Application Security This Week for August 30

Monsoon is a fast HTTP request enumerator that allows you to run a large number of tests to try out potential findings.

https://github.com/RedTeamPentesting/monsoon


Python devs: don't run Python executables from your Downloads folder! Python isn't designed for that, and there are vulnerabilities.

https://glyph.twistedmatrix.com/2020/08/never-run-python-in-your-downloads-folder.html


A really fantastic list of Android security resources.

https://github.com/ashishb/android-security-awesome


That's the latest, folks! Have a great week.

Application Security This Week for August 23

Update Jenkins - there is a flaw in the HTTP renderer.

https://www.jenkins.io/security/advisory/2020-08-17/

https://thehackernews.com/2020/08/jenkins-server-vulnerability.html


Pretty cool article about attacking the MS Exchange web interface.

https://swarm.ptsecurity.com/attacking-ms-exchange-web-interfaces/


I don't usually talk locksport here, but it's a slow news week and this is pretty cool: creating a key based on the sound of the original entering the lock.

https://cacm.acm.org/news/246744-picking-locks-with-audio-technology/fulltext


That's the news!

Application Security This Week for August 16

Microsoft pushed a change to ASP.NET for a DoS vulnerability. Not only should you patch, but looking at the change control is worth your time.

https://github.com/aspnet/Announcements/issues/431


Speaking of .NET, Adam Chester has an awesome article about the debugger that is worth a look.

https://blog.xpnsec.com/debugging-into-net/


Sonatype has their annual report on the Software Supply Chain ready, which is a topic near and dear to my heart. You have to give them your email, but it is worth it.

https://www.sonatype.com/2020ssc

I spoke to the .NET Dev Group in Columbus about this topic in March and it got a little spicy.

https://www.youtube.com/watch?v=KWt0Brcc2Ag


Finally, here is another good analysis paper on the application security development lifecycle.

https://www.veracode.com/sites/default/files/pdf/resources/surveyreports/esg-modern-application-development-security-veracode-survey-report.pdf


Stay safe and well.

S

Application Security This Week for August 9

The new Open Source Security Foundation is trying to broaden the reach of information security best practice.

https://github.com/ossf


Four new variants of HTTP Request Smuggling were published, and they are pretty cool.

https://thehackernews.com/2020/08/http-request-smuggling.html


A really cool XML External Entity flaw was used to get RCE in the latest Pwn2Own competition.

http://muffsec.com/blog/?p=608


That's the news, folks.

S

Application Security This Week for August 2nd

Check your Docker API permissions. A new piece of malware has been turning cloud-hosted containers into mining rigs.

https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/


Remember when I told you that Microsoft is dropping support for TLS 1.0 and 1.1? Well, SHA-1 is next.

https://www.theregister.com/2020/07/29/microsoft_windows_sha_1/


1d8 posted a good primer on setting up an Android security analysis lab. It's pretty solid.

https://github.com/1d8/Android-Analysis

I did a talk on a similar topic at GrrCon a few years back.

http://www.irongeek.com/i.php?page=videos/grrcon2016/114-breaking-android-apps-for-fun-and-profit-bill-sempf


Finally, I'll be at the OWASP Booth at Virtual BlackHat Wednesday afternoon (3-7 EDT). I have no idea how it will work yet, but it should be fun! Come have a virtual beer with me.


That's the news. Stay safe out there.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
