Great breakdown on finding bugs in an OAUTH flow
https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html
Only arguably appsec, but there is an artificial intelligence story writer that was determines to be too powerful to release into the wild, and it has been released into the wild
https://nakedsecurity.sophos.com/2019/11/11/ai-wordsmith-too-dangerous-to-be-released-has-been-released/
Remember when WordPress malware was all the rage? Well, not it is Slack Themes
https://fletchto99.dev/2019/november/slack-vulnerability/
I am a web guy, not an OS guy, so I learned a ton from this rootkit primer
https://capsule8.com/blog/dont-get-kicked-out-a-tale-of-rootkits-and-other-backdoors/
That's the news, folks.
Microsoft has a really good article on using a semantic query language to find exploitable DOM XSS findings. Honestly the whole series is recommended, but the DOM XSS one here is particularly good.
https://msrc-blog.microsoft.com/2018/08/16/vulnerability-hunting-with-semmle-ql-part-1/
Google Project Zero revealed a UAF bug in Android a bit ago, and here is an awesome analysis of how it happened. Good reading for mobile devs especially, but I certainly learned stuff too.
https://dayzerosec.com/posts/analyzing-androids-cve-2019-2215-dev-binder-uaf/
In continuing supply chain news, Armor has a good article on Managed Service Providers being a strong candidate for Malware Distributers of the Year.
https://www.armor.com/reports/new-msps-compromised-reports-armor/
That's the news!
Lawfare has a good article by Jim Baker (former legal council for the FBI) on a new way to think about encryption. You'll agree with some, disagree with some, but it will make you think.
https://www.lawfareblog.com/rethinking-encryption
From the Standard Vulnerability List: "When a session ends, first select the session ID from the client, then delete the session information from the server, then finally return the user to the login page." Session management matters, people.
https://arstechnica.com/information-technology/2019/10/five-months-after-returning-rental-car-man-still-has-remote-control/
Google is doing its "we are the Web so we will decide how it works" thing again, and threatening to enable samesite by default in Chrome. Here's some analysis of that.
https://www.jardinesoftware.net/2019/10/28/samesite-by-default-in-2020/
Speaking of Chrome nad running the web, here's El Reg's take on DNS over HTTPS:
https://www.theregister.co.uk/2019/10/29/chrome_dns_https/
Oh, and still speaking of Google and glass houses and stone throwing, there's an 0-day in Chrome.
https://www.bleepingcomputer.com/news/security/chrome-zero-day-bug-with-exploit-in-the-wild-gets-a-patch/
You know that stupid goose game your kid is playing? There is an insecure deserialization flaw in it.
https://pulsesecurity.co.nz/advisories/untitled-goose-game-deserialization
And finally, a good talk out of BSides Belfast about supply-chain attacks. Code review your open source libraries, folks!
https://www.infosecurity-magazine.com/news/bsidesbelfast-supply-chain/
Busy week! But that's the news.
Here's an interesting article on some non-JavaScript Cross-Site Scripting vectors.
https://x-c3ll.github.io/posts/CSS-Injection-Primitives/
Timely history lesson about the gradual movement of web application from primarily server-side to primarily client-side:
https://medium.com/young-coder/an-illustrated-beginners-guide-to-server-side-and-client-side-code-723cbb1db9ea
This isn't as new of an idea as the authors would like us to believe, but it is a good PoC of the CDN-related cache poisoning attack:
https://thehackernews.com/2019/10/cdn-cache-poisoning-dos-attack.html?m=1
Public disclosure of some bugs in AutoDesk discovered by binary fuzzing. Good way to get a look into this kind of testing - look breakdowns of CVEs.
https://fuzzit.dev/2019/10/25/discovery-and-analysis-of-2-dos-vulnerabilities-in-autodesk-fbx-1-unpatched/
PHP has a vector for remote code execution (combined with other known flaws) to patch if you can! Worth a read for the process, as well.
https://thehackernews.com/2019/10/nginx-php-fpm-hacking.html
That's the news, folks.
Portswigger has some good research on a new angle for cross-site leak attacks:
https://portswigger.net/research/xs-leak-leaking-ids-using-focus
Serverless inftastructures are slipping through the cracks as far as security testing goes. Here's a new tool for Amazon Lambda - hopefully it leads to more.
https://www.darknet.org.uk/2019/10/lambdaguard-aws-lambda-serverless-security-scanner/
Mozilla isolated an interesting RCE bug in iTerm2:
https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit/
Eric Lawrence (of Fiddler fame) has a good writeup on Chrome's new direction for cookies:
https://textslashplain.com/2019/09/30/same-site-cookies-by-default/
And that's the news.
This is a blog entirely dedicated to security analysis of mobine apps. No idea who writes it but it is good.
https://theappanalyst.com/
Neat writeup on going from SQL Injection to Remote Code Execution.
https://medium.com/bugbountywriteup/sql-injection-to-lfi-to-rce-536bed29a862
I've been on a PHP project recently, and I learned about this cool tool to bypass disable_functions.
https://github.com/mm0r1/exploits/tree/master/php7-gc-bypass
Speaking of PHP, the statis code analysis tool I learned to use was Exakat. Steep learning curve but unbelievable reports. And open source!
https://github.com/exakat/exakat
That's the news, folks.
The big news of the week is that every iPhone from 1 to X is apparently vulnerable to a bootROM flaw, and it is a hardware problem so Apple can't patch it. Now, this won't help malware writers fortunately, but it will make it easier to jailbreak your phone, and there are some more sinister uses as well. Several articles:
https://blog.malwarebytes.com/mac/2019/09/new-ios-exploit-checkm8-allows-permanent-compromise-of-iphones/
https://arstechnica.com/information-technology/2019/09/developer-of-checkm8-explains-why-idevice-jailbreak-exploit-is-a-game-changer/
https://github.com/axi0mX/alloc8
https://github.com/axi0mX/ipwndfu
McAfee published a conglomeration of their studies on Cloud security, and as I am sure you can imaging the news isn't good.
https://www.theregister.co.uk/2019/09/24/mcafee_cloud_leak_study/
And there was a vulnerability discovered in Cold Fusion, so make sure you patch ... wait people still use Cold Fusion?
https://helpx.adobe.com/security/products/coldfusion/apsb19-47.html
Here's a neat Android reverse engineering game.
https://0x00sec.org/t/reversing-hackex-an-android-game/16243
A tool to edit images to have payloads. Use it t o test and see if your imagine processing components have vulnerabilities!
https://github.com/chinarulezzz/pixload
I have been running into HTTP Request Smuggling a lot recently after the new research by PortSwigger. Here is an interesting writeup.
https://medium.com/@memn0ps/http-request-smuggling-cl-te-7c40e246021c
That's the news, folks.
Only Rails 6.x and 5.2.x are getting security updates. Plan your development accordingly.
https://rubyonrails.org/security/
Jason Karns was kind enough to pass along this awesome upgrade helper for Rails:
https://blog.testdouble.com/posts/2019-09-03-3-keys-to-upgrading-rails
I regularly write apps up for failure to disable autofill, and this article is a good explainer.
https://www.social-engineer.com/disable-autofill-browsers/
Bruce has a really good set of reasoning on why there is no difference between "commercial" encryption and "consumer" encryption.
https://www.schneier.com/blog/archives/2019/08/the_myth_of_con.html
iOS doesn't get a lot of malware love because it's only 12% of the phone market, but the bad guys realized that 12% has a lot of money, so here are a BOATload of exploits that Google found them.
https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html?m=1
I also write folks up for clickjacking a lot, and it is making a comeback. It's just a header people, add it.
https://nakedsecurity.sophos.com/2019/08/29/web-clickjacking-fraud-makes-a-comeback-thanks-to-javascript-tricks/
Some RCE flaws discovered in PHP. Update if you can, mitigate if you can't.
https://thehackernews.com/2019/09/php-programming-language.html?m=1
That's the news. Stay safe.