Application Security This Week for November 22

Troy Hunt has another one of his awesome data breach breakdowns.  Lots to be learned here.

Troy Hunt: Inside the Cit0Day Breach Collection

Awesome paper on unwanted app distribution on Android.

2010.10088.pdf (arxiv.org)

In the information disclosure department, we have a Go project that searches for URLs exposed by shortener services like bit.ly.

utkusen/urlhunter: a recon tool that allows searching on URLs that are exposed via shortener services (github.com)

Have a great Thanksgiving!

Application Security This Week for November 15

PortSwigger has a really nice new Burp Suite release, for both Community and Professional editions - update now!

https://portswigger.net/burp/releases/professional-community-2020-11

OWASP ZAP has a fantastic new plugin to help test SPAs and the like.

https://www.zaproxy.org/docs/desktop/addons/ajax-spider/options/

Everything old is new again.  DNS Cache Poisoning is back.

https://arstechnica.com/information-technology/2020/11/researchers-find-way-to-revive-kaminskys-2008-dns-cache-poisoning-attack/

That's the news!

Application Security This Week for November 8

Compass Security built a really nice Burp plugin that helps with the reporting of findings by copying the request and response pair from various tools.

https://blog.compass-security.com/2020/10/burp-extension-copy-request-response/

Container Security is all the rage.  Here is a good primer.

https://cloudberry.engineering/article/practical-introduction-container-security/

Random vulnerability names ... so hawt right now.

https://www.theregister.com/2020/11/03/cert_bug_names/

One of the Big 4 consulting/audit firms helpfully built a "test your Hacker IQ" quiz that exposes the DB username and password.

https://www.theregister.com/2020/11/05/deloitte_hacker_test/

I have written in this humble publication many times about my disdain for cryptic TLS vulnerabilities (pun intended), and now Let's Encrypt is going to cut off 30% of Android devices.

https://letsencrypt.org/2020/11/06/own-two-feet.html

That's the news, folks.

Application Security This Week for November 1

Not a lot going on this week.  Almost as if everyone has something else to think about.

Get your debugger on.  Good two-parter on getting your feet wet with a little close-to-the-metal code.

https://www.moritz.systems/blog/how-debuggers-work-getting-and-setting-x86-registers-part-1/

For the bounty hunters - Harvard published a guide to the legal risks involved in bug hunting.

https://clinic.cyber.harvard.edu/2020/10/30/cyberlaw-clinic-and-eff-publish-guide-to-legal-risks-of-security-research/

Writing Go code? Here's a new fuzzer for your Go apps.

https://adalogics.com/blog/getting-started-with-go-fuzz

That's the news, folks. Have a great week!

Application Security This Week for October 25

Microsoft has created the Adversarial ML Threat Matrix. If you are in Machine Learning, it is certainly worth a look.

https://www.microsoft.com/security/blog/2020/10/22/cyberattacks-against-machine-learning-systems-are-more-common-than-you-think/

Fuzzilli is a JavaScript engine fuzzing library that allows you to write fuzzing patterns in a custom interpreted language to generate errors, find injection points, and do other useful things.

https://www.darknet.org.uk/2020/10/fuzzilli-javascript-engine-fuzzing-library/

Hijacking DNS is one of my biggest worries because it slips between the cracks of appsec and devops.

https://github.com/SuperFola/DoNotSend

FinalRecon is a recently updated web recon tool. I haven't tried it yet but I'm gonna.

https://github.com/thewhiteh4t/FinalRecon

Good writeup on the recent RCE bug patched in Discord.

https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1

CORS is new(ish), and this is a great breakdown of attacking it that starts from the fundamentals rather than from tooling.

https://medium.com/bugbountywriteup/hacking-http-cors-from-inside-out-512cb125c528

Have a great week everyone.

Application Security This Week for October 18

Great explainer on using OWASP ZAP, instead of DotDotPwn, for directory traversal attacks.  I haven't used it yet but it looks really promising.

https://diegogiacomelli.com.br/owasp-zap-path-traversal-and-asp-dotnet-notes/

Wanna write Burp extensions? Me too! Here are some good tools.

https://github.com/doyensec/burpdeveltraining

Man, I'm doing a lot with Docker container security.  This is a good breakdown.

https://cloudberry.engineering/article/dockerfile-security-best-practices/

That's the news, folks.  Hope you are all doing well.

Application Security This Week for October 11

Totally forgot to do this last week, sorry.

Telerik released Fiddler Everywhere.

https://www.telerik.com/fiddler

GitHub has added code scanning.

https://github.blog/2020-09-30-code-scanning-is-now-available/

Another example of what I am admittedly harping on too much - the power of HTTP Request Smuggling.

https://medium.com/@ricardoiramar/the-powerful-http-request-smuggling-af208fafa142

Here's a cool intro to manual static vulnerability analysis by Will Butler.

https://btlr.dev/blog/how-to-find-vulnerabilities-in-code-bad-words

Some basics of securing APIs.

https://dev.to/bearer/api-security-best-practices-3gjl

Have a good week, everyone!

Application Security This Week for September 27

A list of Capture The Flag events that are running right now or are permanently available!

https://captf.com/practice-ctf/

The source code to XP was leaked.  This isn't a surprise; extended support gives folks access to it.  It was bound to get out.

https://thehackernews.com/2020/09/windows-xp-source-code.html

What's funny, though, is the comments:

https://pastebin.com/PTLeWhc2

The EFF is reporting on the very real problem of student contact tracing apps violating privacy considerations.  Balance has to be found.

https://www.eff.org/deeplinks/2020/09/students-are-pushing-back-against-proctoring-surveillance-apps

That's the news, folks.  Stay safe.

Application Security This Week for September 20

Microsoft open-sourced its fuzzing framework, OneFuzz.

https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/

Not new, but certainly worth a read: how HTTPS works.

https://howhttps.works/

Ming Chow, a buddy of mine, did a fantastic online course on packet analysis that includes a nod to your humble author (around minute 58).

https://www.youtube.com/watch?v=Lj2DaFLRQVI&feature=youtu.be

Stay safe out there.

Application Security This Week for September 13

Or Maypril 319, but who's counting.

Here's an OLD Visual Studio project that gets AES keys from running applications.  Seems to still work!

https://github.com/mmozeiko/aes-finder

Another writeup on my current favorite bug, HTTP Request Smuggling.

https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c

Via Matt Groves, this tool tests Couchbase databases for N1QL injection.  Pretty slick.

https://github.com/FSecureLABS/N1QLMap

Neat article on using Fuzzilli to fuzz JavaScript engines using an intermediate language.

https://blog.doyensec.com/2020/09/09/fuzzilli-jerryscript.html

Cool breakdown on using Mobile Device Management to get RCE on devices.

https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html?m=1

That's the news, folks.  Stay safe.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
