Application Security This Week for January 12

Post-CodeMash edition!

 

The Government of Gibraltar had a SQL Injection vulnerability in the site that hosts their laws.  That wouldn't end well.

https://www.theregister.co.uk/2020/01/07/gibraltar_sql_vuln_allowed_law_editing/

 

There is an actual practical attack against SHA-1 that has been PoC'd.  If you are still using SHA-1 for session tokens, you might want to consider something else.

https://www.schneier.com/blog/archives/2020/01/new_sha-1_attac.html

 

Half of WASM code is used to write malware.  I'm not completely sure, but I think I called this one.

https://www.zdnet.com/google-amp/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes/

 

Huge big ginormous remote code execution flaw in Citrix.  TrustedSec has a good writeup.

https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/

 

That's the news, folks.  Stay safe.

Application Security This Week for January 5

Pre-CodeMash Edition!

 

Adam Caudill is a personal friend of mine and has forgotten more about application security than I will learn. He manages a cool web scanner called YAWAST, which is awesome. There is news about future plans.

https://adamcaudill.com/2020/01/05/yawast-news-mission/

 

Good writeup on iOS application injection.

https://arjunbrar.com/post/ios-application-injection

 

OWASP Juice Shop has been added to the Open Reference Architecture for Security.

https://security-and-privacy-reference-architecture.readthedocs.io/en/latest/securitycourses.html#owasp-juice-shop

 

SANS Holiday Hack CTF is up.  I forgot about it earlier.

https://isc.sans.edu/diary/rss/25672

 

News from CodeMash next issue!

Application Security This Week for December 29

It's the holiday edition!  No I'm kidding it's the same stuff as usual.  Sorry.

 

Apparently there is a chat app that is literally spyware developed by a nation state.  This isn't a political blog, but the technical implications are deep. Here's a good writeup.

https://objective-see.com/blog/blog_0x52.html

 

I'm all about supply chain issues, and this is a really good analysis of risks involved with package managers like npm.

https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/

 

Someone reverse engineered an RSA token, and is using it to bypass two factor in the wild.

https://www.schneier.com/blog/archives/2019/12/chinese_hackers_1.html

 

That's the news folks.  See you next decade.

Application Security This Week for December 22

Hope everyone has a good holiday.

 

You probably heard that the Russian offices of nginx were raided by the government.  F5 is doing a code review.

https://www.msn.com/en-us/news/technology/f5-networks-secures-ngnix-software-builds-as-precaution-after-visit-from-russian-law-enforcement/ar-BBY357u?ocid=ARWLCHR

 

Solid research on privilege escalation in Amazon Web Services.  Very real problem.

https://know.bishopfox.com/research/privilege-escalation-in-aws

 

Do you want to bone up on real world appsec skills over the week?  I recommend the PortSwigger Web Academy.

https://portswigger.net/web-security

 

That's the news.

Application Security This Week for December 15

Nice writeup that explains a pivot from an iPhone app all the way through to domain access via chained exploits. Application security is hard.

https://decoder.cloud/2019/12/12/from-iphone-to-nt-authoritysystem/

 

The security.txt file is close to becoming an IETF standard.

https://mailarchive.ietf.org/arch/msg/ietf-announce/OFuiGlVv6WgvEEABaGmnYi120yU

 

Cool Azure horizontal privilege escalation writeup using the cloud shell.

https://blog.netspi.com/attacking-azure-cloud-shell/

 

That's the news. Hope everyone is having a stress-free holiday.

Application Security This Week for December 8

My favorite thing this week: SwiftOnSecurity accidentally dropped a Confluence 0-day on Twitter.  Oopsie.

https://www.theregister.co.uk/2019/12/05/atlassian_zero_day_bug/

 

An Android spoofing vulnerability is already being exploited by bank thieves.  Hard to write secure apps when the platform doesn't help.

https://arstechnica.com/information-technology/2019/12/vulnerability-in-fully-patched-android-phones-under-active-attack-by-bank-thieves/

 

On that topic, here's a cool primer on Android reverse engineering.

https://maddiestone.github.io/AndroidAppRE/

 

TruffleHog is a new (and still a little rough) script to sniff out secrets from GitHub repos.

https://www.darknet.org.uk/2019/12/trufflehog-search-git-for-high-entropy-strings-with-commit-history/

 

AWS built a tool to yell at you if you have open S3 buckets.

https://www.theregister.co.uk/2019/12/03/aws_s3_buckets/

 

That's the news, folks.  Stay safe out there.

Application Security This Week for December 1

Fortinet is communicating with static keys and a simple XOR.  Whoops.

https://sec-consult.com/en/blog/advisories/weak-encryption-cipher-and-hardcoded-cryptographic-keys-in-fortinet-products/

 

An Android GIF library has an interesting vulnerability that will affect many applications.

https://seclists.org/fulldisclosure/2019/Nov/27

 

An OWASP member made a neat ZAP plugin that helps to attack deployed Kubernetes applications.

https://github.com/omerlh/zap-operator

 

Hope everyone had a great Thanksgiving.

Application Security This Week for November 24

Github is starting SecurityLab.  It's part knowledge sharing, part secure coding, part bounty hunting, and it is pretty neat.

https://securitylab.github.com/

 

Stacey on IoT has a good writeup on device and container security, citing this Trend Micro report:

https://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2020

Subscribe to her newsletter!

https://staceyoniot.com/

 

TrustedSec, an infosec firm in Cleveland run by my friend Dave Kennedy, has open sourced their legal documentation for physical pentesting in order to try and prevent another Iowa.

https://github.com/trustedsec/physical-docs

Read more about why here:

https://www.trustedsec.com/blog/a-message-of-support-coalfire-consultants-charged/

 

Cool writeup of a DOM clobbering vulnerability.  I think DOM XSS will become more of a thing as browsers get more and more power.

https://research.securitum.com/xss-in-amp4email-dom-clobbering/

 

That's the news!

Application Security This Week for November 17

Great breakdown on finding bugs in an OAuth flow.

https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html

 

Only arguably appsec, but there is an artificial intelligence story writer that was determined to be too powerful to release into the wild, and it has been released into the wild.

https://nakedsecurity.sophos.com/2019/11/11/ai-wordsmith-too-dangerous-to-be-released-has-been-released/

 

Remember when WordPress malware was all the rage?  Well, now it is Slack themes.

https://fletchto99.dev/2019/november/slack-vulnerability/

 

I am a web guy, not an OS guy, so I learned a ton from this rootkit primer.

https://capsule8.com/blog/dont-get-kicked-out-a-tale-of-rootkits-and-other-backdoors/

 

That's the news, folks.

Application Security This Week for November 10

Microsoft has a really good article on using a semantic query language to find exploitable DOM XSS findings. Honestly the whole series is recommended, but the DOM XSS one here is particularly good.

https://msrc-blog.microsoft.com/2018/08/16/vulnerability-hunting-with-semmle-ql-part-1/

 

Google Project Zero revealed a UAF bug in Android a bit ago, and here is an awesome analysis of how it happened.  Good reading for mobile devs especially, but I certainly learned stuff too.

https://dayzerosec.com/posts/analyzing-androids-cve-2019-2215-dev-binder-uaf/

 

In continuing supply chain news, Armor has a good article on Managed Service Providers being a strong candidate for Malware Distributors of the Year.

https://www.armor.com/reports/new-msps-compromised-reports-armor/

 

That's the news!

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
