Application Security This Week for March 28

Guess who forgot to do a newsletter last week?


Cool file upload attack to get access to SSH unauthenticated.

https://blog.fadyothman.com/cve-2021-28379-gaining-rce-via-ssh-backdoor-in-vestacp/


Neat tool to MITM an iOS device.  The code is worth a look.

https://github.com/doronz88/harlogger


There is a new release of a (new to me) tool to test SAML implementations.

https://blog.compass-security.com/2021/03/saml-raider-release-1-4-0/


More cool HTTP2 vulnerabilities exploited.

https://blog.assetnote.io/2021/03/18/h2c-smuggling/


TLS 1.0 and 1.1 are formally deprecated.  These become High findings on reports now.

https://datatracker.ietf.org/doc/rfc8996/


Retire.js, one of my favorite tools, has been updated.

https://retirejs.github.io/retire.js/


And finally, spend your Sunday patching OpenSSL.

https://thehackernews.com/2021/03/openssl-releases-patches-for-2-high.html


Have a secure week, everyone.

Application Security This Week for March 14

Happy pi day!


Missive on the insecurity of C as a programming language.

https://daniel.haxx.se/blog/2021/03/09/half-of-curls-vulnerabilities-are-c-mistakes/


Regex is easily exploitable for denial of service attacks.

https://blog.doyensec.com/2021/03/11/regexploit.html


It might be too late to register, but Veracode is holding a Capture The Flag competition for students.

https://www.veracode.com/events/hacker-games


Have a secure week.

Application Security This Week for March 7

This is a pop culture article (from Wired) about why mobile applications can be insecure, but it is well written.  It might be behind a paywall for some of you; if so, I'm sorry.

https://www.wired.com/story/ios-android-leaky-apps-cloud/


Good writeup on the Apache Velocity vulnerability.

https://securitylab.github.com/advisories/GHSL-2020-048-apache-velocity


Look, more supply chain problems! Yay! 3,500 PyPI packages corrupt, and a tool to discover them.

https://github.com/pypa/pypi-support/issues/923


And finally, a series that begins with DLL Search Order Hijacking, something similar to what I have added to this newsletter before. Worth keeping an eye on.

https://github.com/pypa/pypi-support/issues/923



Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.



