
```python
app.run(debug=True)
```
Cause: Werkzeug debugger RCE.
- Weak Password Storage
```python
hashlib.md5(password.encode()).hexdigest()
```
Cause: MD5 is weak; bcrypt/argon2 recommended.
- Insecure CORS
```python
CORS(app, resources={r"/*": {"origins": "*"}})
```
Cause: Any origin can send requests.
✅ These snippets demonstrate source-level vulnerable patterns that map directly to language/runtime/library internals. They’re the exact kinds of issues that bug bounty hunters and auditors search for.
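Added example (not part of the original reply) showing why the Flask SQL injection and path traversal patterns above fail and what the fixed forms look like: the SQLite concatenation beside a parameter-bound query, and a canonicalise-then-check resolver for the `send_file("uploads/" + ...)` sink. The in-memory database, its rows, the `uploads` base directory and all function names are constructed for this demonstration.

```python
import os
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the app's `db` handle.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    return conn


def lookup_vulnerable(conn, uid):
    # Same shape as the page's snippet: `uid` is spliced into the SQL text,
    # so SQLite's parser treats every character of it as SQL syntax.
    return conn.execute("SELECT * FROM users WHERE id = " + uid).fetchall()


def lookup_safe(conn, uid):
    # Parameter binding: the statement is compiled first and `uid` is bound
    # afterwards as a single value, so it can never change the query shape.
    return conn.execute("SELECT * FROM users WHERE id = ?", (uid,)).fetchall()


# Constructed base directory for the send_file example; realpath() gives
# the canonical absolute form used for the containment check below.
UPLOAD_ROOT = os.path.realpath("uploads")


def resolve_upload(name):
    # Hardened form of send_file("uploads/" + name): canonicalise the joined
    # path (collapsing any "../" and following symlinks), then refuse it
    # unless it is still located inside UPLOAD_ROOT. Returns None on reject.
    candidate = os.path.realpath(os.path.join(UPLOAD_ROOT, name))
    if os.path.commonpath([UPLOAD_ROOT, candidate]) != UPLOAD_ROOT:
        return None
    return candidate


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "0 OR 1=1"))  # every row: the clause became SQL
    print(lookup_safe(db, "0 OR 1=1"))        # []: compared as one literal value
    print(resolve_upload("../etc/passwd"))    # None: escapes the base directory
    print(resolve_upload("report.pdf"))       # canonical path under UPLOAD_ROOT
```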