Application Security This Week for April 25

A fun tool that finds weak Active Directory passwords, and then notifies the user.

https://github.com/AdrianVollmer/Crack-O-Matic

Signal pwned Cellebrite with pure Moxie.

https://signal.org/blog/cellebrite-vulnerabilities/

Sad news, Dan Kaminsky has left us.  He was known for his extraordinary research into DNS cache poisoning, but most importantly, he was a great person. He will be missed.

https://en.wikipedia.org/wiki/Dan_Kaminsky


Application Security This Week for April 18

Pwn2Own had some interesting browser vulnerability results:

https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results

Reddit (A social network) has started a bug bounty program:

https://www.reddit.com/r/redditsecurity/comments/mqse9a/announcing_reddits_public_bug_bounty_program/?sort=qa

I am user #63 on that site, and the oldest active member who isn't an admin, so I might give it a shot.

A good person wrote a list for semgrep that searches for secrets in public repos (or really any code) using some really well written filters.  Check it out:

https://r2c.dev/blog/2021/dont-leak-your-secrets/

Hope everyone has a secure week!

Application Security This Week for April 11

Surprisingly good article from the BBC about firmware attacks.

https://www.bbc.com/news/business-56671419

Some really interesting code related to the Windows RPC attack.

https://iamelli0t.github.io/2021/04/10/RPC-Bypass-CFG.html

One of my favorite topics - insecure API endpoints - presented at BSides.

https://blog.assetnote.io/2021/04/05/contextual-content-discovery/

Have a secure week, everyone.

Application Security This Week for March 28

Guess who forgot to do a newsletter last week?

Cool file upload attack to get access to SSH unauthenticated.

https://blog.fadyothman.com/cve-2021-28379-gaining-rce-via-ssh-backdoor-in-vestacp/

Neat tool to MITM an iOS device.  The code is worth a look.

https://github.com/doronz88/harlogger

There is a new release of a (new to me) tool to test SAML implementations.

https://blog.compass-security.com/2021/03/saml-raider-release-1-4-0/

More cool HTTP2 vulnerabilities exploited.

https://blog.assetnote.io/2021/03/18/h2c-smuggling/

TLS 1.0 and 1.1 are formally deprecated.  These become High findings on reports now.

https://datatracker.ietf.org/doc/rfc8996/

Retire.js, one of my favorite tools, has been updated.

https://retirejs.github.io/retire.js/

And finally, spend your Sunday patching OpenSSL.

https://thehackernews.com/2021/03/openssl-releases-patches-for-2-high.html

Have a secure week, everyone.

Application Security This Week for March 14

Happy pi day!

Missive on the insecurity of C as a programming language.

https://daniel.haxx.se/blog/2021/03/09/half-of-curls-vulnerabilities-are-c-mistakes/

Regex is easily exploitable for denial of service attacks.

https://blog.doyensec.com/2021/03/11/regexploit.html

It might be too late to register, but Veracode is holding a Capture The Flag competition for students.

https://www.veracode.com/events/hacker-games

Have a secure week.

Application Security This Week for March 7

This is a pop culture article about why mobile applications can be insecure (from Wired), but it is well written. It might be behind a paywall for some of you; if so, I'm sorry.

https://www.wired.com/story/ios-android-leaky-apps-cloud/

Good writeup on the Apache Velocity vulnerability.

https://securitylab.github.com/advisories/GHSL-2020-048-apache-velocity

Look, more supply chain problems! Yay! 3,500 PyPI packages corrupt, and a tool to discover them.

https://github.com/pypa/pypi-support/issues/923

And finally, a series that begins with DLL Search Order Hijacking, something similar to what I have added to this newsletter before. Worth keeping an eye on.

https://github.com/pypa/pypi-support/issues/923


Application Security This Week for February 28

Portswigger published their Top 10 Hacking Techniques for 2020.

https://portswigger.net/research/top-10-web-hacking-techniques-of-2020

Vulnerabilities in malware!

https://malvuln.com/advisory/4932471df98b0e94db076f2b1c0339bd.txt

Github is doubling down on security tools, which I think is awesome.

https://venturebeat.com/2021/02/26/github-cso-pledges-more-security-tools-features-for-developers/amp/

Have a great week!

Application Security This Week for February 21

Microsoft has some guidance for containers using .NET.

https://devblogs.microsoft.com/dotnet/staying-safe-with-dotnet-containers/

Another interesting dependency management tool, but this one is for Python!

https://github.com/visma-prodsec/confused

AWS isn't the only cloud that has blob storage permission problems.

https://github.com/cyberark/BlobHunter

Have a good week!

Application Security This Week Valentine's Day edition

Apparently I failed to publish last week. Sorry about that.

Rolling shellcode from objects in memory.

https://github.com/paranoidninja/PIC-Get-Privileges

The Swiss say they can break encryption using quantum computing.

https://www.bloomberg.com/amp/news/articles/2021-02-07/a-swiss-company-says-it-found-weakness-that-imperils-encryption?__twitter_impression=true

Remember how everyone has been warning about internet-connected industrial control systems?  Whelp.

https://www.tampabay.com/news/pinellas/2021/02/08/someone-tried-to-poison-oldsmars-water-supply-during-hack-sheriff-says/

Look, more supply chain attacks!

https://thehackernews.com/2021/02/dependency-confusion-supply-chain.html

In related news, I'll be speaking on the topic at the Cincinnati Security Users Group on Thursday.

https://www.meetup.com/TechLife-Cincinnati/events/hjjlrryccdbxb/

Oh look!  Another one!  We might have a trend here.

https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/

Application Security This Week for January 31

Using Machine Learning to perfect SQL Injection.

https://portswigger.net/daily-swig/machine-learning-offers-fresh-approach-to-tackling-sql-injection-vulnerabilities

And some practical application of that idea.

https://research.nccgroup.com/2019/06/05/project-ava-on-the-matter-of-using-machine-learning-for-web-application-security-testing-part-1-understanding-the-basics-and-what-platforms-and-frameworks-are-available/

Didier has a new PDF tool out.  I haven't used it yet but I am certain it is awesome.

https://blog.didierstevens.com/2021/01/31/new-tool-pdftool-py/

OK, this is a weird one.  It appears that threat actors are using project files with built-in vulnerabilities to target the vulnerability researchers themselves, apparently to steal their research.  That's some next level stuff.

https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/amp/

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.