Application Security This Week for February 16

From the Absolute AppSec Podcast - learned about a really great article on how Account Enumeration is exploited.  I get pushback when I put it on reports, but it's a real vulnerability.

https://sidechannel.tempestsi.com/once-upon-a-time-there-was-an-account-enumeration-4cf8ca7cd6c1

 

Chrome is going to start blocking mixed content downloads, which are HTTPS pages that have links to HTTP files.  Search your codebase for HTTP!

https://blog.chromium.org/2020/02/protecting-users-from-insecure.html?m=1

 

America isn't the only country leaving their data exposed.

https://www.zdnet.com/article/netanyahus-party-exposes-data-on-over-6-4-million-israelis/

 

Exposing secrets in source code is a real thing.  I discovered a very cool tool that helps (if you are working in VS Code, which you should be) called Cloak.

https://johnpapa.net/hide-your-secrets-in-vs-code-with-cloak/

 

Finally, I have mixed feelings about this one.  Firefox will stop supporting TLS 1.0 and 1.1 soon and other browsers will surely follow.  I get it, there are flaws in those protocols, but they are better than nothing.  This feels a lot like gatekeeping to me (older machines run older browsers), and regular readers know that I am not saying that out of political correctness. Lemme know what you think in the comments.

https://www.theregister.co.uk/2020/02/10/tls_10_11_firefox_complete_eradication/

 

That's the news, folks.  Stay safe.

Application Security This Week for February 9

Christian Pedersen wrote a cool scanner for the Netscaler Gateway flaw, and is hosting it on Azure. 

https://cve-2019-19781.azurewebsites.net/

It is based on the TrustedSec POC

https://github.com/trustedsec/cve-2019-19781

 

Wacom tablets call the mothership every time you load up an application. The writeup has a fantastic breakdown on how to use available tools to find this shittery.

https://robertheaton.com/2020/02/05/wacom-drawing-tablets-track-name-of-every-application-you-open/

 

The Twitter API was exploitable by a direct object reference flaw that exposed phone numbers of users.

https://www.theregister.co.uk/2020/02/04/twitter_phone_numbers/

 

An ancient bug in Sudo (well by software standards anyway) allowed nonprivleged users to, well, do what superusers do.

https://thehackernews.com/2020/02/sudo-linux-vulnerability.html

 

That's the news folks.  Keep it frosty.

 

Application Security This Week for February 2nd

Simon Bennetts reminds me that OWASP ZAP also has a shiny new web presence, and an upgraded executable to go with it.

https://twitter.com/psiinon/status/1221482927768395778

https://www.zaproxy.org/docs/desktop/releases/2.9.0/

 

Good research on abusing Windows DLL configuration

https://www.fireeye.com/blog/threat-research/2020/01/abusing-dll-misconfigurations.html

 

More Azure problems - good old fashioned buffer overflow in the Stack.

https://thehackernews.com/2020/01/microsoft-azure-vulnerabilities.html?m=1

 

That's the news.  Stay safe out there.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList