Application Security This Week for August 2nd

Check your Docker API permissions. A new piece of malware (Doki) has been turning cloud-hosted containers into mining rigs.

https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/
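To make that "check your permissions" concrete, here is an added example (mine, not code from the Intezer write-up or from the Docker project) that audits a dockerd configuration for an API listener exposed over plain TCP, the misconfiguration that hands a host to this kind of malware. It assumes the standard `hosts` and `tlsverify` keys in /etc/docker/daemon.json and the `-H`/`--host` and `--tlsverify` flags on the dockerd command line; the two configuration strings at the bottom are constructed samples.

```python
"""Audit a dockerd configuration for an API listener exposed over plain TCP.

Added example; not code from the Intezer write-up or from the Docker project.
Assumptions: the daemon's listeners come from the "hosts" key in
/etc/docker/daemon.json and/or -H/--host flags on the dockerd command line,
and TLS client verification is enabled with "tlsverify"/--tlsverify.
The configuration strings at the bottom are constructed samples.
"""
import json
import shlex
from urllib.parse import urlsplit

ALL_INTERFACES = {"0.0.0.0", "::"}


def listeners(host_entries):
    """Yield (scheme, host, port) for each dockerd host entry."""
    for entry in host_entries:
        if "://" not in entry:
            entry = "tcp://" + entry          # dockerd treats a bare host:port as tcp
        scheme = entry.split("://", 1)[0]
        if scheme != "tcp":
            yield scheme, None, None          # unix://, fd://, npipe:// are local only
            continue
        parsed = urlsplit(entry)
        # dockerd binds every interface when the host part is empty (tcp://:2375)
        yield "tcp", parsed.hostname or "0.0.0.0", parsed.port


def audit_docker_hosts(daemon_json_text, dockerd_cmdline=""):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    hosts = list(cfg.get("hosts", []))

    args = shlex.split(dockerd_cmdline)
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    tls_verify = bool(cfg.get("tlsverify")) or "--tlsverify" in args

    findings = []
    for scheme, host, port in listeners(hosts):
        if scheme != "tcp":
            continue
        where = f"tcp://{host}:{port}"
        if not tls_verify:
            findings.append(f"{where}: Docker API reachable over TCP without tlsverify "
                            "(anyone who can connect controls the host)")
        if host in ALL_INTERFACES:
            findings.append(f"{where}: bound to all interfaces, not a specific address")
    return findings


# Constructed samples: a typical exposed setup and a hardened one.
EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for label, text in (("exposed", EXPOSED_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_docker_hosts(text) or ["no findings"])
```

Feed it the contents of your daemon.json and the dockerd command line from `ps`. A clean result still means only that the daemon itself is not listening in the open; a cloud security group or host firewall that forwards 2375 to a local-only listener is a separate check.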

Remember when I told you that Microsoft is dropping support for TLS 1.0 and 1.1?  Well, SHA-1 is next.

https://www.theregister.com/2020/07/29/microsoft_windows_sha_1/

1d8 posted a good primer on setting up an Android security analysis lab. It's pretty solid.

https://github.com/1d8/Android-Analysis

I did a talk on a similar topic at GrrCon a few years back.

http://www.irongeek.com/i.php?page=videos/grrcon2016/114-breaking-android-apps-for-fun-and-profit-bill-sempf

Finally, I'll be at the OWASP Booth at Virtual BlackHat Wednesday afternoon (3-7 EDT). I have no idea how it will work yet, but it should be fun! Come have a virtual beer with me.

That's the news.  Stay safe out there.

Application Security This Week for July 26

They dropped Open Redirection from the OWASP Top 10 but, like CSRF, it is still out there. Here is a neat tool to help find it.

https://github.com/0xNanda/Oralyzer
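Finding an open redirect is half the job; here is what the fix looks like. This is an added example (mine, not code from Oralyzer or from the original post) showing the naive check that usually sits behind a vulnerable `next`/`returnUrl` parameter beside a strict allow-list validator. The allow-list, the function names and the sample inputs are constructed.

```python
"""Open-redirect guard for a "next"/"returnUrl" parameter.

Added example, not code from Oralyzer or from the original post. The
allow-list, the function names and the sample inputs are constructed.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.com", "shop.example.com"}   # constructed allow-list


def naive_is_safe(target: str) -> bool:
    """The check commonly found in vulnerable code: it only blocks an explicit
    scheme, so protocol-relative and backslash forms slip straight through."""
    return not target.lower().startswith(("http://", "https://"))


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a site-local path or an http(s) URL on an allowed host."""
    if not target:
        return False
    # Browsers treat a backslash like a slash; normalise before parsing so
    # "/\evil.example" is seen for what it is.
    cleaned = target.strip().replace("\\", "/")
    parts = urlsplit(cleaned)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False                       # javascript:, data:, etc.
    if parts.netloc:
        # Absolute or protocol-relative URL: hostname is lower-cased and excludes
        # any "user@" prefix, so "https://shop.example.com@evil.example" fails.
        return parts.hostname in allowed_hosts
    # No host part: accept only a single-slash local path.
    return cleaned.startswith("/") and not cleaned.startswith("//")


def redirect_target(requested, fallback="/"):
    """What a login handler should actually redirect to."""
    return requested if is_safe_redirect(requested) else fallback


# Constructed inputs: the shapes a validator has to get right.
CASES = {
    "/account": True,
    "https://shop.example.com/cart": True,
    "//evil.example/": False,
    "/\\evil.example/": False,
    "https://shop.example.com@evil.example/": False,
    "javascript:alert(1)": False,
    "http:evil.example": False,
}

if __name__ == "__main__":
    for url, expected in CASES.items():
        print(f"{url!r:45} naive={naive_is_safe(url)!s:5} strict={is_safe_redirect(url)}")
```

The strict version is deliberately picky: a bare relative path such as `account` is refused too, because the safe set is easier to reason about as "starts with exactly one slash, or is on a host we own" than as "everything except the tricks we know".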

FireEye has a neat new toolset to crowdshare malware patterns.  I haven't dug into this yet, but I am fascinated.  Malware isn't my thing - I am a web guy - but this is a cool idea.

https://www.fireeye.com/blog/threat-research/2020/07/capa-automatically-identify-malware-capabilities.html

Microsoft has started killing off TLS 1.0 and 1.1, really for real this time. Really. Interesting take, because users in poorer countries who are still on old Android and iOS devices are effectively losing access to the tools. Acceptable losses? Seems so.

https://docs.microsoft.com/en-us/microsoft-365/compliance/tls-1.0-and-1.1-deprecation-for-office-365?view=o365-worldwide

Gotta love a sanitizer bypass in ... a sanitizer tool.

https://research.securitum.com/html-sanitization-bypass-in-ruby-sanitize-5-2-1/

That's the news.  Hope everyone is well.

Application Security This Week for July 19

The Enterprise Security API for Java (ESAPI) went to 2.2.1.0.

https://github.com/ESAPI/esapi-java-legacy/blob/esapi-2.2.1.0/documentation/esapi4java-core-2.2.1.0-release-notes.txt

Microsoft's .NET Framework is getting rid of BinaryFormatter, erasing a significant security flaw.

https://github.com/dotnet/designs/pull/141

Good writeup on pentesting GitHub source repos, a great place to find bugs in open source packages used by your apps.

https://www.errno.fr/Attacking_source_repositories

PortSwigger's Burp Suite now includes a pre-configured browser as part of Community Edition, a game changer if you are doing in-house training or CTFs.

https://portswigger.net/burp/releases/professional-community-2020-7

Unquestionably the funniest PoC for an exploit I have ever seen in my life.

https://github.com/tinkersec/cve-2020-1350

That's the news, folks.  Hope everyone is well.

Application Security This Week for July 12

Big news this week was the F5 zero-day, of course, but on the application side you should review the code for the exploit, which is public. I am not gonna link it here but y'all can google. DO NOT run this on your corporate machines; use your test box and a VM, and just look. Here is a link to the CVE:

https://us-cert.cisa.gov/ncas/current-activity/2020/07/04/f5-releases-security-advisory-big-ip-tmui-rce-vulnerability-cve

Be still my heart, an API-driven HTTP server. Haven't played with it yet but it looks super sexy.

https://httpie.org/

Common thread on this newsletter - DNS is dangerous.  Review your records.

https://www.theregister.com/2020/07/07/microsoft_azure_takeovers/
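"Review your records" is easier with a script. Here is an added example (mine, not code from The Register piece or from Microsoft) that walks a zone export and flags dangling CNAMEs, the leftover records pointing at a de-provisioned cloud hostname that make subdomain takeover possible. The zone records, the provider suffix list and the resolver answers are constructed; in production `resolves` would wrap a real lookup (socket.getaddrinfo or dnspython) and the zone would come from your DNS provider's export.

```python
"""Find dangling CNAME records: names that still point at a cloud hostname
that no longer resolves, the precondition for a subdomain takeover.

Added example, not code from The Register piece or from Microsoft. The zone
records, the provider suffix list and the resolver answers are constructed;
in production `resolves` would wrap a real lookup (socket.getaddrinfo or
dnspython) and the zone would come from your DNS provider's export.
"""

# Suffixes of services where a released name can be claimed by a new tenant.
# Constructed, illustrative list; extend it for the providers you use.
TAKEOVER_PRONE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".blob.core.windows.net",
    ".s3.amazonaws.com",
    ".herokuapp.com",
)


def find_dangling_cnames(records, resolves):
    """records: iterable of (name, rtype, target); resolves(host) -> bool.
    Returns [(name, target, severity, reason)] for CNAMEs whose target is dead."""
    findings = []
    for name, rtype, target in records:
        if rtype.upper() != "CNAME":
            continue
        target = target.rstrip(".").lower()     # drop the trailing dot from zone files
        if resolves(target):
            continue
        if target.endswith(TAKEOVER_PRONE_SUFFIXES):
            findings.append((name, target, "high",
                             "target does not resolve and its provider lets anyone claim the name"))
        else:
            findings.append((name, target, "medium",
                             "target does not resolve; remove the record or confirm ownership"))
    return findings


# Constructed zone export and resolver answers for the demo.
ZONE = [
    ("www.example.com", "A", "203.0.113.10"),
    ("blog.example.com", "CNAME", "old-blog.azurewebsites.net."),   # app deleted, record left behind
    ("shop.example.com", "CNAME", "shop-prod.azurewebsites.net."),
    ("status.example.com", "CNAME", "status.vendor-that-closed.example."),
]
LIVE_NAMES = {"shop-prod.azurewebsites.net"}


def demo_resolver(host):
    return host in LIVE_NAMES


if __name__ == "__main__":
    for name, target, severity, reason in find_dangling_cnames(ZONE, demo_resolver):
        print(f"[{severity}] {name} -> {target}: {reason}")
```

Run it on a schedule, not once: the record that was fine last quarter is the one that dangles after someone tears down the staging app. A records pointing at released cloud IPs are the same problem in a different shape, but you cannot spot those from the zone alone, so they need to be reconciled against your current cloud inventory.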

Very nice collection of testing scripts - well worth the clone and the hour it takes to learn to use them. I'm integrating them into my test scenarios.

https://github.com/wintrmvte/Citadel

That's the news, folks!

Application Security This Week for July 5

Happy Independence Day for my US readers!

BugCrowd released a really cool looking Burp extension to help find bug bounty items.

https://portswigger.net/bappstore/059343223d094d16a0a8440485bc5c5e

Some guidance I am using right now on a test to bypass file upload filters.

https://stazot.com/boltcms-file-upload-bypass/

Fantastic analysis of the SAML flaw in Palo Alto devices by my friends at TrustedSec.

https://www.trustedsec.com/blog/cve-2020-2021-pan-os-saml-security-bypass/

That's the news, folks.  Go hack something.

Application Security This Week for June 28

I was tempted to start making up dates. Like Junuary 54th.  But dark humor doesn't belong here.  Or does it.

Lots of talk recently about using Frida to hook methods in binary applications, like native mobile apps and even Windows apps. Here's an easy way to get started.

https://github.com/leonjza/frida-boot

Taking advantage of Bitdefender FROM A WEBSITE.  No I am not kidding.  I haven't tried this yet but wow.

https://palant.info/2020/06/22/exploiting-bitdefender-antivirus-rce-from-any-website/

This is a twitter thread I wish I had written.  The basics of application vulnerability analysis.

https://threadreaderapp.com/thread/1273052843012841472.html

We are back on the encryption discussion.  Let me make my own, personal, not endorsed by anyone, position very clear.  Anyone - ANYONE - can encrypt anything with two coins, a pencil, and a piece of paper.  These laws do NOTHING. Nothing at all. Please tell everyone.  If you have questions, please ask. If I don't know the answer, I know people who do.

https://news.bitcoin.com/lawful-access-to-encrypted-data-act-backdoor/

And finally: an amazing exploit getting RCE from PostgreSQL with only a little magic juice.

https://srcincite.io/blog/2020/06/26/sql-injection-double-uppercut-how-to-achieve-remote-code-execution-against-postgresql.html

Have a great week, everyone.

Application Security This Week for June 21

Happy Father's Day!

Sn1per is not new, but it has some updates, and it is worth adding to your vulnerability assessment routine, or even your SSDLC CI/CD pipeline.

https://github.com/1N3/Sn1per

Seeker is a cool social engineering tool that makes it easy to collect geolocation from users. This blog isn't about SE, but they used some neat programming tactics and it is worth a look.

https://github.com/thewhiteh4t/seeker

"There are 14 people with this item in their cart" is probably a lie.  Press F12 and see for yourself! Might be worth a look.

https://medium.com/dev-genius/are-14-people-currently-looking-at-this-product-e7fe8412f16b

ProxyJump lets you pivot from one SSH host to another.  It's pretty neat.

https://medium.com/maverislabs/proxyjump-the-ssh-option-you-probably-never-heard-of-2d7e41d43464

Cool new XSS vulnerability in Angular.  Update your framework!

https://securitylab.github.com/advisories/GHSL-2020-099-mxss-angular

One of the "ilities" of application security is "availability". The Dark Tangent (Jeff Moss, founder of DEF CON) is using this tool for stress testing the new forums.

https://www.paessler.com/tools/webstress/sample_performance_tests

Have a great week everyone.

Application Security This Week for June 14

Happy 614 day to my Columbus friends.

Very solid guidelines on storing API secrets.

https://blog.gitguardian.com/secrets-api-management/
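The flip side of storing secrets properly is catching the ones that were not. Here is an added example (mine, not GitGuardian's scanner and not code from the original post) of a small pre-commit style scan: a few well-known key formats, a generic "secret-ish name assigned a string literal" rule, and a Shannon entropy score to separate real keys from placeholders. The sample file is constructed and every key in it is fake.

```python
"""Scan source text for committed API secrets, the thing good secret-storage
practice (environment variables, a vault, short-lived tokens) is meant to prevent.

Added example, not GitGuardian's scanner or code from the original post. The
patterns cover a few well-known key formats plus a generic "secret-ish name =
string literal" rule; the sample file below is constructed and every key in it
is fake.
"""
import math
import re
from collections import Counter

# Checked in order; the first pattern that hits a line wins.
PATTERNS = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GitHub token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("Private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("Secret assigned as literal",
     re.compile(r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]


def shannon_entropy(s):
    """Bits per character; random keys score high, words and placeholders low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text):
    """Return [(line_no, kind, entropy)] for every line that looks like a leak."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                value = m.group(1) if m.groups() else m.group(0)
                findings.append((line_no, kind, round(shannon_entropy(value), 2)))
                break
    return findings


# Constructed sample; the key values are fabricated and match no real account.
SAMPLE_CONFIG = """\
# config.py
DEBUG = True
AWS_ACCESS_KEY_ID = "AKIAEXAMPLE000000000"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
DB_PASSWORD = "changeme"
STRIPE_KEY = os.environ["STRIPE_KEY"]   # the right way: read it from the environment
"""

if __name__ == "__main__":
    for line_no, kind, entropy in scan_text(SAMPLE_CONFIG):
        print(f"line {line_no}: {kind} (entropy {entropy})")
```

The entropy column is for triage, not for deciding: `changeme` scores under 3 bits per character and is almost certainly a placeholder, while a real token lands above 4, but a low-entropy hardcoded password is still a hardcoded password. The `os.environ` line is what the guidance is asking for and correctly produces no finding.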

If you haven't seen it, you should watch Seth's API security talk too.

https://www.youtube.com/watch?v=NHeoCocs60I

Facebook wrote a Tails exploit?

https://www.schneier.com/blog/archives/2020/06/facebook_helped.html

VERY nice tool for scanning Node apps that I have recently added to my stable of scripts.

https://github.com/ajinabraham/nodejsscan

Hope you all are well. That's the news!

Application Security This Week for June 7

Another great Server Side Request Forgery find. I found this on a test again in May, folks; it's a real thing. Just because your analyst doesn't have time to write the exploit doesn't mean it isn't real.

https://medium.com/@win3zz/how-i-made-31500-by-submitting-a-bug-to-facebook-d31bb046e204
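As an added defender-side example (mine, not code from the bounty write-up or the original post), here is the outbound-URL guard that closes this bug class: it resolves the requested host and refuses anything that lands on a loopback, private, link-local (169.254/16 holds the cloud instance-metadata endpoint) or otherwise non-public address, and it handles the odd forms (literal IPs, bracketed IPv6, IPv4-mapped IPv6) that naive string checks miss. The resolver is injectable so the demo runs offline; `FAKE_DNS` and the host names in it are constructed.

```python
"""Outbound-URL guard against Server Side Request Forgery.

Added example, not code from the bug-bounty write-up or the original post.
Accepts only http(s) URLs whose host resolves exclusively to public addresses.
The resolver is injectable; FAKE_DNS and its host names are constructed.
"""
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_all(host):
    """Real resolver: every address (v4 and v6) the name currently maps to."""
    return [ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)]


def is_public(ip):
    """Reject loopback, RFC 1918, link-local (169.254/16 holds the cloud
    instance-metadata endpoint), multicast, reserved and unspecified ranges."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                       # ::ffff:10.0.0.1 is really 10.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url, resolver=resolve_all):
    """Return (ok, reason). ok is True only when every resolved address is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]      # literal address, incl. [::1]
    except ValueError:
        try:
            addrs = resolver(host)                # hostname, or odd forms like 127.1
        except OSError as exc:
            return False, f"could not resolve {host}: {exc}"
    if not addrs:
        return False, f"{host} has no addresses"
    for ip in addrs:
        if not is_public(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


# Constructed resolver answers for the offline demo.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],          # stand-in for a public host
    "metadata.internal.example": ["169.254.169.254"],  # points at instance metadata
    "dual.example": ["93.184.216.34", "10.0.0.9"],     # one public, one private: reject
}


def demo_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"{host}: name not known")   # same error type as getaddrinfo
    return [ipaddress.ip_address(a) for a in FAKE_DNS[host]]


if __name__ == "__main__":
    for url in ("https://api.partner.example/v1", "http://metadata.internal.example/",
                "http://169.254.169.254/", "http://dual.example/", "file:///etc/passwd"):
        print(url, validate_outbound_url(url, demo_resolver))
```

Two caveats a tester will probe for. First, validating and then letting the HTTP library resolve the name again leaves a window for a DNS-rebinding answer, so connect to the address you validated and send the hostname in the Host header. Second, a redirect from the fetched URL is a new outbound request and must go through the same check; disable automatic redirects or re-validate each hop.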

Spoofing attacks on contact tracing.  Man, the bad guys will stop at nothing.  Insane.

https://www.theregister.com/2020/06/02/contact_tracing_spoofable/

Two MORE remote code execution vulns in Zoom.  Now, don't think I am picking on them, but this is why we should be careful up front - you never know when you are gonna go viral! I think the devs at Zoom are doing an AWESOME job fixing these as they show up.

https://blog.talosintelligence.com/2020/06/vuln-spotlight-zoom-code-execution-june-2020.html?m=1

The fantastic Google Project Zero wrote a neat instrumentation library that is ACTUALLY lightweight for 32- and 64-bit Windows. You use it to instrument only the modules of interest, so it adds very little overhead. I haven't played with it yet but I am very excited to (when I have two minutes to rub together).

https://github.com/googleprojectzero/TinyInst/blob/master/README.md

Hope you are all safe. Weird stuff going on, and those of us in tech are well positioned to make changes in the world. Stop and think before you choose a direction.

Chat Log from the May OWASP meeting with Jamie Dicken

This wouldn't fit in a comment, but there is a lot of interesting information in here:

Kevin Brown (12:01 PM)
the event was widely advertised at Fuse
Joe Kuemerle (12:01 PM)
Far NE Pennsylvania for me
Mosharrat Shams (12:02 PM)
Hi Everyone,
I am Mosharrat Shams.
Kevin W. Wall (12:04 PM)
I'm about ready to use a weed whacker to cut my hair. Two hour waits at Great Clips.
Going for that Lion look
Kris Wall (12:08 PM)
Since everything is going virtual, this has been a big advantage for under represented OWASP cities.

Greetings from Oklahoma City!
Scott Goette (12:10 PM)
Greetings from the north coast of Ohio
Chris Holman (12:10 PM)
Good afternoon from sunny Chelmsford, UK.
Andrew Fitzgerald (12:10 PM)
she's just so popular
Doron Samuel (12:11 PM)
Good afternoon! Greetings from New York City!
Bob Caruso (12:12 PM)
There is an extension available also that implements the Zoom-style grid (or Brady bunch). https://chrome.google.com/webstore/detail/google-meet-grid-view/kklailfgofogmmdlhgmjgenehkjoioip
Wolfgang Goerlich (12:12 PM)
Greetings from Detroit!
Bob Caruso (12:12 PM)
It has not been pen tested
Kyle Kline (12:12 PM)
This is my first Google Meet ever -- everybody's video was grainy, and I discovered in settings mine was defaulted to 360p max for both send/receive. Changing it up to 720p helped a lot :)
Klaus Agnoletti (12:12 PM)
I am from Denmark, so yes. Global
Kris Wall (12:13 PM)
New York, Detroit, UK, OKC! We might outnumber the Ohio folks!
Chris Brew (12:15 PM)
Hi Jamie, Chris Brew here from Facebook Seattle, working on the future Assistant that will live on AR/VR glasses. We have many lovely security challenges. More difficult to lose your glasses than to lose your phone, but it will happen.
Warner Moore (12:17 PM)
LOPSA Columbus is virtual tonight! http://lopsacbus.org
Kris Wall (12:17 PM)
Our BSidesOK conference is going virtual. We tried hard to make it in person. :(
Scott Goette (12:19 PM)
that's because she went into presentation mode
You (12:22 PM)
This chat has a lot of awesome. Not sure how to archive, but I might just try copy/paste
Newsletter I mentioned at sempf.net
You (12:23 PM)
WSTG at https://owasp.org/www-project-web-security-testing-guide/
Scott Goette (12:24 PM)
👍👍😎
Kris Wall (12:26 PM)
Valuable? Bah! What does it connect to? Where can it pivot?
Scott Goette (12:27 PM)
dev and qa are on your production network, right?

or does everyone practice network segmentation and not poke holes through firewalls?
Kris Wall (12:28 PM)
I've found plenty of half baked and abandoned apps with access to prod and internal DBs
Bob Caruso (12:29 PM)
Pivot-through is usually the biggest threat. spot on, @Kris Wall
Scott Goette (12:35 PM)
ooohh - like this. Different Security engagements should be appropriately timed for accuracy
You (12:43 PM)
Deployment too. Sometimes you have out of date third party components, and ops has to get involved.
Chris Brew (12:47 PM)
All of this makes sense in a big tech company context, except that it is not directly financial. Engineering resources are still limited, and over-committed, and there is still an aggressive timeline.
Kris Wall (12:48 PM)
I take this into consideration when sending my reports. Each remediation issue turns into an action item and each item has to be well-defined for the dev team.
Brandon Lewis (12:49 PM)
To add on to Chris' comment, it's still a lot of $$$ at the end of the day - rewrites are never cheap especially for large applications (refer back to estimates).
Warner Moore (12:49 PM)
Re-writes are almost never the answer.
Andrew Fitzgerald (12:52 PM)
+1 for "don't touch my tech debt"
Bob Caruso (12:52 PM)
I can see Bill's arms waving, but no sound
Chris Brew (12:52 PM)
A Facebook specific is that privacy is an extremely big stick to wield. No one can or should say no to a security person who has a justified privacy concern, because it is officially a non-negotiable priority. But dev teams still face all the prioritization issues you raise.
Warner Moore (12:53 PM)
Depends on the allocation. I typically like 20% for tech debt, security, etc.
If you'd prefer it not to be touched, it can be a smaller part of the pie. ;)
Kris Wall (12:53 PM)
Devs get upset if you can't define the problem. :)
Doron Samuel (12:55 PM)
I was about to say that point in the chat box :)
Bob Caruso (12:58 PM)
Scenarios are the most convincing when you can use the developer's own code (via pen test).
Kevin W. Wall (1:02 PM)
A great example of letting the perfect becoming the enemy of the good.
Jennifer Middleton (1:03 PM)
+1 ^
Bob Caruso (1:04 PM)
Also, developers are trained to not touch working code and are often measured/rewarded by shipping new features (tied to revenue) and not by remediations or weaknesses closed. SOLUTION: Put a $ value on remediations, and/or turn cybersecurity controls into product features that are advertised to customers so that they get pulled through the whole dev pipeline.
Kevin W. Wall (1:07 PM)
Great prezo. g2g to work mtg. Stay safe everyone.
Warner Moore (1:08 PM)
Security features in products is looking at it from a value creation perspective and not necessarily an operations perspective. A robust security program for a modern tech organization requires both security features in the products and security capabilities within the organization. Often, that distinction is missed which means the security program is lacking in an area.
Kris Wall (1:08 PM)
We need to be nicer?
Sure. I guess!
You (1:09 PM)
Maaaaaaaaaan, I was just working on being grouchier like Kevin
Brandon Lewis (1:09 PM)
As a dev (looking to transition into security), sounds like there's a big lack of security champions on the dev side - someone who can be a realistic bridge of communication/reason so it doesn't feel so "security versus app teams".
rachit sood (1:09 PM)
@warner +1
Ron Varghese (1:09 PM)
Nice work Jamie!
Nabeel Alauddin (1:09 PM)
Appreciate the tips to build partnerships/establish trust and enable dev teams to self-direct their security efforts
Thanks for the presentation, Jamie!
Ron Varghese (1:10 PM)
Brandon it depends on the maturity of the org.
Warner Moore (1:10 PM)
Fantastic presentation. Important and useful message to working more productively together.
Scott Goette (1:10 PM)
great talk!! empathy and understanding is key - hire more devs in security
Krysten J (1:10 PM)
Thank you for this presentation!
Bill Churchill (1:10 PM)
Thanks Jamie!
Bob Caruso (1:10 PM)
Thanks, Jamie
Scott Goette (1:11 PM)
Will you publish the deck that you presented?
Rebecca Harvey (1:11 PM)
Thanks Jamie!
Andrew Smith (1:11 PM)
Thank you, I appreciate your observations...especially around the golden rule.
Kris Wall (1:11 PM)
@jamie If we need to get more forceful with dev teams and their governance, let's say there's continual push back, do you have any suggestions for being effective and not burning bridges?
Robert Ravenscroft (1:11 PM)
As always, great job Jamie!
Warner Moore (1:12 PM)
WARNER WAS HERE
Michael Flock (1:12 PM)
Thanks Jamie. Good stuff.
Brandon Lewis (1:12 PM)
Are the issues discussed here a really common experience for security folks trying to engage app teams?
Warner Moore (1:12 PM)
;)
Kris Wall (1:13 PM)
Push back from dev teams is quite common.
Kris Wall (1:17 PM)
Scans are OK for finding low hanging fruit, but not a replacement for security assessments.
Bob Caruso (1:18 PM)
agreed, a scan is just the start. It should result in a systemic improvement
Kris Wall (1:19 PM)
Keep it going! Bust out the guitar!
Nabeel Alauddin (1:19 PM)
I have to dip out. This was my first OWASP gathering and I learned a ton. Thanks Bill for facilitating and looking forward to more sessions in the future.
You (1:20 PM)
https://owasp.org/www-project-application-security-verification-standard/
https://owasp.org/www-project-application-security-verification-standard/
Andrew Fitzgerald (1:23 PM)
We'll save the jamie snark for offline
Nathan Zender (1:24 PM)
👏 👏 👏
Brandon Lewis (1:24 PM)
Good presentation Jamie, thanks!
J.D. Santen (1:24 PM)
great job everyone.
Bob Caruso (1:27 PM)
Thanks!
Kris Wall (1:27 PM)
Thank you everyone!

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
