Great explainer on using OWASP ZAP, instead of DotDotPwn, for directory traversal attacks. I haven't used it yet but it looks really promising.
https://diegogiacomelli.com.br/owasp-zap-path-traversal-and-asp-dotnet-notes/
Wanna write Burp extensions? Me too! Here's some good tools.
https://github.com/doyensec/burpdeveltraining
Man, I'm doing a lot with Docker container security. This is a good breakdown.
https://cloudberry.engineering/article/dockerfile-security-best-practices/
That's the news folks. Hope you are all doing well.
Totally forgot to do this last week, sorry.
Telerik released Fiddler Everywhere
https://www.telerik.com/fiddler
Github has added code scanning
https://github.blog/2020-09-30-code-scanning-is-now-available/
Another example of what I am admittedly harping on too much - the power of HTTP Smuggling
https://medium.com/@ricardoiramar/the-powerful-http-request-smuggling-af208fafa142
Here's a cool intro to manual static vulnerable analysis by Will Butler
https://btlr.dev/blog/how-to-find-vulnerabilities-in-code-bad-words
Some basics of securing APIs
https://dev.to/bearer/api-security-best-practices-3gjl
Have a good week, everyone!
A list of Capture The Flags that are on now or forever!
https://captf.com/practice-ctf/
The source code to XP was leaked. This isn't a surprise, extended support gives folks access to it. It was bound to get out.
https://thehackernews.com/2020/09/windows-xp-source-code.html
What's funny is the comments though:
https://pastebin.com/PTLeWhc2
The EFF is reporting on the very real problem of student contact tracing apps violating privacy considerations. Balance has to be found.
https://www.eff.org/deeplinks/2020/09/students-are-pushing-back-against-proctoring-surveillance-apps
That's the news, folks. Stay safe.
Microsoft open sourced their fuzzing framework
https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/
Not new but certain worth a read - how HTTPS works
https://howhttps.works/
Ming Chow - a buddy of mine and did a fantastic online course on packet analysis, that includes a nod to your humble author (around minute 58)
https://www.youtube.com/watch?v=Lj2DaFLRQVI&feature=youtu.be
Stay safe out there.
Or Maypril 319 but who is counting.
Here's an OLD Visual Studio project that gets AES keys from running applications. Seems to still work!
https://github.com/mmozeiko/aes-finder
Another writeup on my current favorite bug, HTTP Request Smuggling.
https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c
Via Matt Groves, this tool tests CouchBase databases for injection. Pretty slick.
https://github.com/FSecureLABS/N1QLMap
Neat article on using Fuzzilli to fuzz JavaScript engines using an intermediate language.
https://blog.doyensec.com/2020/09/09/fuzzilli-jerryscript.html
Cool breakdown on using Mobile Device Management to get RCE on devices.
https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html?m=1
That's the news folks. Stay safe.
Cool 10,000 foot overview of web application vulnerability assessment. Clearly written and concise.
https://www.codementor.io/@seanhiggins550/the-ins-and-outs-of-penetration-testing-for-web-apps-19jhhqsexo
A really well thought through attack on HTML sanitizers.
https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/
El Reg has a good article on spear-phishing developers to get access to back end tools. This is why the vulnerability analysts tell you to decommission old test systems.
https://www.theregister.com/2020/09/04/disclosure_developer_targeting/
Nice into to blind SQL injection.
http://www.mannulinux.org/2020/09/sql-injection-filter-bypass-to-perform.html?m=1
That's the news, folks. Have a good Labor Day!
Monsoon is a fast HTTP request enumerator that allows you to run a large number of tests to try out potential findings.
https://github.com/RedTeamPentesting/monsoon
Python devs: Don't run the executable in your downloads folder! Python isn't designed for that and there are vulnerabilities.
https://glyph.twistedmatrix.com/2020/08/never-run-python-in-your-downloads-folder.html
A really fantastic list of Android security resources.
https://github.com/ashishb/android-security-awesome
That's the latest, folks! Have a great week.
Update Jenkins - there is a flaw in the HTTP renderer.
https://www.jenkins.io/security/advisory/2020-08-17/
https://thehackernews.com/2020/08/jenkins-server-vulnerability.html
Pretty cool article about attacking the MS Exchange web interface
https://swarm.ptsecurity.com/attacking-ms-exchange-web-interfaces/
Don't usually talk locksport here but it's a slow news week and this is pretty cool - creating a key based on the sound of the original entering the lock.
https://cacm.acm.org/news/246744-picking-locks-with-audio-technology/fulltext
That's the news!
Microsoft pushed a change to ASP.NET for a DoS vulnerability. Not only should you patch, but looking at the change control is worth your time.
https://github.com/aspnet/Announcements/issues/431
Speaking of .NET, Adam Chester has an awesome article about the debugger that is worth a look.
https://blog.xpnsec.com/debugging-into-net/
Sonatype has their annual report on the Software Supply Chain ready, which is a topic near and dear to my heart. You have to give them your email, but it is worth it.
https://www.sonatype.com/2020ssc
I spoke to the .NET Dev Group in Columbus about this topic in March and it got a little spicy.
https://www.youtube.com/watch?v=KWt0Brcc2Ag
Finally, here is another good analysis paper on the application security development lifecycle.
https://www.veracode.com/sites/default/files/pdf/resources/surveyreports/esg-modern-application-development-security-veracode-survey-report.pdf
Stay safe and well.
S
The new Open Source Security Foundation is trying to broaden the reach of information security best practice.
https://github.com/ossf
Four new variants of HTTP Request Smuggling were published, and they are pretty cool.
https://thehackernews.com/2020/08/http-request-smuggling.html
A really cool XMLK External Entity flaw was used to get RCE in the latest Pwn2Own competition.
http://muffsec.com/blog/?p=608
That's the news, folks.
S