Application Security This Week for November 29

by Bill Sempf 29. November 2020 14:47

Three tools this week.  Pretty cool.

 

Check your S3 bucket permissions (NCC Group's s3_objects_check looks at what objects are actually reachable, not just the bucket ACL):

https://github.com/nccgroup/s3_objects_check

 

Information disclosure research requires OSINT.  Take a look at IntelOwl, an open-source threat-intelligence aggregation platform:

https://github.com/intelowlproject/IntelOwl

 

I might have reported on this before - it isn't new.  It is a purposefully vulnerable Android app, for practice purposes:

https://github.com/satishpatnayak/AndroGoat

 

Hope everyone had a good and safe Thanksgiving.

 


Application Security This Week for November 22

by Bill Sempf 22. November 2020 14:06

Troy Hunt has another one of his awesome data breach breakdowns.  Lots to be learned here.

Troy Hunt: Inside the Cit0Day Breach Collection

 

Awesome paper on unwanted app distribution on Android.

https://arxiv.org/abs/2010.10088

 

In the information disclosure department, we have a recon tool that searches for URLs exposed through shortener services like bit.ly (shortened links are routinely enumerated and archived, so anything "hidden" behind one should be treated as public):

utkusen/urlhunter: a recon tool that allows searching on URLs that are exposed via shortener services (github.com)

 

Have a great Thanksgiving!


Application Security This Week for November 15

by Bill Sempf 15. November 2020 13:12

PortSwigger has a really nice new Burp Suite release for both the Community and Professional editions. Update now!

https://portswigger.net/burp/releases/professional-community-2020-11

 

OWASP ZAP's AJAX Spider add-on, which crawls with a real browser rather than by parsing HTML, is fantastic for testing SPAs and other JavaScript-heavy applications.

https://www.zaproxy.org/docs/desktop/addons/ajax-spider/options/

 

Everything old is new again.  DNS cache poisoning is back: the new variant (SAD DNS) uses an ICMP rate-limit side channel to infer a resolver's source port, undoing the port randomization that was the fix for Kaminsky's 2008 attack.

https://arstechnica.com/information-technology/2020/11/researchers-find-way-to-revive-kaminskys-2008-dns-cache-poisoning-attack/

 

That's the news!


Application Security This Week for November 8

by Bill Sempf 8. November 2020 14:59

Compass Security built a really nice Burp extension that helps with reporting findings by copying the request and response pair out of the various Burp tools.

https://blog.compass-security.com/2020/10/burp-extension-copy-request-response/

 

Container Security is all the rage.  Here is a good primer.

https://cloudberry.engineering/article/practical-introduction-container-security/

 

Random vulnerability names (CERT/CC's Vulnonym bot) ... so hawt right now.

https://www.theregister.com/2020/11/03/cert_bug_names/

 

One of the Big 4 consulting/audit firms helpfully built a "test your Hacker IQ" quiz that exposes the DB username and password.

https://www.theregister.com/2020/11/05/deloitte_hacker_test/

 

I have written in this humble publication many times about my disdain for cryptic TLS vulnerabilities (pun intended) and now Let's Encrypt is going to cut off 30% of Android devices. The cause is trust-store expiry rather than any cryptographic break: once the DST Root CA X3 cross-signature expires, Android versions before 7.1.1 do not trust ISRG Root X1 and will reject Let's Encrypt certificates.

https://letsencrypt.org/2020/11/06/own-two-feet.html

 

That's the news, folks.


Application Security This Week for November 1

by Bill Sempf 1. November 2020 11:51

Not a lot going on this week.  Almost as if everyone has something else to think about.

 

Get your debugger on.  Good two-parter on getting your feet wet with a little close-to-the-metal code: how a debugger reads and writes x86 registers.

https://www.moritz.systems/blog/how-debuggers-work-getting-and-setting-x86-registers-part-1/

 

For the bounty hunters: Harvard's Cyberlaw Clinic and the EFF published a guide to the legal risks involved in security research.

https://clinic.cyber.harvard.edu/2020/10/30/cyberlaw-clinic-and-eff-publish-guide-to-legal-risks-of-security-research/

 

Writing Go code? Here is a getting-started guide to go-fuzz, a coverage-guided fuzzer for Go packages.

https://adalogics.com/blog/getting-started-with-go-fuzz
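The one piece of go-fuzz that the linked guide revolves around is the harness: a function with the signature `func Fuzz(data []byte) int` whose return value steers the corpus and whose panics become reported crashers. The following is an added example, written for this post rather than taken from go-fuzz or the AdaLogics article. The `key=value` parser it targets and the seed inputs are constructed for the example; the harness checks that malformed keys never survive parsing and that encoding the result and parsing it again is an exact round trip.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
	"strings"
)

// ParseKV parses newline-separated "key=value" records. Blank lines and
// lines starting with '#' are ignored; a missing '=', an empty key or a
// duplicate key is an error. Constructed for this example as the code
// under test; it is not from go-fuzz or the linked article.
func ParseKV(input string) (map[string]string, error) {
	out := make(map[string]string)
	for n, line := range strings.Split(input, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		parts := strings.SplitN(line, "=", 2) // value may itself contain '='
		if len(parts) != 2 {
			return nil, fmt.Errorf("line %d: missing '='", n+1)
		}
		key, val := strings.TrimSpace(parts[0]), strings.TrimSpace(parts[1])
		if key == "" {
			return nil, fmt.Errorf("line %d: empty key", n+1)
		}
		if _, dup := out[key]; dup {
			return nil, fmt.Errorf("line %d: duplicate key %q", n+1, key)
		}
		out[key] = val
	}
	return out, nil
}

// Encode is the inverse of ParseKV; keys are written in sorted order so
// the output is deterministic.
func Encode(kv map[string]string) string {
	keys := make([]string, 0, len(kv))
	for k := range kv {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		b.WriteString(k)
		b.WriteByte('=')
		b.WriteString(kv[k])
		b.WriteByte('\n')
	}
	return b.String()
}

// Fuzz has the signature go-fuzz looks for: func Fuzz([]byte) int.
// Return 1 to ask go-fuzz to prioritise the input, 0 for neutral, and -1
// to keep it out of the corpus even if it produced new coverage. Any
// panic below is recorded by go-fuzz as a crasher with the input saved.
func Fuzz(data []byte) int {
	kv, err := ParseKV(string(data))
	if err != nil {
		return 0 // rejected cleanly, which is the expected outcome for most random input
	}
	if len(kv) == 0 {
		return -1 // only comments or blank lines: nothing worth keeping
	}
	// Invariant checks turn silent misbehaviour into a crash the fuzzer reports.
	for k := range kv {
		if k == "" || strings.Contains(k, "=") || strings.TrimSpace(k) != k {
			panic(fmt.Sprintf("malformed key %q survived parsing", k))
		}
	}
	// Round-trip property: encoding and re-parsing must reproduce the map exactly.
	again, err := ParseKV(Encode(kv))
	if err != nil {
		panic(fmt.Sprintf("re-parse of encoded output failed: %v", err))
	}
	if !reflect.DeepEqual(kv, again) {
		panic(fmt.Sprintf("round trip mismatch: %v != %v", kv, again))
	}
	return 1
}

// main runs the harness over a hand-written seed corpus so the file can be
// executed directly; under go-fuzz only Fuzz is called.
func main() {
	seeds := []string{"a=1\nb = x=y\n# comment\n", "no-equals", "=1", "a=1\na=2", "# nothing\n"}
	for _, s := range seeds {
		fmt.Printf("%q -> %d\n", s, Fuzz([]byte(s)))
	}
}
```

In a real project the harness lives in its own file inside the package under test rather than in a `main` package; you then run `go-fuzz-build` to instrument the package and `go-fuzz -bin=<pkg>-fuzz.zip -workdir=workdir` to start fuzzing, with crashers and the growing corpus written under the work directory. Since Go 1.18 the standard toolchain offers the same idea natively through `go test -fuzz` and `testing.F`, with the same rule of thumb: assert properties inside the harness, because a fuzzer only finds what you make crash.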

 

That's the news, folks. Have a great week!

 


Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
