Application Security This Week for June 30

Fascinating look at the Internet routing incident (a BGP route leak, amplified by a BGP optimizer, that Verizon then propagated) that knocked large parts of the Internet offline last week.  We are really building this city on a bed of sticks.

https://blog.cloudflare.com/how-verizon-and-a-bgp-optimizer-knocked-large-parts-of-the-internet-offline-today/

 

Not my normal fare for this newsletter, but Microsoft added a secure vault to OneDrive.  Not in the US yet, but my Australian friends can give it a try.

https://www.windowscentral.com/microsoft-announces-onedrive-personal-vault-secure-area-within-your-onedrive

 

There is a directory traversal vulnerability in ... this blog!  Please don't hack me.  I'll update later today.

https://seclists.org/fulldisclosure/2019/Jun/44
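Since the item above is a directory traversal bug, here is the shape of the defect and its fix in Python. This is an added example, not code from the blog engine or from the advisory linked above; the web root, the file names and the "secret" file planted beside the root are constructed for the demo.

```python
"""Directory traversal: a naive file-serving helper beside a hardened one.

Added example, not code from the blog or the advisory it links. The web
root, the file names and the "secret" file beside the root are constructed
for the demo.
"""
import os
import shutil
import tempfile
from pathlib import Path


def serve_file_vulnerable(web_root: str, requested: str) -> bytes:
    """Naive join: '../' segments in `requested` walk out of web_root."""
    path = os.path.join(web_root, requested)
    with open(path, "rb") as f:
        return f.read()


def safe_resolve(web_root: str, requested: str) -> Path:
    """Map `requested` to a file strictly inside web_root, or raise.

    The containment check runs on the fully resolved path, after '..'
    collapsing and symlink following, so it compares the real location on
    disk rather than the string the client sent.
    """
    root = Path(web_root).resolve()
    try:
        rel = Path(requested)
        if rel.is_absolute():
            raise PermissionError(f"absolute path rejected: {requested!r}")
        candidate = (root / rel).resolve()
    except ValueError as exc:  # e.g. an embedded NUL byte
        raise PermissionError(f"malformed path rejected: {requested!r}") from exc
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes web root: {requested!r}")
    if not candidate.is_file():
        raise FileNotFoundError(str(candidate))
    return candidate


def serve_file_hardened(web_root: str, requested: str) -> bytes:
    """Same contract as the vulnerable helper, but traversal is refused."""
    return safe_resolve(web_root, requested).read_bytes()


def _leaks(serve, root: str, requested: str, secret: bytes) -> bool:
    """True if `serve` hands back the secret for `requested`."""
    try:
        return serve(root, requested) == secret
    except OSError:  # PermissionError and FileNotFoundError are both OSErrors
        return False


def demo() -> dict:
    """Build a throwaway web root with a secret beside it and try both helpers."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.makedirs(os.path.join(root, "css"))
    secret = b"db_password=hunter2"  # constructed stand-in for a real secret
    Path(root, "index.html").write_bytes(b"<h1>hello</h1>")
    Path(root, "css", "site.css").write_bytes(b"body{}")
    Path(base, "secret.txt").write_bytes(secret)
    try:
        return {
            "vulnerable_leaks": _leaks(serve_file_vulnerable, root, "../secret.txt", secret),
            "hardened_leaks": _leaks(serve_file_hardened, root, "../secret.txt", secret),
            "hardened_leaks_nested": _leaks(serve_file_hardened, root, "css/../../secret.txt", secret),
            "hardened_serves_legit": serve_file_hardened(root, "css/../index.html") == b"<h1>hello</h1>",
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

The point of `safe_resolve` is that the check happens after resolution: rejecting the literal string `..` is not enough, because encoded, doubled or symlinked forms reach the same place on disk. A legitimate request that merely passes through a subdirectory (`css/../index.html`) is still served.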

 

MongoDB is adding field-level encryption.  Now if folks would just use the authentication features ...

https://www.wired.com/story/field-level-encryption-databases-mongobd/

 

Found a VERY cool tool that lists the known vulnerabilities in popular default container images.

https://vulnerablecontainers.org/

 

A weird edge case caused npm 6.9.1 to include the .git folder in the published tarball.  Remember, complexity is the enemy of security.

https://npm.community/t/npm-6-9-1-is-broken-due-to-git-folder-in-published-tarball/8454/2
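The practical lesson from that npm bug is to inspect what you are about to publish instead of trusting the packager. Below is an added example, not code from npm or from the linked thread: a small pre-publish gate that opens a tarball (such as the .tgz that `npm pack` writes) and flags VCS metadata and credential files. The sample package contents are constructed, and the token in the fake .npmrc is a placeholder, not a real credential.

```python
"""Pre-publish gate: flag VCS metadata and credential files inside a tarball.

Added example, not code from npm or from the linked thread. The sample
package contents below are constructed; the token in the fake .npmrc is a
placeholder, not a real credential.
"""
import io
import tarfile
from pathlib import PurePosixPath

# Path components and names that should never ship in a published package.
BLOCKED_DIRS = {".git", ".svn", ".hg"}
BLOCKED_FILES = {".env", ".npmrc", "id_rsa", "id_ed25519"}
BLOCKED_SUFFIXES = {".pem", ".key"}


def sensitive_entries(tar_bytes: bytes) -> list:
    """Return the member names in a (gzipped or plain) tar that look sensitive."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            path = PurePosixPath(member.name)
            if (
                any(part in BLOCKED_DIRS for part in path.parts)
                or path.name in BLOCKED_FILES
                or path.suffix in BLOCKED_SUFFIXES
            ):
                found.append(member.name)
    return found


def build_tarball(files: dict) -> bytes:
    """Pack {name: text} into a gzipped tar in memory (stands in for `npm pack`)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed package layout: what a broken publish might sweep up.
SAMPLE_FILES = {
    "package/package.json": '{"name": "demo", "version": "1.0.0"}',
    "package/index.js": "module.exports = () => 42;",
    "package/.git/config": "[core]\n\trepositoryformatversion = 0\n",
    "package/.npmrc": "//registry.npmjs.org/:_authToken=PLACEHOLDER-NOT-A-REAL-TOKEN\n",
}


def demo() -> list:
    """Scan the constructed package; the .git file and the .npmrc should be flagged."""
    return sensitive_entries(build_tarball(SAMPLE_FILES))


if __name__ == "__main__":
    for name in demo():
        print("refusing to publish:", name)
```

To use it for real, run `npm pack`, read the resulting .tgz into `sensitive_entries`, and fail the release if the list is non-empty. The check is deliberately on the artifact rather than on your .npmignore, because the artifact is what the registry gets.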

 

And that's the news folks.

Application Security This Week for June 23

Google has decided that the API that underpins the Chrome extension kit is too powerful - and they aren't wrong.  But the changes appear to be killing adblockers.  Strange, that.

https://www.theregister.co.uk/2019/06/17/chrome_extensions_security/

 

No, you aren't reading an old edition of this newsletter.  There really is another Oracle WebLogic deserialization bug.

https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html

https://www.theregister.co.uk/2019/06/19/oracle_weblogic_emergency/

 

Good writeup on the current state of two-factor authentication.

https://blog.trailofbits.com/2019/06/20/getting-2fa-right-in-2019/

 

That's the news, folks.

 

Application Security This Week for June 16

Happy Father's Day!

 

Great writeup by Rapid7 about security-focused HTTP headers.

https://blog.rapid7.com/2019/05/30/hidden-helpers-security-focused-http-headers/?utm_medium=twitter&utm_content=http-headers&CS=twitter
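As an added example to go with that writeup (not code from the Rapid7 post), here is a small audit that takes a response's headers and reports which of the usual security headers are missing or weak. The two header sets at the bottom are constructed, not captured from any site, and the thresholds (a one-year HSTS max-age, no 'unsafe-inline' or wildcard script sources) are the common guidance rather than something the post prescribes.

```python
"""Audit an HTTP response's headers for the usual security headers.

Added example, not code from the Rapid7 post. The two header sets at the
bottom are constructed, not captured from any site, and the thresholds
(one-year HSTS, no 'unsafe-inline' or wildcard script sources) are the
common guidance, not something the post prescribes.
"""
import re

ONE_YEAR = 31536000


def _get(headers: dict, name: str):
    """Case-insensitive lookup: header names are case-insensitive on the wire."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _csp_directive(csp: str, name: str):
    """Source list of one CSP directive (lower-cased), or None if absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None


def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        age = re.search(r"max-age=(\d+)", hsts, re.I)
        if not age or int(age.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = _get(headers, "Content-Security-Policy")
    frame_ancestors = None
    if csp is None:
        findings.append("CSP missing")
    else:
        # script-src governs scripts; when it is absent, default-src is the fallback.
        scripts = _csp_directive(csp, "script-src")
        if scripts is None:
            scripts = _csp_directive(csp, "default-src")
        if scripts is None:
            findings.append("CSP sets neither script-src nor default-src")
        elif "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("CSP script sources allow inline or wildcard scripts")
        frame_ancestors = _csp_directive(csp, "frame-ancestors")

    # frame-ancestors supersedes X-Frame-Options where both are present.
    xfo = (_get(headers, "X-Frame-Options") or "").upper()
    if frame_ancestors is None and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")

    if (_get(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    referrer = _get(headers, "Referrer-Policy")
    if referrer is None or referrer.lower() == "unsafe-url":
        findings.append("Referrer-Policy missing or unsafe-url")

    return findings


# Constructed header sets, not captured from a real response.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}

HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-d2h5'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["ok"])
```

Against a live site, pass `requests.get(url).headers` (or any mapping of header names to values) straight into `audit_headers`; the lookup is case-insensitive because header names are. Note that the hardened set has no X-Frame-Options at all and still passes, since `frame-ancestors 'none'` in the CSP covers clickjacking.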

 

A phishing kit used by the bad guys has a gaping insecure-file-upload bug.

https://www.theregister.co.uk/2019/06/05/akamai_phishing_kit_vuln/

 

"But it's inside the firewall!" Here are 18 cases of insider attacks in the banking industry.

https://medium.com/bugbountywriteup/18-cases-of-insider-bank-threats-16a29dcfca18

 

And, a little security related humor to lighten your week.

https://medium.com/commitlog/how-to-design-for-the-web-in-2019-a0be4d6702e2

 

And that's the news.

 

 

Application Security This Week for June 2

Accidentally Took Memorial Day Weekend Off Edition

 

New tool: FinalRecon- OSINT Tool For All-In-One Web Reconnaissance

https://blog.hackersonlineclub.com/2019/05/finalrecon-osint-tool-for-all-in-one.html?m=1

 

Permanent URL Hijack Through 301 HTTP Redirect Cache Poisoning

https://blog.duszynski.eu/domain-hijack-through-http-301-cache-poisoning/

 

Didier Stevens, one of my favorite researchers, mentioned that one of his readers has made a docker container with all of his tools.

https://blog.didierstevens.com/2019/05/27/dssuite-a-docker-container-with-my-tools/

 

There is a POC for CVE-2019-0708 (BlueKeep).  It is certainly worth a look.

https://github.com/Ekultek/BlueKeep

 

Speaking of Docker, there is a bug that gives a container read/write access to the host file system.  That is a container escape rather than a hypervisor jump; Docker isn't a hypervisor, and the kernel is shared either way.

https://duo.com/decipher/docker-bug-allows-root-access-to-host-file-system

https://nakedsecurity.sophos.com/2019/05/31/unpatched-docker-bug-allows-read-write-access-to-host-os/

 

Finally, the always-wonderful folks at Portswigger have a cool analysis of Behavioral Fuzzing.

https://portswigger.net/blog/provoking-browser-quirks-with-behavioural-fuzzing

 

And that's the news! Have a great week.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
