Application Security This Week for October 7

Authentication bypass vulnerability in Western Digital My Cloud allows escalation to admin privileges.  Obscure finding, but neat bug.

https://www.securify.nl/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html

 

EIGHTY FIVE findings in latest Adobe Reader patch.

https://www.theregister.co.uk/AMP/2018/10/02/adobe_acrobat_reader_patch/

 

It looks like we might be getting a foothold on the war against malware.

https://www.infosecurity-magazine.com/news/malware-less-common-in-q2-still/

 

And that's the news!

Application Security This Week for September 30

The "Wow, it's been a busy month" edition.

 

Apple took "Adware Doctor" out of the store because it was stealing data.  How did no one notice this?

https://www.infosecurity-magazine.com/news/apple-removes-security-tool/

 

There is a new search engine for researching exploits.

https://sploitus.com/

 

Google open sourced their file upload protection tool.

https://github.com/google/wuffs

 

A cheat sheet for Angular web security.

https://cheatsheets.pragmaticwebsecurity.com/angularowasptop10

 

SharpSploit: a C# post-exploitation library.

https://posts.specterops.io/introducing-sharpsploit-a-c-post-exploitation-library-5c7be5f16c51

 

 

Application Security This Week for September 9

MWR Labs describes use of HTTP Referer headers to execute DNS rebinding attacks on AWS-hosted analytics systems

https://labs.mwrinfosecurity.com/blog/from-http-referer-to-aws-security-credentials/

 

Malicious PowerShell Compiling C# Code on the Fly

https://isc.sans.edu/diary/rss/24072

 

Interesting bug in Chromium

https://bugs.chromium.org/p/chromium/issues/detail?id=881410

 

Holy crap there are a lot of Cisco security patches this month.

https://tools.cisco.com/security/center/publicationListing.x

Application Security This Week for September 2

Mazen Ahmed write an exploit for the new Struts CVE.

https://github.com/mazen160/struts-pwn_CVE-2018-11776

 

Speaking of the CVE program, and MITRE in general, Steve Ragan got a solid scoop on congress planning a revamp.

https://www.csoonline.com/article/3300753/security/congress-pushes-mitre-to-fix-cve-program-suggests-regular-reviews-and-stable-funding.html

 

Secure Ideas started a blog seried on CORS, CSRF, and Clickjacking which is off to a good start

https://blog.secureideas.com/2018/07/three-c-words-of-web-app-security-part-1-cors.html

 

The Fortnite Android app is vulnerable to a really very unique flaw, Man-on-the-disk.  

https://www.theregister.co.uk/AMP/2018/08/29/android_external_storage_man_in_the_disk/

 

Speaking of weird flaws, people have started registering skills on Alexa with phonetically similar names as common commands. It's called Skill Squatting.

https://www.usenix.org/conference/usenixsecurity18/presentation/kumar

 

And that's the news!

Application Security This Week for August 26

Big, big news out of Portswigger this week.  I'm a huge fan of OWASP ZAP, and use it daily, but this is a major uptick in web analysis tools.

A new API for Burp Suite (something ZAP has had for years) https://portswigger.net/blog/burps-new-rest-api

The introduction of 2.0 https://portswigger.net/blog/burp-suite-2-0-beta-now-available

And finally the introduction of Enterprise Edition, which effectively adds scalibility https://portswigger.net/blog/burp-suite-enterprise-edition

Really solid week of announcements.

 

In other news, AppSec consulting hits it out of the park again with advice on securing third-party JavaScript.

https://www.appsecconsulting.com/blog/securing-third-party-javascript

 

A major flaw was found in GhostScript.  If you are parsing document formats like PDF or XPS, get your patch on!

https://www.kb.cert.org/vuls/id/332928

 

Another Struts RCE vulnerability.  "I'm shocked!" said nobody, ever.

https://cwiki.apache.org/confluence/display/WW/S2-057

 

Bitdefender published a whitepaper on the next phase of Android malware, and it is worth a read.

https://www.bitdefender.com/files/News/CaseStudies/study/234/Bitdefender-Whitepaper-Triout-The-Malware-Framework-for-Android-That-Packs-Potent-Spyware-Capabilities.pdf

 

And that's the news!

Application Security this Week for August 19

Trend Micro found a really interesting use-after-free vulnerability in the VBScript engine in IE.  Now, before you giggle, think of all of the companies that have standardized on IE. They are out there. Either way, the finding is cool.

https://blog.trendmicro.com/trendlabs-security-intelligence/use-after-free-uaf-vulnerability-cve-2018-8373-in-vbscript-engine-affects-internet-explorer-to-run-shellcode/

 

Username enumeration bug discovered in OpenSSH of all things.

http://seclists.org/oss-sec/2018/q3/124

 

Ever seen a scanner point out that a site is vulnerable to DNS Rebinding, and wonder what the heck it was talking about?  Yeah me too.  These folks wrote up a framework for it.

https://github.com/nccgroup/singularity

 

Here is a password list sorted by probability. Remember that training course when I said you should check your new passwords against a list of known bad values, because NIST said to? Here ya go. The esteemed Jim Fenton recommends checking against the first 100,000. Neat project.

https://github.com/berzerk0/Probable-Wordlists

Application Security This Week for August 12

Interesting idea - introducing bugs to make software more difficult to attackers to navigate.  Seems risky to me; I would rather see self-reporting software.

https://arxiv.org/pdf/1808.00659.pdf

 

Cloudflare has a really really good writeup on TLS 1.3.

https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/

 

Questionably ethical hacker steals credentials from the Homebrew repo and makes a commit.

https://medium.com/@vesirin/how-i-gained-commit-access-to-homebrew-in-30-minutes-2ae314df03ab

 

Viral tweet thread on the "voatz" software that WVa is planning on using for midterm elections. Vulnerabilityapalooza.

https://twitter.com/GossiTheDog/status/1026603800365330432

 

Portswigger posted a nice primer on cache poisoning.

https://portswigger.net/blog/practical-web-cache-poisoning

Application Security Weekly for August 5

Reddit Breach Highlights Limits of SMS-Based Authentication

https://krebsonsecurity.com/2018/08/reddit-breach-highlights-limits-of-sms-based-authentication/

 

One of my favorite people - Adam Caudill with AppSec Consulting - gives a breakdown of changes to the way Chrome handles HTTPS

https://www.appsecconsulting.com/blog/https-or-be-warned

 

Information disclosure is a thing - stop using Trello as a password manager

https://www.reddit.com/r/security/comments/93n6ln/stop_using_trello_as_a_password_manager_how_to?sort=confidence

 

One of my favorite companies (Duo) has been acquired by Cisco

https://arstechnica.com/information-technology/2018/08/heads-up-2fa-provider-duo-security-to-be-acquired-by-cisco-ugh/

I have been assured that everything is gonna be OK 

 

As nosqlmap has fallen a bit by the wayside, I'm glad to see a new NoSQL scanner show up

https://github.com/torque59/Nosql-Exploitation-Framework

Application Security This Week for July 29

Venmo, a social payment system, defaults to public disclosure of payments made on the system.

https://arstechnica.com/tech-policy/2018/07/venmos-terrible-idea/

 

Scott Simmons has some terriffic advice about using Same-Origin policy as a control for CSRF.

https://www.appsecconsulting.com/blog/using-the-same-origin-policy-to-control-for-cross-site-request-forgery

 

Open redirect flaw in Electron exploites in the new Google Hangouts Chat application.

https://blog.bentkowski.info/2018/07/vulnerability-in-hangouts-chat-aka-how.html?m=1

 

F5 has released their annual Application Protection report.  Worth a read.

https://www.f5.com/labs/articles/threat-intelligence/2018-Application-Protection-Report

 

DOMpurify, a common control for DOM based XSS, has a vulnerability - update if you are using it (you probably are).

http://www.thespanner.co.uk/2018/07/29/bypassing-dompurify-with-mxss/

Application Security This Week for July 22

It has come to my attention that one of Paul Asadoorian's Security Weekly broadcasts is titled Application Security Weekly! I had no idea. It's good too, you should listen.  I caught up with the last few weeks when I drove over to Indianapolis to chat with the Indy Software Artisans meetup.  Anyway, I am changing the title of this recurring series of posts to Application Security This Week because of the mixup.

 

Interesting discussion over at El Reg about the weakest link in software security.

https://www.theregister.co.uk/2018/07/16/who_is_the_weakest_link_in_software_security/

 

Oracle addressed 334 security vulnerabilities in its latest patch series.

https://www.us-cert.gov/ncas/current-activity/2018/07/17/Oracle-Releases-July-2018-Security-Bulletin

 

Shape Security did the math, and 9 out of 10 login attempts on the web are bypass attempts.

http://info.shapesecurity.com/rs/935-ZAM-778/images/Shape_Credential_Spill_Report_2018.pdf?aliId=7269967

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 

PageList

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList