Application Security Weekly for March 25

HSTS tracking beats even incognito mode in browsers, and it is more and more often used by advertisers.  The trick treats each of a set of tracker hostnames as one bit of a visitor ID: loading a resource over HTTPS from a hostname that answers with a Strict-Transport-Security header stores a 1, and a later plain-HTTP request to that hostname is silently upgraded to HTTPS only when the bit was set, which the tracker can observe.  Clearing cookies does not touch the HSTS cache.  In the most recent release of macOS, Safari has two mitigations in place for this issue: HSTS state can only be set for the hostname being loaded or its TLD+1, and HSTS state is ignored for subresource requests to domains that Intelligent Tracking Prevention already blocks.  Let's hope other browsers follow suit shortly.

https://thehackernews.com/2018/03/hsts-supercookie-tracking.html
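To make the mechanism concrete, here is a small Python model of the supercookie, added here rather than taken from the article or from any browser's code. The tracker domain and bit hostnames (tracker.example, bit0.tracker.example, ...) are made up, the HSTS cache is a stand-in for the browser's store, and only Safari's read-side mitigation (ignoring HSTS upgrades for subresources from a blocked tracker domain) is modelled:

```python
"""Toy model of an HSTS supercookie and of Safari's read-side mitigation.

Added illustration, not code from the article. A tracker owns N hostnames
(bit0.tracker.example ... bitN-1.tracker.example; names assumed here) and
stores one bit of a visitor ID per hostname in the browser's HSTS cache.
"""

TRACKER = "tracker.example"   # assumed tracker domain for the model


def bit_host(i):
    """Hostname that carries bit i of the visitor ID."""
    return f"bit{i}.{TRACKER}"


class HstsCache:
    """Minimal stand-in for a browser's Strict-Transport-Security store."""

    def __init__(self, blocked_domains=()):
        self.hosts = set()
        # Domains Intelligent Tracking Prevention has classified as trackers:
        # HSTS upgrades are ignored for subresource requests to them.
        self.blocked = set(blocked_domains)

    def on_https_response(self, host, sts_header):
        """Record HSTS state when an HTTPS response carries an STS header."""
        for directive in (d.strip() for d in sts_header.split(";")):
            if directive.startswith("max-age="):
                if int(directive[len("max-age="):]) > 0:
                    self.hosts.add(host)
                else:
                    self.hosts.discard(host)   # max-age=0 clears the entry

    def _is_blocked(self, host):
        return any(host == d or host.endswith("." + d) for d in self.blocked)

    def resolve_subresource(self, url):
        """Return the URL the browser will actually fetch for a subresource."""
        scheme, _, rest = url.partition("://")
        host = rest.split("/", 1)[0]
        if scheme == "http" and host in self.hosts and not self._is_blocked(host):
            return "https://" + rest       # silent HSTS upgrade: the observable bit
        return url


def write_id(cache, visitor_id, nbits):
    """Tracker 'writes' the ID: for every 1 bit, the page loads an HTTPS
    subresource from that bit's host and the server answers with STS."""
    for i in range(nbits):
        if (visitor_id >> i) & 1:
            cache.on_https_response(bit_host(i), "max-age=31536000")


def read_id(cache, nbits):
    """Tracker 'reads' the ID later: request every bit host over plain HTTP
    and note which requests the browser upgraded to HTTPS."""
    visitor_id = 0
    for i in range(nbits):
        fetched = cache.resolve_subresource(f"http://{bit_host(i)}/p.gif")
        if fetched.startswith("https://"):
            visitor_id |= 1 << i
    return visitor_id


def demo():
    """Returns (id read from a plain cache, id read from a cache with the
    tracker domain blocked)."""
    plain = HstsCache()
    write_id(plain, 0b1011_0110, 8)
    leaked = read_id(plain, 8)          # 182: the ID survives a cookie wipe

    safari = HstsCache(blocked_domains=[TRACKER])
    write_id(safari, 0b1011_0110, 8)
    blocked = read_id(safari, 8)        # 0: upgrades ignored, ID unreadable
    return leaked, blocked
```

Eight hostnames give 256 IDs; a real tracker uses a few dozen and can read them all with a single page load, which is why the mitigation has to sit on the read side (ignoring the upgrade) and not only on the write side.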

 

Here's a really good writeup by the researcher who discovered an XML External Entity (XXE) vulnerability in Windows Remote Assistance.  The invitation file is XML, so a crafted invitation can make the victim's machine read local files and send their contents to an attacker-controlled server.

https://krbtgt.pw/windows-remote-assistance-xxe-vulnerability/
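As an added illustration (not the researcher's code, and not the Remote Assistance invitation format, which the writeup covers), here is the generic XXE pattern in Python's xml.sax: the same document parsed once with external entity resolution on and once with it off. The file names, the element names and the secret are constructed:

```python
"""XXE illustration in Python's xml.sax. Added here; not the Windows Remote
Assistance bug or its invitation-file format. The same DOCTYPE trick works
against any XML parser that resolves external entities."""
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Gathers the character data the parser hands us, entity expansions included."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def _parse(xml_text, allow_external_entities):
    parser = xml.sax.make_parser()
    # feature_external_ges controls resolution of external *general* entities,
    # which is exactly what <!ENTITY x SYSTEM "..."> declares.
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.StringIO(xml_text))
    return collector.text()


def parse_vulnerable(xml_text):
    """Behaviour of a parser that honours external entities."""
    return _parse(xml_text, True)


def parse_hardened(xml_text):
    """Same document with external entities disabled. Set it explicitly: the
    stdlib default only became safe in Python 3.7.1."""
    return _parse(xml_text, False)


def build_payload(target_path):
    """Constructed attacker document: an external entity pointing at a local
    file, referenced from an element the application will later read or echo."""
    file_uri = pathlib.Path(target_path).as_uri()
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE invite [ <!ENTITY xxe SYSTEM "{file_uri}"> ]>\n'
        "<invite><note>&xxe;</note></invite>\n"
    )


def demo():
    """Returns (vulnerable_output, hardened_output) for a throwaway secret file."""
    with tempfile.TemporaryDirectory() as d:
        secret_path = os.path.join(d, "secret.txt")   # constructed sample secret
        with open(secret_path, "w") as f:
            f.write("SECRET-TOKEN-1234")
        payload = build_payload(secret_path)
        return parse_vulnerable(payload), parse_hardened(payload)
```

The vulnerable parse returns the file contents inside the note element; the hardened parse returns an empty string because the entity reference expands to nothing. In an out-of-band variant like the one the writeup describes, the entity would instead point at an attacker's server and carry the file contents in the request, so the parser's output is never even needed.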

 

Dropbox and Netflix join the growing group of large technology organizations promising not to sue white-hat security researchers.

https://www.theregister.co.uk/AMP/2018/03/22/netflix_bounty_dropbox_promise/

 

Here's another web application penetration testing methodology, well written and organized.

https://jdow.io/blog/2018/03/18/web-application-penetration-testing-methodology/

A new blog series: Application Security Weekly

No, I haven't given up on my OTHER blog series about application vulnerability assessment, but an opportunity opened up to start publishing my client newsletter on my blog.  It's usually just four stories about appsec that I think are particularly important this week.  Not even a lot of commentary, but if you only have so much time to absorb appsec news, then this could be a great way to fit some news in.

Enough chatting, this week's stories:

 

Any authenticated user on a Samba 4 Active Directory domain controller can change any other user's password via LDAP, with no knowledge of the old password and no check on the target account.  A patch is available.

https://www.theregister.co.uk/2018/03/14/samba_password_bug/

 

As we all surmised, there was an app that leveraged Open Graph to download profiles from Facebook for the purpose of crafting election advertising.

https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election

I spend a lot of time talking about the Facebook Open Graph; here I am three years ago at Cleveland BSides:

https://www.youtube.com/watch?v=Ze9Pzb1KSFw&feature=youtu.be&t=12m26s

 

Abusing Certificate Transparency logs to enumerate the subdomains of an HTTPS site: certificates issued by public CAs are logged, and the Subject Alternative Names in those log entries hand you hostnames without sending a single packet to the target's DNS:

https://github.com/UnaPibaGeek/ctfr
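Here is an added example of the idea, not ctfr's own code: it parses the JSON that crt.sh (the log aggregator ctfr queries) returns and pulls unique in-scope hostnames out of the `name_value` field, which lists every SAN a certificate carried. The sample log data and the target.example names are constructed; only the `fetch_crtsh` helper touches the network and it is not used by the demo.

```python
"""Subdomain enumeration from Certificate Transparency logs.

Added example, not ctfr's own code. Parses crt.sh's JSON shape and extracts
unique hostnames under the target zone from the name_value field.
"""
import json
import re
import urllib.parse
import urllib.request

# Constructed sample in crt.sh's JSON shape (not real log data).
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "www.target.example",
     "name_value": "www.target.example\ntarget.example"},
    {"id": 2, "common_name": "*.target.example",
     "name_value": "*.target.example\ntarget.example"},
    {"id": 3, "common_name": "mail.target.example",
     "name_value": "MAIL.target.example\nvpn.target.example\nvpn.target.example"},
    {"id": 4, "common_name": "staging-api.target.example",
     "name_value": "staging-api.target.example\nother-company.example"},
    {"id": 5, "common_name": "evil.example",
     "name_value": "nottarget.example\nphish-target.example"},
])

# Plain DNS hostnames only; rejects e-mail addresses and junk found in SAN lists.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def subdomains_from_crtsh(json_text, domain, include_wildcards=False):
    """Return a sorted list of unique hostnames inside the zone `domain`.

    Wildcard names (*.target.example) are dropped by default: they are not
    resolvable hosts, only evidence that the operator uses wildcard certs.
    Names outside the zone (SANs shared on a multi-domain cert, or look-alike
    domains such as phish-target.example) are filtered out, not reported.
    """
    domain = domain.lower().strip(".")
    found = set()
    wildcards = set()
    for entry in json.loads(json_text):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name:
                continue
            if name.startswith("*."):
                wildcards.add(name)
                continue
            if not HOSTNAME_RE.match(name):
                continue
            # Exact zone match: "nottarget.example" must not count as in scope.
            if name == domain or name.endswith("." + domain):
                found.add(name)
    if include_wildcards:
        found |= {w for w in wildcards if w.endswith("." + domain)}
    return sorted(found)


def fetch_crtsh(domain):
    """Live query in the form ctfr uses (network required; not run by demo())."""
    url = "https://crt.sh/?q=" + urllib.parse.quote("%." + domain) + "&output=json"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


def demo():
    """Hostnames recovered from the constructed sample for target.example."""
    return subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "target.example")
```

Two things worth keeping when you script this for real: normalise case and trailing dots before deduplicating (log entries preserve whatever the CA put in the certificate), and never treat a name as in scope just because it contains the target string. The results are hostnames that once appeared on a certificate, not hosts that are alive today, so feed them to a resolver before anything else.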

 

A nice primer on breaking encryption from Malwarebytes:

https://blog.malwarebytes.com/threat-analysis/2018/03/encryption-101-how-to-break-encryption/

 

Happy hunting!

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
