Application Security This Week for September 27

A list of Capture The Flags that are on now or forever!

https://captf.com/practice-ctf/

 

The source code to XP was leaked.  This isn't a surprise; extended support gives folks access to it.  It was bound to get out.

https://thehackernews.com/2020/09/windows-xp-source-code.html

What's funny, though, are the comments:

https://pastebin.com/PTLeWhc2

 

The EFF is reporting on the very real problem of student contact tracing apps violating privacy considerations.  Balance has to be found.

https://www.eff.org/deeplinks/2020/09/students-are-pushing-back-against-proctoring-surveillance-apps

 

That's the news, folks.  Stay safe.

Application Security This Week for September 20

Microsoft open-sourced their fuzzing framework.

https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/

 

Not new, but certainly worth a read - how HTTPS works.

https://howhttps.works/

 

Ming Chow, a buddy of mine, did a fantastic online course on packet analysis that includes a nod to your humble author (around minute 58).

https://www.youtube.com/watch?v=Lj2DaFLRQVI&feature=youtu.be

 

Stay safe out there.

 

Application Security This Week for September 13

Or Maypril 319, but who is counting.

 

Here's an OLD Visual Studio project that gets AES keys from running applications.  Seems to still work!

https://github.com/mmozeiko/aes-finder

 

Another writeup on my current favorite bug, HTTP Request Smuggling.

https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c

 

Via Matt Groves, this tool tests Couchbase databases for injection.  Pretty slick.

https://github.com/FSecureLABS/N1QLMap

 

Neat article on using Fuzzilli to fuzz JavaScript engines using an intermediate language.

https://blog.doyensec.com/2020/09/09/fuzzilli-jerryscript.html

 

Cool breakdown on using Mobile Device Management to get RCE on devices.

https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html?m=1

 

That's the news, folks.  Stay safe.

Application Security This Week for September 6

Cool 10,000 foot overview of web application vulnerability assessment.  Clearly written and concise.

https://www.codementor.io/@seanhiggins550/the-ins-and-outs-of-penetration-testing-for-web-apps-19jhhqsexo

 

A really well thought through attack on HTML sanitizers.

https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/

 

El Reg has a good article on spear-phishing developers to get access to back-end tools.  This is why the vulnerability analysts tell you to decommission old test systems.

https://www.theregister.com/2020/09/04/disclosure_developer_targeting/

 

Nice intro to blind SQL injection.

http://www.mannulinux.org/2020/09/sql-injection-filter-bypass-to-perform.html?m=1

 

That's the news, folks.  Have a good Labor Day!

Application Security This Week for August 30

Monsoon is a fast HTTP request enumerator that allows you to run a large number of tests to try out potential findings.

https://github.com/RedTeamPentesting/monsoon

 

Python devs: Don't run the Python executable from your Downloads folder! Python isn't designed for that, and there are vulnerabilities.

https://glyph.twistedmatrix.com/2020/08/never-run-python-in-your-downloads-folder.html

 

A really fantastic list of Android security resources.

https://github.com/ashishb/android-security-awesome

 

That's the latest, folks! Have a great week.

Application Security This Week for August 23

Update Jenkins - there is a flaw in the HTTP renderer.

https://www.jenkins.io/security/advisory/2020-08-17/

https://thehackernews.com/2020/08/jenkins-server-vulnerability.html

 

Pretty cool article about attacking the MS Exchange web interface.

https://swarm.ptsecurity.com/attacking-ms-exchange-web-interfaces/

 

Don't usually talk locksport here but it's a slow news week and this is pretty cool - creating a key based on the sound of the original entering the lock.

https://cacm.acm.org/news/246744-picking-locks-with-audio-technology/fulltext

 

That's the news!

Application Security This Week for August 16

Microsoft pushed a change to ASP.NET for a DoS vulnerability.  Not only should you patch, but looking at the change control is worth your time.

https://github.com/aspnet/Announcements/issues/431

 

Speaking of .NET, Adam Chester has an awesome article about the debugger that is worth a look.

https://blog.xpnsec.com/debugging-into-net/

 

Sonatype has their annual report on the Software Supply Chain ready, which is a topic near and dear to my heart. You have to give them your email, but it is worth it.

https://www.sonatype.com/2020ssc

I spoke to the .NET Dev Group in Columbus about this topic in March and it got a little spicy.

https://www.youtube.com/watch?v=KWt0Brcc2Ag

 

Finally, here is another good analysis paper on the application security development lifecycle.

https://www.veracode.com/sites/default/files/pdf/resources/surveyreports/esg-modern-application-development-security-veracode-survey-report.pdf

 

Stay safe and well.

S

Application Security This Week for August 9

The new Open Source Security Foundation is trying to broaden the reach of information security best practice.

https://github.com/ossf

 

Four new variants of HTTP Request Smuggling were published, and they are pretty cool.

https://thehackernews.com/2020/08/http-request-smuggling.html

 

A really cool XML External Entity flaw was used to get RCE in the latest Pwn2Own competition.

http://muffsec.com/blog/?p=608

 

That's the news, folks.

S

Application Security This Week for August 2nd

Check your Docker API permissions.  A new piece of malware has been turning cloud-hosted containers into mining rigs.

https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/

 

Remember when I told you that Microsoft is dropping support for TLS 1.0 and 1.1?  Well, SHA-1 is next.

https://www.theregister.com/2020/07/29/microsoft_windows_sha_1/

 

1d8 posted a good primer on setting up an Android security analysis lab.  It's pretty solid.

https://github.com/1d8/Android-Analysis

I did a talk on a similar topic at GrrCon a few years back.

http://www.irongeek.com/i.php?page=videos/grrcon2016/114-breaking-android-apps-for-fun-and-profit-bill-sempf

 

Finally, I'll be at the OWASP Booth at Virtual BlackHat Wednesday afternoon (3-7 EDT). I have no idea how it will work yet, but it should be fun! Come have a virtual beer with me.

 

That's the news.  Stay safe out there.

Application Security This Week for July 26

They dropped Open Redirection from the OWASP Top 10 but, like CSRF, it is still out there. Here is a neat tool to help find it.

https://github.com/0xNanda/Oralyzer

 

FireEye has a neat new toolset to crowdshare malware patterns.  I haven't dug into this yet, but I am fascinated.  Malware isn't my thing - I am a web guy - but this is a cool idea.

https://www.fireeye.com/blog/threat-research/2020/07/capa-automatically-identify-malware-capabilities.html

 

Microsoft has started killing off TLS 1.0 and 1.1, really for real this time.  Really.  Interesting take, because users in poorer countries who are still on old Android and iOS devices are effectively losing access to the tools.  Acceptable losses? Seems so.

https://docs.microsoft.com/en-us/microsoft-365/compliance/tls-1.0-and-1.1-deprecation-for-office-365?view=o365-worldwide

 

Gotta love a sanitizer bypass in ... a sanitizer tool.

https://research.securitum.com/html-sanitization-bypass-in-ruby-sanitize-5-2-1/

 

That's the news.  Hope everyone is well.

 

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 
