by Bill Sempf
28. April 2019 10:26
Another Weblogic deserialization bug.
https://securityaffairs.co/wordpress/84450/breaking-news/oracle-weblogic-zeroday.html
I have a PR in for Nikto for it
https://github.com/sullo/nikto/pull/607
A reminder that application security is more than SQL injection: a good analysis of the bugs that caused the 737 Max crashes. I had to drop it in Pastebin because IEEE put it behind the paywall.
https://pastebin.com/QEiKvvMM
Using Git dotfiles to bypass authentication.
https://blog.assetnote.io/bug-bounty/2019/04/23/getting-access-zendesk-gcp/
ZDNet, of all places, has a really good, plain language explainer of credential stuffing.
https://www.zdnet.com/article/an-inside-look-at-how-credential-stuffing-operations-work/
A little more on the dev side: 10 articles reviewed about using Python in machine learning.
https://hackernoon.com/10-great-articles-on-python-development-6f54dd38437f
And that's the news! I'll be on vacation next week, so see you on the 12th.
by Bill Sempf
21. April 2019 17:11
by Bill Sempf
14. April 2019 10:11
The Stack Overflow Survey is out and has some interesting insights
https://insights.stackoverflow.com/survey/2019
Rebex has built a tool to scan SSH servers, similar to the Qualys SSL scan.
https://sshcheck.com/
A new OWASP project that I'm participating in aims to inventory and improve the overall security posture of package managers. Take a look:
https://github.com/OWASP/packman
And that's the news!
by Bill Sempf
7. April 2019 07:52
PortSwigger has replaced the exercises in the Web Application Security Hacker's Handbook with the new Web Academy.
https://portswigger.net/web-security
An ARM assembler - in JavaScript. I don't even have the words, this is so awesome.
https://azm.azerialabs.com/
Writing a talk? Here are 60 information security statistics with corresponding references.
https://itblogr.com/60-must-know-cybersecurity-statistics-for-2019/
Google has started their own vulnerability database. I'm not sure why, since we already have several, but it is worth a look.
https://www.vulncode-db.com/
And that's the news!