Application Security This Week for October 18

Great explainer on using OWASP ZAP, instead of DotDotPwn, for directory traversal attacks.  I haven't used it yet but it looks really promising.

https://diegogiacomelli.com.br/owasp-zap-path-traversal-and-asp-dotnet-notes/

 

Wanna write Burp extensions? Me too! Here's some good tools.

https://github.com/doyensec/burpdeveltraining

 

Man, I'm doing a lot with Docker container security.  This is a good breakdown.

https://cloudberry.engineering/article/dockerfile-security-best-practices/

 

That's the news folks.  Hope you are all doing well.

 

Application Security This Week for October 11

Totally forgot to do this last week, sorry.

 

Telerik released Fiddler Everywhere

https://www.telerik.com/fiddler

 

Github has added code scanning

https://github.blog/2020-09-30-code-scanning-is-now-available/

 

Another example of what I am admittedly harping on too much - the power of HTTP Smuggling

https://medium.com/@ricardoiramar/the-powerful-http-request-smuggling-af208fafa142

 

Here's a cool intro to  manual static vulnerable analysis by Will Butler

https://btlr.dev/blog/how-to-find-vulnerabilities-in-code-bad-words

 

Some basics of securing APIs

https://dev.to/bearer/api-security-best-practices-3gjl

 

Have a good week, everyone!

Application Security This Week for September 27

A list of Capture The Flags that are on now or forever!

https://captf.com/practice-ctf/

 

The source code to XP was leaked.  This isn't a surprise, extended support gives folks access to it.  It was bound to get out.

https://thehackernews.com/2020/09/windows-xp-source-code.html

What's funny is the comments though:

https://pastebin.com/PTLeWhc2

 

The EFF is reporting on the very real problem of student contact tracing apps violating privacy considerations.  Balance has to be found.

https://www.eff.org/deeplinks/2020/09/students-are-pushing-back-against-proctoring-surveillance-apps

 

That's the news, folks.  Stay safe.

Application Security This Week for September 20

Microsoft open sourced their fuzzing framework

https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/

 

Not new but certain worth a read - how HTTPS works

https://howhttps.works/

 

Ming Chow - a buddy of mine and did a fantastic online course on packet analysis, that includes a nod to your humble author (around minute 58)

https://www.youtube.com/watch?v=Lj2DaFLRQVI&feature=youtu.be

 

Stay safe out there.

 

Application Security This Week for September 13

Or Maypril 319 but who is counting.

 

Here's an OLD Visual Studio project that gets AES keys from running applications.  Seems to still work!

https://github.com/mmozeiko/aes-finder

 

 Another writeup on my current favorite bug, HTTP Request Smuggling.

https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c

 

Via Matt Groves, this tool tests CouchBase databases for injection.  Pretty slick.

https://github.com/FSecureLABS/N1QLMap

 

Neat article on using Fuzzilli to fuzz JavaScript engines using an intermediate language.

https://blog.doyensec.com/2020/09/09/fuzzilli-jerryscript.html

 

Cool breakdown on using Mobile Device Management to get RCE on devices.

https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html?m=1

 

That's the news folks.  Stay safe.

Application Security This Week for September 6

Cool 10,000 foot overview of web application vulnerability assessment.  Clearly written and concise.

https://www.codementor.io/@seanhiggins550/the-ins-and-outs-of-penetration-testing-for-web-apps-19jhhqsexo

 

A really well thought through attack on HTML sanitizers.

https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/

 

El Reg has a good article on spear-phishing developers to get access to back end tools.  This is why the vulnerability analysts tell you to decommission old test systems.

https://www.theregister.com/2020/09/04/disclosure_developer_targeting/

 

Nice into to blind SQL injection.

http://www.mannulinux.org/2020/09/sql-injection-filter-bypass-to-perform.html?m=1

 

That's the news, folks.  Have a good Labor Day!

Application Security This Week for August 30

Monsoon is a fast HTTP request enumerator that allows you to run a large number of tests to try out potential findings.

https://github.com/RedTeamPentesting/monsoon

 

Python devs: Don't run the executable in your downloads folder! Python isn't designed for that and there are vulnerabilities.

https://glyph.twistedmatrix.com/2020/08/never-run-python-in-your-downloads-folder.html

 

A really fantastic list of Android security resources.

https://github.com/ashishb/android-security-awesome

 

That's the latest, folks! Have a great week.

Appliocation Security This Week for August 23

Update Jenkins - there is a flaw in the HTTP renderer.

https://www.jenkins.io/security/advisory/2020-08-17/

https://thehackernews.com/2020/08/jenkins-server-vulnerability.html

 

Pretty cool article about attacking the MS Exchange web interface

https://swarm.ptsecurity.com/attacking-ms-exchange-web-interfaces/

 

Don't usually talk locksport here but it's a slow news week and this is pretty cool - creating a key based on the sound of the original entering the lock.

https://cacm.acm.org/news/246744-picking-locks-with-audio-technology/fulltext

 

That's the news!

Application Security This Week for August 16

Microsoft pushed a change to ASP.NET for a DoS vulnerability.  Not only should you patch, but looking at the change control is worth your time.

https://github.com/aspnet/Announcements/issues/431

 

Speaking of .NET, Adam Chester has an awesome article about the debugger that is worth a look.

https://blog.xpnsec.com/debugging-into-net/

 

Sonatype has their annual report on the Software Supply Chain ready, which is a topic near and dear to my heart. You have to give them your email, but it is worth it.

https://www.sonatype.com/2020ssc

I spoke to the .NET Dev Group in Columbus about this topic in March and it got a little spicy.

https://www.youtube.com/watch?v=KWt0Brcc2Ag

 

 Finally, here is another good analysis paper on the application security development lifecycle.

https://www.veracode.com/sites/default/files/pdf/resources/surveyreports/esg-modern-application-development-security-veracode-survey-report.pdf

 

Stay safe and well.

S

Application Security This Week for August 9

The new Open Source Security Foundation is trying to broaden the reach of information security best practice.

https://github.com/ossf

 

Four new variants of HTTP Request Smuggling were published, and they are pretty cool.

https://thehackernews.com/2020/08/http-request-smuggling.html

 

A really cool XMLK External Entity flaw was used to get RCE in the latest Pwn2Own competition.

http://muffsec.com/blog/?p=608

 

That's the news, folks.

S

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList