Application Security This Week for November 22

Troy Hunt has another one of his awesome data breach breakdowns.  Lots to be learned here.

Troy Hunt: Inside the Cit0Day Breach Collection

 

Awesome paper on unwanted app distribution on Android.

2010.10088.pdf (arxiv.org)

 

In the department of information disclosure department, we have a Go project that will look for URLs exposed by shortner services like bit.ly

utkusen/urlhunter: a recon tool that allows searching on URLs that are exposed via shortener services (github.com)

 

Have a great thanksgiving!

Application Security This Week for November 15

Portswigger has a really nice new release - update now! Community and pro.

https://portswigger.net/burp/releases/professional-community-2020-11

 

OWASP ZAP has a fantastic new plugin to help test SPAs and the like.

https://www.zaproxy.org/docs/desktop/addons/ajax-spider/options/

 

Everything old is new again.  DNS Cache Poisoning is back.

https://arstechnica.com/information-technology/2020/11/researchers-find-way-to-revive-kaminskys-2008-dns-cache-poisoning-attack/

 

That's the news!

Application Security This Week for November 8

Compass Security built a really nice Burp plugin that helps with the reporting of findings by copying the request and response pair from various tools.

https://blog.compass-security.com/2020/10/burp-extension-copy-request-response/

 

Container Security is all the rage.  Here is a good primer.

https://cloudberry.engineering/article/practical-introduction-container-security/

 

Random vulnerability names ... so hawt right now.

https://www.theregister.com/2020/11/03/cert_bug_names/

 

One of the Big 4 consulting/audit firms helpfully built a "test your Hacker IQ" quiz that exposes the DB username and password.

https://www.theregister.com/2020/11/05/deloitte_hacker_test/

 

I have written in this humble publication many times about my disdain over cryptic TLS vulnerabilities (pun intended) and now Let's Encrypt is going to cut off 30% of Android devices.

https://letsencrypt.org/2020/11/06/own-two-feet.html

 

That's the news, folks.

Application Security This Week for November 1

Not a lot going on this week.  Almost as if everyone has something else to think about.

 

Get your debugger on.  Good two parter on getting your feet wet with a little close-to-the-metal code.

https://www.moritz.systems/blog/how-debuggers-work-getting-and-setting-x86-registers-part-1/

 

For the bounty hunters - Harvard publicked a guide to the legal risk involved in bug hunting.

https://clinic.cyber.harvard.edu/2020/10/30/cyberlaw-clinic-and-eff-publish-guide-to-legal-risks-of-security-research/

 

Writing Go code? Here's a new fuzzer for your Go apps.

https://adalogics.com/blog/getting-started-with-go-fuzz

 

That's the news folks. Have a great week!

 

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList