Application Security This Week for April 11

Surprisingly good article from the BBC about firmware attacks

https://www.bbc.com/news/business-56671419

Some really interesting code related to the Windows RPC attack

https://iamelli0t.github.io/2021/04/10/RPC-Bypass-CFG.html

One of my favorite topics - insecure API endpoints - presented at BSides

https://blog.assetnote.io/2021/04/05/contextual-content-discovery/

Have a secure week, everyone.

Application Security This Week for March 28

Guess who forgot to do a newsletter last week?

Cool file upload attack to get access to SSH unauthenticated.

https://blog.fadyothman.com/cve-2021-28379-gaining-rce-via-ssh-backdoor-in-vestacp/

Neat tool to MITM an iOS device.  The code is worth a look.

https://github.com/doronz88/harlogger

There is a new release of a (new to me) tool to test SAML implementations.

https://blog.compass-security.com/2021/03/saml-raider-release-1-4-0/

More cool HTTP2 vulnerabilities exploited.

https://blog.assetnote.io/2021/03/18/h2c-smuggling/

TLS 1.0 and 1.1 are formally deprecated.  These become High findings on reports now.

https://datatracker.ietf.org/doc/rfc8996/

Retire.js, one of my favorite tools, has been updated.

https://retirejs.github.io/retire.js/

And finally, spend your Sunday patching OpenSSL.

https://thehackernews.com/2021/03/openssl-releases-patches-for-2-high.html

Have a secure week, everyone.

Application Security This Week for March 14

Happy pi day!

Missive on the insecurity of C as a programming language.

https://daniel.haxx.se/blog/2021/03/09/half-of-curls-vulnerabilities-are-c-mistakes/

Regex is easily exploitable for denial of service attacks.

https://blog.doyensec.com/2021/03/11/regexploit.html

It might be too late to register, but Veracode is holding a Capture The Flag competition for students.

https://www.veracode.com/events/hacker-games

Have a secure week.

Application Security This Week for March 7

This is a pop culture article about why mobile application can be insecure (from Wired) but it is well written.  It might be behind a paywall for some of you, if so I'm sorry.

https://www.wired.com/story/ios-android-leaky-apps-cloud/

Good writeup on the Apache Velocity vulnerability.

https://securitylab.github.com/advisories/GHSL-2020-048-apache-velocity

Look, more supply chain problems! Yay! 3,500 pypy packages corrupt, and a tool to discover them.

https://github.com/pypa/pypi-support/issues/923

And finally, a series that begins with DLL Search Order Hijacking, something similar to what I have added to this newsletter before. Worth keeping an eye on.

https://github.com/pypa/pypi-support/issues/923

S

Application Security This Week for February 28

Portswigger published their Top 10 Hacking Techniques for 2020.

https://portswigger.net/research/top-10-web-hacking-techniques-of-2020

Vulnerabilities in malware!

https://malvuln.com/advisory/4932471df98b0e94db076f2b1c0339bd.txt

Github is doubling down on security tools, which I think is awesome.

https://venturebeat.com/2021/02/26/github-cso-pledges-more-security-tools-features-for-developers/amp/

Have a great week!

Application Security This Week for February 21

Microsoft has some guidance for containers using .NET

https://devblogs.microsoft.com/dotnet/staying-safe-with-dotnet-containers/

Another interesting dependency management tool, but this one if for Python!

https://github.com/visma-prodsec/confused

AWS isn't the only cloud that has blob storage permission problems.

https://github.com/cyberark/BlobHunter

Have a good week!

Application Security This Week Valentines Day edition

Apparently I failed to publish last week. Sorry about that.

Rolling shellcode from objects in memory.

https://github.com/paranoidninja/PIC-Get-Privileges

The Swiss say they can break encryption using quantum computing.

https://www.bloomberg.com/amp/news/articles/2021-02-07/a-swiss-company-says-it-found-weakness-that-imperils-encryption?__twitter_impression=true

Remember how everyone has been warning about internet-connected industrial control systems?  Whelp.

https://www.tampabay.com/news/pinellas/2021/02/08/someone-tried-to-poison-oldsmars-water-supply-during-hack-sheriff-says/

Look, more supply chain attacks!

https://thehackernews.com/2021/02/dependency-confusion-supply-chain.html

In related news, I'll be speaking on the topic at the Cincinnati Security Users Group on Thursday

https://www.meetup.com/TechLife-Cincinnati/events/hjjlrryccdbxb/

Oh look!  Another one!  We might have a trend here.

https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/

Application Security This Week for January 31

Using Machine Learning to perfect SQL Injection

https://portswigger.net/daily-swig/machine-learning-offers-fresh-approach-to-tackling-sql-injection-vulnerabilities

And some practical application of that idea

https://research.nccgroup.com/2019/06/05/project-ava-on-the-matter-of-using-machine-learning-for-web-application-security-testing-part-1-understanding-the-basics-and-what-platforms-and-frameworks-are-available/

Didier has a new PDF tool out.  I haven't used it yet but I am certain it is awesome.

https://blog.didierstevens.com/2021/01/31/new-tool-pdftool-py/

OK, this is a weird one.  It appears that threat actors are using project files with built-in vulnerabilities to target the vulnerability researchers themselves, apparently to steal their research.  That's some next level stuff.

https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/amp/

Application Security This Week for January 24th

A very Interesting list of exploitable "features" in PDFs.

https://web-in-security.blogspot.com/2021/01/insecure-features-in-pdfs.html?m=1

There have been a lot of attacks on Azure's authentication system recently - some of which were even in this newsletter.  Sparrow helps you smoke out vulnerable instances.

https://github.com/cisagov/Sparrow/

Didier has been a regular in this newsletter, and he has updated his Strings.py tool to support more encoding. Very cool stuff.

https://blog.didierstevens.com/2021/01/24/update-strings-py-version-0-0-7/

Have your kids test your apps.

https://github.com/linuxmint/cinnamon-screensaver/issues/354

Stay safe out there.

Application Security This Week for January 17

Breakdown of a malicious app that man-in-the-middled the Google Signin.

https://blog.usejournal.com/how-i-stole-the-data-in-millions-of-peoples-google-accounts-aa1b72dcc075

Good Wired article about tools the fibby uses to get around smartphone encryption.

https://www.wired.com/story/smartphone-encryption-law-enforcement-tools/

Oh man, cross-origin images and data leakage.  Certainly adding this to my manual testing.

https://blog.mozilla.org/attack-and-defense/2021/01/11/leaking-silhouettes-of-cross-origin-images/

This has been patched, but a really good explainer on how the RCE in Office 365 was discovered.

https://srcincite.io/blog/2021/01/12/making-clouds-rain-rce-in-office-365.html

Using game hacking to explain the danger of unsigned code.

https://secret.club/2021/01/12/callout.html

Have a great week folks!