Application Security This Week for February 21

Microsoft has some guidance for containers using .NET

https://devblogs.microsoft.com/dotnet/staying-safe-with-dotnet-containers/

 

Another interesting dependency management tool, but this one if for Python!

https://github.com/visma-prodsec/confused

 

AWS isn't the only cloud that has blob storage permission problems.

https://github.com/cyberark/BlobHunter

 

Have a good week!

Application Security This Week Valentines Day edition

Apparently I failed to publish last week. Sorry about that.

 

Rolling shellcode from objects in memory.

https://github.com/paranoidninja/PIC-Get-Privileges

 

The Swiss say they can break encryption using quantum computing.

https://www.bloomberg.com/amp/news/articles/2021-02-07/a-swiss-company-says-it-found-weakness-that-imperils-encryption?__twitter_impression=true

 

Remember how everyone has been warning about internet-connected industrial control systems?  Whelp.

https://www.tampabay.com/news/pinellas/2021/02/08/someone-tried-to-poison-oldsmars-water-supply-during-hack-sheriff-says/

 

Look, more supply chain attacks!

https://thehackernews.com/2021/02/dependency-confusion-supply-chain.html

In related news, I'll be speaking on the topic at the Cincinnati Security Users Group on Thursday

https://www.meetup.com/TechLife-Cincinnati/events/hjjlrryccdbxb/

 

Oh look!  Another one!  We might have a trend here.

https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/

 

 

Application Security This Week for January 31

Using Machine Learning to perfect SQL Injection

https://portswigger.net/daily-swig/machine-learning-offers-fresh-approach-to-tackling-sql-injection-vulnerabilities

And some practical application of that idea

https://research.nccgroup.com/2019/06/05/project-ava-on-the-matter-of-using-machine-learning-for-web-application-security-testing-part-1-understanding-the-basics-and-what-platforms-and-frameworks-are-available/

 

Didier has a new PDF tool out.  I haven't used it yet but I am certain it is awesome.

https://blog.didierstevens.com/2021/01/31/new-tool-pdftool-py/

 

OK, this is a weird one.  It appears that threat actors are using project files with built-in vulnerabilities to target the vulnerability researchers themselves, apparently to steal their research.  That's some next level stuff.

https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/amp/

Application Security This Week for January 24th

A very Interesting list of exploitable "features" in PDFs.

https://web-in-security.blogspot.com/2021/01/insecure-features-in-pdfs.html?m=1

 

There have been a lot of attacks on Azure's authentication system recently - some of which were even in this newsletter.  Sparrow helps you smoke out vulnerable instances.

https://github.com/cisagov/Sparrow/

 

Didier has been a regular in this newsletter, and he has updated his Strings.py tool to support more encoding. Very cool stuff.

https://blog.didierstevens.com/2021/01/24/update-strings-py-version-0-0-7/

 

Have your kids test your apps.

https://github.com/linuxmint/cinnamon-screensaver/issues/354

 

Stay safe out there.

Application Security This Week for January 17

Breakdown of a malicious app that man-in-the-middled the Google Signin.

https://blog.usejournal.com/how-i-stole-the-data-in-millions-of-peoples-google-accounts-aa1b72dcc075

 

Good Wired article about tools the fibby uses to get around smartphone encryption.

https://www.wired.com/story/smartphone-encryption-law-enforcement-tools/

 

Oh man, cross-origin images and data leakage.  Certainly adding this to my manual testing.

https://blog.mozilla.org/attack-and-defense/2021/01/11/leaking-silhouettes-of-cross-origin-images/

 

This has been patched, but a really good explainer on how the RCE in Office 365 was discovered.

https://srcincite.io/blog/2021/01/12/making-clouds-rain-rce-in-office-365.html

 

Using game hacking to explain the danger of unsigned code.

https://secret.club/2021/01/12/callout.html

 

Have a great week folks!

Application Security This Week for January 10

Hey, welcome back from holidays.  Quite a week it has been.

 

Portswigger has a really good writeup of OAUTH 2 vulnerabilities.

https://portswigger.net/web-security/oauth

 

This isn't so much appsec, but it is really interesting code that hacks a game - Cyberpunk 2077 minigame resolver.

https://github.com/nicolas-siplis/cyberpwned

 

SolarWinds just keeps on giving.

https://kb.cert.org/vuls/id/843464

 

Keep on keeping on, folks.

Application Security This Week for December 20

So, hey, yeah, how are all of you.  Clearly SolarWinds has completely overwhelmed the news this week, so I have a couple of notes about that. To those of you who are having to deal with this, I am with you in spirit. Doing what I can here from The Bunker to help you out.

 

Here was my first indication there was a problem, I believe.  It's pretty old news now.

https://thehackernews.com/2020/12/new-evidence-suggests-solarwinds.html

I spoke about Supply Chain problems at the Central Ohio .NET Developer's group in March.  Oddly timed.

https://www.youtube.com/watch?v=KWt0Brcc2Ag

MicroSolved has a good writeup you should read.

https://media.microsolved.com/SolarWindsBrief.pdf

This is Microsoft's breakdown on DLL Injection.  For the record, I attended a BoF session on this at DefCon 15(!) and everyone I talked to blew it off.  Guess not.

https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

 

Some other news, thank goodness.

 

Github is gonna ban passwords.

https://www.theregister.com/2020/12/17/github_bans_passwords/

 

The NSA finally figured out that authentication systems are under attack.

https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2451159/nsa-cybersecurity-advisory-malicious-actors-abuse-authentication-mechanisms-to/

 

And finally, a short article about memcpy. 

https://r2c.dev/blog/2020/when-devsecops-goes-wrong-a-short-lesson-from-huaweis-source-code/

 

That's the news, folks, have a great holiday and end-of-year. May your systems be secure and your code be frozen.

 

Application Security This Week for December 13

There is a potential new addition to DNS security, which is sorely needed.

https://blog.cloudflare.com/oblivious-dns/

 

A good writeup on discovery of a Facebook vulnerability.

https://alaa0x2.medium.com/how-i-hacked-facebook-part-one-282bbb125a5d

 

I am not in favor of brigading FireEye, and if you are I'll fight you.  That said, the analysis of the stolen tools is very enlightening.

https://www.picussecurity.com/resource/blog/techniques-tactics-procedures-utilized-by-fireeye-red-team-tools

 

That's the news, folks.  Stay safe.

 

The Trouble With Teaching Secure Coding

Once a week or so, someone calls and asks for OWASP Top 10 testing.  I have to make the call on the spot weather or not to explain that isn't what they want, or say "Sure!" and then give them actually what they need, or have a larger scale meeting to see where their appsec maturity is, and base training on that.  Usually it is the third.

The problem is, app security is hard to teach, and frankly many shops need secure coding training, which is even harder.  Let's break down why that is the case.

OWASP Training yes, OWASP Top 10 training, no

 OWASP is a great organization.  For those unfamiliar, it is a global nonprofit with the mission of evangelizing application security to developers.  It has it's political problems sure, but in general it solves a very hard problem with grace and clarity.

One of the most famous products to come out of OWASP is the Top 10.  This list is the most risky vulnerabilities discovered by member organizations, ranked.  It is a useful.  Useful for printing out, rolling up, and smacking your CIO with until you get a security budget. 

The OWASP Top 10 is not an application security plan.  It is also not a training curriculum.  It is a marketing vehicle, and a remarkably effective one. Use it for that and you are golden.  Try and do an OWASP Top 10 training, and you are performing a disservice.

This discussion doesn't go over well with most.  Everyone wants a magic bullet for application security, but there just isn't one.

Sorry.

The plan is simply to do three things:

1) Teach the developers to recognize security flaws.

2) Teach the developers to repair the security flaws.

3) Give the developers tools to prevent security flaws from ever making it in the code.

Let's count 'em down.

When you need to learn how to test apps

 Let's be straight here.  The only way to make applications more secure is to code them securely.  Okay pokey? Good, that's settled.

Now.  There are a few things that need to happen first, and therein lies the rub.  CIOs and Dev Leads want to drop a process in place that will secure their code.  Then I stop by, put '; in their website search field, blow the whole thing up, and get the O face from the team. First, we need to show developers what the attacks are, and how to check for them.

The issue among the high level development security instructors is that they are so far along in their personal skill set that they wanna talk about indepth output encoding for style sheets, without realizing that many developers are still wondering what the other site is in Cross-Site Scripting anyway? I get it. I do.  But we gotta judge that audience, and it's rough. Average 40 person dev team you are gonna have 7-8 people that already know the basics, but not well enough to teach the other thirty-odd.  We need to start there.

Security champions - I love you all very much. Take a look at your dev teams. Close your eyes.  Take a deep breath.  Open your eyes.  Does everyone in there understand JWT risks? Does your organization remove dev names in comments? If not, you need to run an application security testing class.  No, you don't have to have everyone be an uber-hacker. But it is fun, and it does give everyone a starting point.

When you look at code in code review, ask what input validation is being done. Ask about how that viewstate is encoded.  If you get a glassy eyed stare, then consider a class on testing.

When you need to learn how to write secure code

 Once folks can recognize insecure code, it is time to start fixing things. Sounds far, far easier than it actually is. However, this is when we need to start getting the development staff into the process of building security into their everyday process.

My experience is that you need to do a few things.  First, static analysis.  It isn't perfect, but it is a start.  Static analysis is the process of analyzing the code to best determine the potential security flaws. Dynamic analysis is the act of looking at the flaws in a running application. Either can be automated - meaning a script does the work - or manual - meaning a human does the work.  Automatic static analysis, say with a tool like SonarQube, is very likely to generate a ton of false positives at the start, but the rules can be honed over time. It is an imperfect but fairly effective tool.

Another important tool that should be used is a secure coding standard.  This is a custom built document not unlike a style guide.  It is something you can hand to new devs and say "this is how we do things."  Now, this leads well into the next section, about language agnostic testing and training, because the secure coding document should be tailored to the platform used by your organization. 

Testing is language agnostic, but secure coding isn't

The issue, as one discovers writing a secure coding standard, is that testing is very platform agnostic, but writing more secure code is not.  From a tester perspective, I can say "you need to encode your outputs" but from the developer perspective, there is a different way for every language and platform.  Html.Encode()? Sanitize()? Different everywhere, and a few frameworks do the work for you.  

When the report is written, there should be remediation advice, and it should have detailed guidance.  However, that means the tester should have detailed information about the language and platform and framework used to build the tested application.  This is extremely unlikely.   

When trying to teach generally, there needs to generally be an expertise in the language, platform, and framework.  Now, some folks know several languages, platforms, and frameworks,, if they have been around a while.  I for instance know C# and ASP.NET on Windows, Java and JSP on Apache, and Python with various frameworks quite well. Others less so.  But I have been doing this a long, long time.  Teaching secure coding in Ruby on Rails requires a specialty in appsec, AND Ruby.  That's not an everyday set of skills.

So what are we gonna do?

 Whatcha gonna do?  It's not the easiest problems to solve. I have a system that I would like to share, though.

First, have someone give a security talk at your company.  Usually, I do a lunch and learn or something, obviously online these days. Go over the vaunted OWASP Top 10, or give a demo of Burp or ZAP. Heck, click F12 and see what you see. I usually invite developers, business analysts, and testers (quality assurance, whatever your term is). Some people will nap through it, some will stay after to ask questions.  Those people that stayed after might very well be your security champions.  

OK, so now we know who is interested.  Second, we do training on testing. Have the security champions help to collect together the folks they think are important to understand what the vulnerabilities are, and hold a real training - one or two days, with labs - on application security testing.  This gets the core group of people the information they need about vulnerabilities to look for.  In the labs, have them look for them.  In their own code.  Encourage folks to test their own dev instances.  Dig in.

Third, retrospective.  Get the champions back together.  What did we learn?  How can we do better?  Most important, what are the secure coding principles that must be taught?  This is where we solve the language agnostic issue.  You can't just call someone in to teach secure coding, you must learn what it means to you and your team and your company.

Fourth, write a secure coding standard. It should be based on the lessons from the retrospective.  Base it on the categories of vulnerabilities, but couched in developer terms.  I use:

  1. Security Principles
  2. Access Control
  3. Content Management
  4. Browser Interaction
  5. Exception Management
  6. Cryptography
  7. System Configuration

But your mileage may vary.  The goal is to build a guide you can give someone on their first day.  Say "We write secure code here.  This is how it is expected to be done."  Think that through.  Usually my documents are 12 pages or less.

Finally, you train the secure coding standard.  Now you know what needs to be trained.  Yes, you have to write the materials, but they can be reused.  It can be as long or as short as you like but you get everyone back together and teach.  Then, as new people join the team, you have the culture in place to hand them the document.

Next, if you want to, you start to enforce the standard with a static analysis process.  That, however, is for another post.

Application Security This Week for December 6

An astonishingly well-written article by Google Project Zero on a vulnerability in iPhone's proximity features.

https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html?m=1

 

For something totally different, a tool that de-pixelizes values in images.

https://github.com/beurtschipper/Depix

 

Another fuzzer, ostensibly for debugging, but you know how that goes.

https://opensource.googleblog.com/2020/12/announcing-atheris-python-fuzzer.html

 

Fortinet has a good writeup of some info disclosure problems with current browsers.

https://www.fortinet.com/blog/threat-research/leaking-browser-url-protocol-handlers

 

That's the news! Have a fantastic week.

 

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList