Application Security This Week for April 25

A fun tool that finds weak Active Directory passwords and then notifies the affected user.


Signal pwned Cellebrite with pure Moxie.


Sad news: Dan Kaminsky has left us. He was known for his extraordinary research into DNS cache poisoning, but most importantly, he was a great person. He will be missed.



Application Security This Week for April 18

Pwn2Own had some interesting browser vulnerability results:


Reddit (a social network) has started a bug bounty program:

I am user #63 on that site, and the oldest active member who isn't an admin, so I might give it a shot.


A good person wrote a rule list for semgrep that searches for secrets in public repos (or really any code) using some really well-written filters. Check it out:
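
As an added illustration (my code, not the semgrep rules the link points to and not code from the original post), here is a small Python scanner in the same spirit: pattern rules for well-known key formats, plus the two filters that do most of the false-positive cutting in secret scanners, a placeholder filter and a Shannon-entropy threshold on generic credential assignments. The sample source, the rule set, the threshold of 3.5 bits per character and the `AKIA…` value are all constructed for the example; none of the values is a real credential.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed sample source to scan; none of these values is a real credential.
SAMPLE_SOURCE = """\
# constructed sample, not from any real repository
AWS_ACCESS_KEY_ID = "AKIAQ3ZT7L2M9XVB4KPD"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_token = "REPLACE_ME_WITH_REAL_TOKEN"
password = "passwordpassword"
client_secret = "q8Zr2nV7xLp4TkW9sYb3Ed6H"
"""

# Each rule: id, regex whose group 1 is the candidate secret, and whether the
# candidate must also pass the entropy filter. Only the generic rule needs it;
# the AKIA... and ghp_... prefixes are already specific enough on their own.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), False),
    ("github-pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"), False),
    ("generic-credential-assignment",
     re.compile(r"""(?i)(?:secret|token|password|api_?key)\w*\s*[:=]\s*["']([^"']{12,})["']"""),
     True),
]

# Filter 1: values that are obviously placeholders (this also catches the AWS
# documentation example key, which ends in EXAMPLE) are not findings.
PLACEHOLDER = re.compile(r"(?i)example|replace[_-]?me|changeme|xxx+|<[^>]+>|\$\{")


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking secrets score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan(text: str, entropy_threshold: float = 3.5) -> List[Finding]:
    """Run every rule over every line, applying the placeholder and entropy filters."""
    findings = []
    seen = set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule_id, pattern, needs_entropy in RULES:
            for m in pattern.finditer(line):
                value = m.group(1)
                if PLACEHOLDER.search(value):
                    continue
                # Filter 2: low-entropy strings such as repeated words are not secrets.
                if needs_entropy and shannon_entropy(value) < entropy_threshold:
                    continue
                # One finding per (line, value) even if two rules overlap.
                if (line_no, value) in seen:
                    continue
                seen.add((line_no, value))
                findings.append(Finding(rule_id, line_no, value))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"{f.rule}: line {f.line_no}: {f.value}")
```

Run against the sample it reports exactly two lines: the constructed `AKIA` key and the high-entropy `client_secret`. The AWS documentation example key, the `REPLACE_ME` token and `passwordpassword` are all dropped by the filters, which is the point: a secrets rule without filters buries the real hits under placeholders and test fixtures.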


Hope everyone has a secure week!

Application Security This Week for April 11

Surprisingly good article from the BBC about firmware attacks.


Some really interesting code related to the Windows RPC attack.


One of my favorite topics, insecure API endpoints, presented at BSides.


Have a secure week, everyone.

Application Security This Week for March 28

Guess who forgot to do a newsletter last week?


Cool file upload attack that ends in unauthenticated SSH access.


Neat tool to MITM an iOS device. The code is worth a look.


There is a new release of a (new to me) tool to test SAML implementations.


More cool HTTP/2 vulnerabilities exploited.


TLS 1.0 and 1.1 are formally deprecated (RFC 8996). Servers that still negotiate them become High findings on reports now.


Retire.js, one of my favorite tools, has been updated.


And finally, spend your Sunday patching OpenSSL.


Have a secure week, everyone.

Application Security This Week for March 14

Happy pi day!


Missive on the insecurity of C as a programming language.


Regex is easily exploitable for denial-of-service attacks: a pattern with nested quantifiers can backtrack exponentially on a crafted non-matching input (ReDoS).
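
An added example (mine, not from the original post or the linked article) showing the failure mode in Python's backtracking `re` engine. The nested quantifier in `^(a+)+$` makes a non-matching input cost time that roughly doubles with every added character, while the equivalent `^a+$` accepts exactly the same strings in linear time. The patterns, the attack input, the 14-versus-20 character comparison and the length cap in `safe_match` are constructed for the example.

```python
import re
import time

# Constructed patterns: both accept exactly the strings made of one or more
# 'a's, but the first has a nested quantifier and backtracks exponentially
# when the match fails at the end of the input.
VULNERABLE = re.compile(r"^(a+)+$")
SAFE = re.compile(r"^a+$")

# Assumed cap for the defensive wrapper; pick one that fits the field you validate.
MAX_INPUT_LEN = 256


def attack_input(n: int) -> str:
    """n 'a's followed by a character that forces the match to fail at the very end."""
    return "a" * n + "!"


def timed_match(pattern: re.Pattern, text: str):
    """Return (matched, seconds) for one match attempt."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def backtracking_blowup(n_small: int = 14, n_large: int = 20) -> float:
    """How much slower the vulnerable pattern gets for six extra characters.

    Every extra 'a' roughly doubles the number of ways the engine can split the
    run between the inner and outer quantifier, so the expected ratio is ~64.
    """
    _, t_small = timed_match(VULNERABLE, attack_input(n_small))
    _, t_large = timed_match(VULNERABLE, attack_input(n_large))
    return t_large / max(t_small, 1e-9)


def safe_match(text: str, pattern: re.Pattern = SAFE) -> bool:
    """Defensive wrapper: bound the input before handing it to the engine.

    Fails closed: over-long input is rejected rather than evaluated, so even a
    pattern you did not audit cannot be driven into multi-second backtracking.
    """
    if len(text) > MAX_INPUT_LEN:
        return False
    return pattern.match(text) is not None


if __name__ == "__main__":
    for n in (12, 16, 20):
        matched, seconds = timed_match(VULNERABLE, attack_input(n))
        print(f"vulnerable n={n}: matched={matched} in {seconds:.4f}s")
    matched, seconds = timed_match(SAFE, attack_input(20))
    print(f"safe n=20: matched={matched} in {seconds:.6f}s")
    print(f"blowup ratio (n=14 -> n=20): {backtracking_blowup():.0f}x")
```

Two mitigations are shown: rewrite the pattern so no quantifier wraps another quantified group that can match the same characters, and cap input length before the engine ever sees it. The cap is the one that protects you against patterns you did not write.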


It might be too late to register, but Veracode is holding a Capture The Flag competition for students.


Have a secure week.

Application Security This Week for March 7

This is a pop-culture article (from Wired) about why mobile applications can be insecure, but it is well written. It might be behind a paywall for some of you; if so, I'm sorry.


Good writeup on the Apache Velocity vulnerability.


Look, more supply chain problems! Yay! 3,500 PyPI packages corrupt, and a tool to discover them.


And finally, a series that begins with DLL Search Order Hijacking, something similar to what I have added to this newsletter before. Worth keeping an eye on.



Application Security This Week for February 28

PortSwigger published their Top 10 Hacking Techniques for 2020.


Vulnerabilities in malware!


GitHub is doubling down on security tools, which I think is awesome.


Have a great week!

Application Security This Week for February 21

Microsoft has some guidance for containers using .NET.


Another interesting dependency management tool, but this one is for Python!


AWS isn't the only cloud that has blob storage permission problems.


Have a good week!

Application Security This Week Valentine's Day edition

Apparently I failed to publish last week. Sorry about that.


Rolling shellcode from objects in memory.


The Swiss say they can break encryption using quantum computing.


Remember how everyone has been warning about internet-connected industrial control systems? Whelp.


Look, more supply chain attacks!

In related news, I'll be speaking on the topic at the Cincinnati Security Users Group on Thursday.


Oh look!  Another one!  We might have a trend here.



Application Security This Week for January 31

Using machine learning to perfect SQL injection.

And some practical application of that idea.


Didier has a new PDF tool out. I haven't used it yet, but I am certain it is awesome.


OK, this is a weird one. It appears that threat actors are using project files with built-in vulnerabilities to target the vulnerability researchers themselves, apparently to steal their research. That's some next-level stuff.

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.



profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites