Application Security This Week for July 14

A wonderful human being put together a list of resources about hacking mainframe systems, worth a look if your organization is run on the big metal.

https://github.com/samanL33T/Awesome-Mainframe-Hacking/

 

Apple had a not-good-very-bad week.  First, the OpenIF Foundation dinged the Mac implementation of "Sign in with Apple"

https://nakedsecurity.sophos.com/2019/07/08/privacy-and-security-risks-as-sign-in-with-apple-tweaks-open-id-protocol/

Then it was discovered that all of the magic of Zoom's conference software is due to a web server installed on MacOS, which you can't remove!  (Heeeey!)

https://www.engadget.com/2019/07/09/zoom-will-remove-server-behind-mac-security-hole/?ncid=txtlnkusaolp00000618

 

Rhino Security released a new version of CloudGoat, an insecure-by-design cloud deployment tool.  

https://rhinosecuritylabs.com/aws/cloudgoat-walkthrough-rce_web_app/

 

One of my favorite attacks against file uploads that take zip files is the zipbomb.  Well, someone made a really nice one.

https://www.vice.com/en_us/article/597vzx/the-most-clever-zip-bomb-ever-made-explodes-a-46mb-file-to-45-petabytes

 

There is a flaw in the Android update system that allows attackers to modify updates on the fly.  Oh, and it is being exploited in the wild.

https://thehackernews.com/2017/12/android-malware-signature.html?m=1

 

That's the news, folks.  Have a safe week!

 

Application Security This Week for July 7

Good article on using fuzzers as productivity tools

https://kripken.github.io/blog/binaryen/2019/06/11/fuzz-reduce-productivity.html

Reminds me of a great talk by the remarkable Craig Stuntz, worth a read.

https://speakerdeck.com/craigstuntz/high-speed-bug-discovery-with-fuzzing

 

Firefox will automatically trust certificates trusted by your OS

https://thehackernews.com/2019/07/firefox-https-security.html?m=1

In other Firefox news, the UK is up in arms about Secure DNS breaking the Great British Pornwall

https://www.zdnet.com/article/uk-isp-group-names-mozilla-internet-villain-for-supporting-dns-over-https/

 

Next time I ping your site for not using X-FRAME-OPTIONS on a DNS endpoint, well, HAH I TOLD YOU SO NAAA NAA NAA

https://medium.com/intigriti/gotcha-taking-phishing-to-a-whole-new-level-72eda9e30bef

 

And that's the news, folks.

Application Security This week for June 30

Fascinating look into Internet routing that caused an outage last week.  We are really building this city on a bed of sticks.

https://blog.cloudflare.com/how-verizon-and-a-bgp-optimizer-knocked-large-parts-of-the-internet-offline-today/

 

Not my normal fare for this newsletter, but Microsoft added a secure vault to OneDrive.  Not in the US yes, but my Australian friends can give it a try.

https://www.windowscentral.com/microsoft-announces-onedrive-personal-vault-secure-area-within-your-onedrive

 

There is a directory traversal vulnerability in ... this blog!  Please don't hack my.  I'll update later today.

https://seclists.org/fulldisclosure/2019/Jun/44

 

MongoDB is adding field level encryption.  Now if folks would just use the authentication features ...

https://www.wired.com/story/field-level-encryption-databases-mongobd/

 

Found a VERY cool tool that lists known vulnerabilities in default containers.

https://vulnerablecontainers.org/

 

A weird enge case forces the npm deployment script to push the .git folder.  Remember, complexity is the enemy of security.

https://npm.community/t/npm-6-9-1-is-broken-due-to-git-folder-in-published-tarball/8454/2

 

And that's the news folks.

Application Security This Week for June 23

Google has decided that the API that underpins the Chrome extension kit is too powerful - and they aren't wrong.  But the changes appear to be killing adblockers.  Strange, that.

https://www.theregister.co.uk/2019/06/17/chrome_extensions_security/

 

No, you aren't reading an old edition of this newsletter.  There really is another Orable Weblogic deserialization bug.

https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html

https://www.theregister.co.uk/2019/06/19/oracle_weblogic_emergency/

 

Good writeup on the current state of 2 factor authorization.

https://blog.trailofbits.com/2019/06/20/getting-2fa-right-in-2019/

 

That's the news, folks.

 

Application Security This Week for June 16

Happy Father's Day!

 

Great writeup by Rapid7 about security-focused HTTP headers.

https://blog.rapid7.com/2019/05/30/hidden-helpers-security-focused-http-headers/?utm_medium=twitter&utm_content=http-headers&CS=twitter

 

Phishing kit used by the bad guys has a gaping insecure file upload bug.

https://www.theregister.co.uk/2019/06/05/akamai_phishing_kit_vuln/

 

"But it's inside the firewall!" Here's 18 cases of insider attacks in the banking industry.

https://medium.com/bugbountywriteup/18-cases-of-insider-bank-threats-16a29dcfca18

 

And, a little security related humor to lighten your week.

https://medium.com/commitlog/how-to-design-for-the-web-in-2019-a0be4d6702e2

 

And that's the news.

 

 

Application Security This Week for June 2

Accidentally Took Memorial Day Weekend Off Edition

 

New tool: FinalRecon- OSINT Tool For All-In-One Web Reconnaissance

https://blog.hackersonlineclub.com/2019/05/finalrecon-osint-tool-for-all-in-one.html?m=1

 

Permanent URL Hijack Through 301 HTTP Redirect Cache Poisoning

https://blog.duszynski.eu/domain-hijack-through-http-301-cache-poisoning/

 

Didier Stevens, one of my favorite researchers, mentioned that one of his readers has made a docker container with all of his tools.

https://blog.didierstevens.com/2019/05/27/dssuite-a-docker-container-with-my-tools/

 

There is a POC for CVE-2019-0708. Certainly is worth a look.

https://github.com/Ekultek/BlueKeep

 

Speaking of Docker, there is a bug that allows a hypervisor jump.

https://duo.com/decipher/docker-bug-allows-root-access-to-host-file-system

https://nakedsecurity.sophos.com/2019/05/31/unpatched-docker-bug-allows-read-write-access-to-host-os/

 

Finally, the always-wonderful folks at Portswigger have a cool analysis of Behavioral Fuzzing.

https://portswigger.net/blog/provoking-browser-quirks-with-behavioural-fuzzing

 

And that's the news! Have a great week.

Application Security This Week for May 19

Container security is a big deal, with OWASP A9 showing up more and more.  Here is a tool that will help with container scanning, and it is compatible with your continuous integration builds.

https://github.com/knqyf263/trivy

 

WhatsApp had a bug, but that doesn't dismiss the importance of end-to-end encryption.  Discuss.

https://www.wired.com/story/whatsapp-hack-phone-call-voip-buffer-overflow/

 

Someone found a user after free vulnerability in the Linux kernal going alllll the way back.

https://www.bleepingcomputer.com/news/security/linux-kernel-prior-to-508-vulnerable-to-remote-code-execution/

 

And that's the news!

 

 

Application Security This Week for May 12

If you have been in my classes, you know that I often point to weev as my example for why not to hack live sites.  Well, now I have a new example.

https://thehackernews.com/2019/05/israel-hamas-hacker-airstrikes.html

 

DHS is putting a 15 day deadline on all critical patches.  Maybe that Windows NT4SP2 box will get a little sumpn sumpn, huh?

https://thehackernews.com/2019/05/dhs-patch-vulnerabilities.html

 

The Google CTF is coming up in a month or so.  Start doing those ZAP pushups.

https://security.googleblog.com/2019/05/google-ctf-2019-is-here.html

 

El Reg has a great article on the latest (of many) SQLite RCE flaws.

https://www.theregister.co.uk/2019/05/10/sqlite_rce_vuln/

 

Y'all know that cryptography is not my best subject, but this is important. SHA1 is now provably just as broken as MD5, so start scrubbing it from codebases, except in cases like HMAC.

https://eprint.iacr.org/2019/459

 

That's the news!

Application Security This Week for April 28

Another Weblogic deserialization bug.

https://securityaffairs.co/wordpress/84450/breaking-news/oracle-weblogic-zeroday.html

I have a PR in for Nikto for it

https://github.com/sullo/nikto/pull/607

 

A reminder that application security is more than SQL Injection: good analysis of the bugs that caused the 737 Max wrecks. I had to drop it in Pastebin because IEEE put it behind the paywall.

https://pastebin.com/QEiKvvMM

 

Using Git dotfiles to bypass authentication.

https://blog.assetnote.io/bug-bounty/2019/04/23/getting-access-zendesk-gcp/

 

ZDNet, of all places, has a really good, plain language explainer of credential stuffing.

https://www.zdnet.com/article/an-inside-look-at-how-credential-stuffing-operations-work/

 

Little more on the dev side - 10 articles reviewed about using Python in machine learning.

https://hackernoon.com/10-great-articles-on-python-development-6f54dd38437f

 

And that 's the news!  I'll be on vacation next week, so see you on the 12th.

 

 

Application Security This Week for April 21

Hacky Easter is on!  Go get your CTF rolling.

https://hackyeaster.hacking-lab.com/hackyeaster/

 

XXE discovered in IE 11.

https://seclists.org/fulldisclosure/2019/Apr/20

 

DNS attacks are very much on the rise

https://www.engadget.com/2019/02/24/icann-warns-of-dns-attacks/?ncid=txtlnkusaolp00000618

https://www.golem.de/news/subdomain-takeover-microsoft-loses-control-over-windows-tiles-1904-140717.html

 

YAWAST goes to 0.7.  I use it on every test for recon.

https://adamcaudill.com/2019/04/19/yawast-v0-7-released/

 

Great overview of a white hat attack of a "secure" application.

https://securityaffairs.co/wordpress/84219/breaking-news/hacker-broke-tchap.html

 

That's the news, folks!

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList