Application Security This Week for October 13

Portswigger has some good research on a new angle for cross-site leak attacks:

https://portswigger.net/research/xs-leak-leaking-ids-using-focus

 

Serverless inftastructures are slipping through the cracks as far as security testing goes.  Here's a new tool for Amazon Lambda - hopefully it leads to more.

https://www.darknet.org.uk/2019/10/lambdaguard-aws-lambda-serverless-security-scanner/

 

Mozilla isolated an interesting RCE bug in iTerm2:

https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit/

 

Eric Lawrence (of Fiddler fame) has a good writeup on Chrome's new direction for cookies:

https://textslashplain.com/2019/09/30/same-site-cookies-by-default/

 

And that's the news.

Application Security This Week for October 6

This is a blog entirely dedicated to security analysis of mobine apps.  No idea who writes it but it is good.

https://theappanalyst.com/

 

Neat writeup on going from SQL Injection to Remote Code Execution.

https://medium.com/bugbountywriteup/sql-injection-to-lfi-to-rce-536bed29a862

 

I've been on a PHP project recently, and I learned about this cool tool to bypass disable_functions.

https://github.com/mm0r1/exploits/tree/master/php7-gc-bypass

 

Speaking of PHP, the statis code analysis tool I learned to use was Exakat.  Steep learning curve but unbelievable reports.  And open source!

https://github.com/exakat/exakat

 

That's the news, folks.

 

Application Security This Week for September 29

The big news of the week is that every iPhone from 1 to X is apparently vulnerable to a bootROM flaw, and it is a hardware problem so Apple can't patch it.  Now, this won't help malware writers fortunately, but it will make it easier to jailbreak your phone, and there are some more sinister uses as well.  Several articles:

https://blog.malwarebytes.com/mac/2019/09/new-ios-exploit-checkm8-allows-permanent-compromise-of-iphones/

https://arstechnica.com/information-technology/2019/09/developer-of-checkm8-explains-why-idevice-jailbreak-exploit-is-a-game-changer/

https://github.com/axi0mX/alloc8

https://github.com/axi0mX/ipwndfu

 

McAfee published a conglomeration of their studies on Cloud security, and as I am sure you can imaging the news isn't good.

https://www.theregister.co.uk/2019/09/24/mcafee_cloud_leak_study/

 

And there was a vulnerability discovered in Cold Fusion, so make sure you patch ... wait people still use Cold Fusion?

https://helpx.adobe.com/security/products/coldfusion/apsb19-47.html

Application Security This Week for September 15

Here's a neat Android reverse engineering game.

https://0x00sec.org/t/reversing-hackex-an-android-game/16243

 

A tool to edit images to have payloads.  Use it t o test and see if your imagine processing components have vulnerabilities!

https://github.com/chinarulezzz/pixload

 

I have been running into HTTP Request Smuggling a lot recently after the new research by PortSwigger.  Here is an interesting writeup.

https://medium.com/@memn0ps/http-request-smuggling-cl-te-7c40e246021c

 

That's the news, folks.

Application Security Weekly for September 8

Only Rails 6.x and 5.2.x are getting security updates.  Plan your development accordingly.

https://rubyonrails.org/security/

Jason Karns was kind enough to pass along this awesome upgrade helper for Rails:

https://blog.testdouble.com/posts/2019-09-03-3-keys-to-upgrading-rails

 

I regularly write apps up for failure to disable autofill, and this article is a good explainer.

https://www.social-engineer.com/disable-autofill-browsers/

 

Bruce has a really good set of reasoning on why there is no difference between "commercial" encryption and "consumer" encryption.

https://www.schneier.com/blog/archives/2019/08/the_myth_of_con.html

 

iOS doesn't get a lot of malware love because it's only 12% of the phone market, but the bad guys realized that 12% has a lot of money, so here are a BOATload of exploits that Google found them.

https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html?m=1

 

I also write folks up for clickjacking a lot, and it is making a comeback.  It's just a header people, add it.

https://nakedsecurity.sophos.com/2019/08/29/web-clickjacking-fraud-makes-a-comeback-thanks-to-javascript-tricks/

 

Some RCE flaws discovered in PHP. Update if you can, mitigate if you can't.

https://thehackernews.com/2019/09/php-programming-language.html?m=1

 

That's the news.  Stay safe.

 

Application Security Weekly for August 25

Chrome is finally starting to defend against clickjacking

https://www.theregister.co.uk/2019/08/19/clickjacking_countermeasures_chrome/

Dan Kaminsky only presented the solution in 2015

https://dankaminsky.com/2015/08/09/defcon-23-lets-end-clickjacking/

 

Facebook is in more access control hot water

https://nakedsecurity.sophos.com/2019/08/19/did-facebook-know-about-view-as-bug-before-2018-breach/

 

THERE IS AN IOS 12.4 JAILBREAK!  Man this made my life easier.

https://thehackernews.com/2019/08/ios-iphone-jailbreak.html?m=1

 

Oh man, a Zigbee toolset.  I've done some of this in C#, but this is WAY cooler

https://www.darknet.org.uk/2019/08/zigdiggity-zigbee-hacking-toolkit/

 

That's the news folks.  Stay safe out there.

Application Security Weekly for August 18

Apache called out for reporting incorrect versions in Struts vulnerabilities

https://www.infosecurity-magazine.com/news/apache-struts-incorrect-security/

 

A new breach at First American Financial, a mortgage company, might have exposed nearly a billion records

https://krebsonsecurity.com/2019/08/sec-investigating-data-leak-at-first-american-financial-corp/

 

Fireeye is using machine learning to grade the severity of vulnerabilities

https://www.fireeye.com/blog/threat-research/2019/08/automated-prioritization-of-software-vulnerabilities.html

 

Netflix and Google discovered a set of DDoS vulnerabilities in HTTP/2

https://www.theregister.co.uk/2019/08/14/http2_flaw_server/

 

Looks like Paige took a lot more than Capital One's stuff

https://www.theregister.co.uk/2019/08/14/capitalone_hacker_court/

 

That's the news!

 

Application Security Weekly for August 11

A researcher found out that you can discover if a user is in incognito mode in Chrome using a timing attack.

https://blog.jse.li/posts/chrome-76-incognito-filesystem-timing/

 

That Microsoft RDP attack we talked about earlier?  Yeah, it works in Azure.

https://thehackernews.com/2019/08/reverse-rdp-windows-hyper-v.html?m=1

 

In unrelated news, Microsoft has launched Azure Security Lab, a safe space to do appsec testing.

https://msrc-blog.microsoft.com/2019/08/05/azure-security-lab-a-new-space-for-azure-research-and-collaboration/

 

A cool bug was discovered in the Electron Framework.

https://www.contextis.com/en/blog/basic-electron-framework-exploitation

 

Frequent readers know that I am no fan of Apple's closed garden when it comes to app testing.  Well, it might be opening a little.  They have enhanced their bug bounty, and more importantly are going to offer quasi-jailbroken phones to researchers.  I'll be in line for that.

https://www.theverge.com/2019/8/8/20756629/apple-iphone-security-research-device-program-vulnerabilities

 

That's the news!

Application Security This Week for August 4

The Capital One breach leads the news this week, for a dozen good reasons.

https://start.jcolemorrison.com/the-technical-side-of-the-capital-one-aws-security-breach/

 

Reeeeeely good writup on Crypto attacks from Checkpoint.  More than just reading the unreadable, ya know.

https://research.checkpoint.com/cryptographic-attacks-a-guide-for-the-perplexed/

 

The Node Package Manager is in the news again, thanks to a huge kerfuffle related to someone injecting malware into a much-used package.  Think before you import, people.

https://harry.garrood.me/blog/malicious-code-in-purescript-npm-installer/

https://medium.com/commitlog/the-internet-is-at-the-mercy-of-a-handful-of-people-73fac4bc5068

 

Credential stuffing attacks are outpacing phishing, sayth Akamai.

https://www.theregister.co.uk/2019/07/31/black_hats_hate_banks_says_akamai/

 

And we are still talking about weakening encryption, of course:

https://www.forbes.com/sites/kalevleetaru/2019/07/26/the-encryption-debate-is-over-dead-at-the-hands-of-facebook/#37320cb05362

 

That's the news, people.  Stay safe.

Facebook, Passport, and the Human Condition

Facebook is under heavy fire for privacy "violations", although they never did anything they didn't explicitly tell users they were going to do. Also, no privacy laws apply to what they did wrong. Also, if the product is free, you are the product. Blah blah. Fact is, in a capitalist society, companies are going to do whatever they can within the constraints of the law to make a buck. If they make enough customers angry, they will eventually lose money, and that is the incentive to stay on the straight and narrow.

Anyway, in case you hadn't heard, there are a lot of things going on here that has raised the ire of Facebook's customer base. For years, I have demoed using the Open Graph API to download either all of the public users on Facebook, or friends of friends private information. Of course, as we all know, Cambridge Analytica used that same API to write a slick little plugin to gather a boatload of information and sell it to political candidates, which influenced elections, and they are kinda important around here, so people got mad. Technically, they did nothing that hasn't been done a hundred times (hell, I have written software that does it) but this time people got mad. So be it.

Then there is the fake news, and the tracking, and watching where you go on the web even if you don't have a Facebook account, and and and you get the idea. Folks got mad. Facebook did the whole mea culpa thing, as one does, and their customer count still goes up. As the time of this writing, they are still the most used application on the planet. Roger that.

Once upon a time

Let's get in the wayback machine. No, not Brewster Kahle's WayBack Machine, just an imaginary one. In 2002, I was at TechEd signing the newly minted Professional Visual Basic.NET book, and trying to keep up with the Wrox contingent (news flash: Brits can drink.) In the evenings, I was working on an article about the second incarnation of Microsoft Passport. The original version was a try at what is now Active Directory Federated Services, but this version was a wholistic internet identity. It would track your calendar, your credit cards, your contact list, your email, everything, and help you out. If you bought plane tickets, it would have your Visa at the ready, and automatically add flight to your calendar. If your kids emailed to tell you they needed cupcakes for the bake sale, BANG, on the shopping list.

But … there was a problem. The user base went shitfuck. Some of the comments I remember were "I'll sooner throw my computer in the river than give Microsoft access to my calendar and credit cards" and "Are you saying they will look at our email and change our data without asking first" and "The day will never come that I will let Microsoft log me into my bank".

Yeah.

Anyway, if you of a certain age, and I told you the names of the people what wrote those things, you would instantly recognize them, I promise you. Me, I thought Passport was pretty neat. Not many other people thought it was neat. Court cases were filed. People quit Microsoft jobs (really!) over this. It was a disaster.

Fast forward

So here we are today. Facebook is under fire for using the data that people gave them freely to buy Mark more fast cars and hot women and blow, and people are mad. Meanwhile, they are logging into American Airlines, using their stored credentials, and their saved credit card info, and the email from American automatically adds the flight to their Google calendar.

Suffice it to say, in 15 years we'll be having this same, exact conversation about some other technology, maybe facial recognition and brain scanning or something. I dunno. William Gibson probably does. Either way, Facebook has breached the front. In not too long, the user base will have gotten used to it, and whatever is after Facebook will sell our data with impunity.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList