Application Security This Week for March 22

Quarantine edition.

 

Microsoft patches the newest SMB flaw.  Stop using SMB.

https://nakedsecurity.sophos.com/2020/03/16/microsoft-patches-wormable-windows-10-smbghost-flaw/

 

Microsoft bought npm.  This should be interesting.

https://www.windowscentral.com/microsofts-github-acquires-npm-help-javascript-developers

 

There are a ton of folks streaming and running virtual conferences right now. Watch them. I'm watching PancakesCon right now. Even if you are an introvert, it's good for your mental health.

https://tisiphone.net/2020/03/15/pancakescon-2020-quarantine-edition/

 

Keep safe, keep aware.  We are in condition orange.  Distance yourself from poisonous people (and I don't mean ill people).  Help out your neighbors if you can.

Application Security This Week for March 15

SMBv3 is borked.  Block port 445.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005

 

Sometimes I hate the human race.  Someone built a fake COVID-19 map and is using it to spread malware.

https://www.grahamcluley.com/coronavirus-map-used-to-spread-malware/

 

Not an appsec thing but NordVPN got popped - again.

https://www.theregister.co.uk/2020/03/06/nordvpn_no_auth_needed_view_user_payments/

 

Really neat exploit on file upload in web applications that allows NTLMv2 hash theft.

http://www.mannulinux.org/2020/03/abusing-file-system-functions-in-web.html?m=1

 

Another neat finding from a bug bounty with CSRF in a JSON web service.

https://medium.com/@secureITmania/how-i-exploit-the-json-csrf-with-method-override-technique-71c0a9a7f3b0

 

Stay safe - and healthy - folks.

Application Security This Week for March 8

NordVPN has yet another interesting application security vulnerability.

https://www.theregister.co.uk/2020/03/06/nordvpn_no_auth_needed_view_user_payments/

 

The University of Cincinnati has open sourced its malware reverse engineering class.

https://class.malware.re/

 

Not new but new to me: 23 node.js security tips.

https://medium.com/@nodepractices/were-under-attack-23-node-js-security-best-practices-e33c146cb87d

 

That's the news!

Application Security This Week for March 1

From @baskarmib on Twitter, we have an example of malware that will steal your Google authenticator codes.

https://www.zdnet.com/google-amp/article/android-malware-can-steal-google-authenticator-2fa-codes/?__twitter_impression=true

 

OK, I know we have a love-hate relationship with ISC2, but they put out a cloud security paper, and it is really good.

https://blog.isc2.org/isc2_blog/2020/02/white-paper-on-cloud-security-risks-and-how-to-mitigate-them.html

 

Google is now explicitly suggesting that developers encrypt data used by their applications, on the device.

https://thehackernews.com/2020/02/android-app-data-encryption.html?m=1

 

Lots of Google today.  Their security team has a good whitepaper on malicious document detection.

https://security.googleblog.com/2020/02/improving-malicious-document-detection.html

 

Finally, if you aren't getting Violet Blue's weekly security roundup, you are missing out.  Lots of good stuff.

https://www.patreon.com/posts/cybersecurity-25-34318466

 

That's the news, folks.  Stay safe.

Application Security This Week for February 23

Portswigger (the company that makes Burp Suite) is out with their Top 10 web application hacking techniques.

https://portswigger.net/research/top-10-web-hacking-techniques-of-2019

 

Solid evidence that APIs are becoming the main target for credential stuffing attacks.

https://www.csoonline.com/article/3527858/apis-are-becoming-a-major-target-for-credential-stuffing-attacks.html

 

Another decent writeup for template injection.  Attacks like this are becoming SO much more common in SPAs.

http://ghostlulz.com/angularjs-client-side-template-injection-xss/

 

That's the news, people.  Stay safe out there.

Application Security This Week for February 16

From the Absolute AppSec Podcast - learned about a really great article on how Account Enumeration is exploited.  I get pushback when I put it on reports, but it's a real vulnerability.

https://sidechannel.tempestsi.com/once-upon-a-time-there-was-an-account-enumeration-4cf8ca7cd6c1
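To make the point concrete for anyone pushing back on that report finding, here is an added example (mine, not from the linked article) of the two ways a login handler leaks account existence: a different error message for "no such user" versus "wrong password", and a faster response when the user is missing because no password hash gets computed. The user store, salts and passwords below are constructed for the example.

```python
import hashlib
import hmac


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example self-contained; any slow hash works the same way here.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user store for the example: username -> (salt, stored hash).
_ALICE_SALT = b"example-salt-alice"  # fixed so the example is deterministic
USERS = {"alice": (_ALICE_SALT, _hash_password("hunter2-example", _ALICE_SALT))}

# Dummy record so the "no such user" path does the same PBKDF2 work as the
# real path; otherwise response time alone reveals which usernames exist.
_DUMMY_SALT = b"example-salt-dummy"
_DUMMY_HASH = _hash_password("not-a-real-password", _DUMMY_SALT)


def login_leaky(username: str, password: str):
    """The 'before': a different message (and different work) per failure cause."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown username"  # tells the caller the account does not exist
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return False, "Incorrect password"  # confirms the account does exist
    return True, "Welcome"


GENERIC_FAILURE = "Invalid username or password"


def login_uniform(username: str, password: str):
    """The 'after': one message and one code path whichever part was wrong."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # The hash is always computed, so timing is the same for real and missing users.
    password_ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if username in USERS and password_ok:
        return True, "Welcome"
    return False, GENERIC_FAILURE


def responses_distinguish_users(login) -> bool:
    """True if an observer can tell a missing account from a wrong password."""
    _, missing = login("nobody", "whatever")
    _, wrong = login("alice", "whatever")
    return missing != wrong


if __name__ == "__main__":
    for handler in (login_leaky, login_uniform):
        print(handler.__name__, "leaks account existence:",
              responses_distinguish_users(handler))
```

Registration ("that email is already taken") and password reset ("no account with that address") need the same treatment as the login path, or the fix just moves the oracle elsewhere.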

 

Chrome is going to start blocking mixed content downloads, which are HTTPS pages that have links to HTTP files.  Search your codebase for HTTP!

https://blog.chromium.org/2020/02/protecting-users-from-insecure.html?m=1
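"Search your codebase for HTTP" is easy to say and tedious to do by hand, so here is an added example (my code, not Chromium's or anything from the linked post) that parses HTML files and reports every plain-http reference, flagging the ones that look like downloads. The sample page and the download-extension list are assumptions made for the example; Chrome's actual rollout was by file type, so treat the list as a starting point.

```python
import posixpath
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit

# Attributes that can carry a fetchable URL.
URL_ATTRS = {"href", "src", "action", "formaction", "data", "poster"}
# Extensions treated as downloads; an assumption for the example, extend as needed.
DOWNLOAD_EXTS = {".exe", ".msi", ".dmg", ".pkg", ".apk", ".jar", ".zip", ".iso", ".pdf"}

# Constructed sample page for the example, imagined as served over HTTPS.
SAMPLE_HTML = """
<html><body>
<a href="http://files.example.com/setup.exe" download>Get the installer</a>
<a href="https://files.example.com/setup.exe">HTTPS copy, fine</a>
<img src="http://cdn.example.com/logo.png">
<script src="//cdn.example.com/app.js"></script>
<a href="HTTP://FILES.EXAMPLE.COM/tool.zip">Scheme in caps still counts</a>
</body></html>
"""


class MixedContentParser(HTMLParser):
    """Collects every http:// reference, tagging the ones that look like downloads."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # tag and attribute names arrive lowercased
        forced_download = tag == "a" and "download" in attrs
        for name, value in attrs.items():
            if name not in URL_ATTRS or not value:
                continue
            parts = urlsplit(value.strip())
            if parts.scheme.lower() != "http":  # https and protocol-relative (//) pass
                continue
            ext = posixpath.splitext(parts.path)[1].lower()
            self.findings.append({
                "line": self.getpos()[0],
                "tag": tag,
                "attr": name,
                "url": value,
                "download": forced_download or ext in DOWNLOAD_EXTS,
            })


def find_mixed_content(html: str) -> list:
    """Return the http:// references found in one HTML document, in source order."""
    parser = MixedContentParser()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_tree(root: str, suffixes=(".html", ".htm")) -> dict:
    """Walk a checkout and map each file that has findings to its list of findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_mixed_content(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    for f in find_mixed_content(SAMPLE_HTML):
        kind = "DOWNLOAD" if f["download"] else "resource"
        print(f"line {f['line']}: <{f['tag']} {f['attr']}> {f['url']} [{kind}]")
```

Run `scan_tree(".")` from the web root to get a per-file report; links generated in templates or JavaScript won't show up here, which is why a crawl of the rendered site (Burp or ZAP both log mixed content) is the second half of the check.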

 

America isn't the only country leaving their data exposed.

https://www.zdnet.com/article/netanyahus-party-exposes-data-on-over-6-4-million-israelis/

 

Exposing secrets in source code is a real thing.  I discovered a very cool tool that helps (if you are working in VS Code, which you should be) called Cloak.

https://johnpapa.net/hide-your-secrets-in-vs-code-with-cloak/

 

Finally, I have mixed feelings about this one.  Firefox will stop supporting TLS 1.0 and 1.1 soon and other browsers will surely follow.  I get it, there are flaws in those protocols, but they are better than nothing.  This feels a lot like gatekeeping to me (older machines run older browsers), and regular readers know that I am not saying that out of political correctness. Lemme know what you think in the comments.

https://www.theregister.co.uk/2020/02/10/tls_10_11_firefox_complete_eradication/

 

That's the news, folks.  Stay safe.

Application Security This Week for February 9

Christian Pedersen wrote a cool scanner for the Netscaler Gateway flaw, and is hosting it on Azure. 

https://cve-2019-19781.azurewebsites.net/

It is based on the TrustedSec POC.

https://github.com/trustedsec/cve-2019-19781

 

Wacom tablets call the mothership every time you load up an application. The writeup has a fantastic breakdown on how to use available tools to find this shittery.

https://robertheaton.com/2020/02/05/wacom-drawing-tablets-track-name-of-every-application-you-open/

 

The Twitter API was exploitable by a direct object reference flaw that exposed phone numbers of users.

https://www.theregister.co.uk/2020/02/04/twitter_phone_numbers/

 

An ancient bug in Sudo (well, by software standards anyway) allowed nonprivileged users to, well, do what superusers do.

https://thehackernews.com/2020/02/sudo-linux-vulnerability.html

 

That's the news folks.  Keep it frosty.

 

Application Security This Week for February 2nd

Simon Bennetts reminds me that OWASP ZAP also has a shiny new web presence, and an upgraded executable to go with it.

https://twitter.com/psiinon/status/1221482927768395778

https://www.zaproxy.org/docs/desktop/releases/2.9.0/

 

Good research on abusing Windows DLL misconfigurations.

https://www.fireeye.com/blog/threat-research/2020/01/abusing-dll-misconfigurations.html

 

More Azure problems - a good old-fashioned buffer overflow in the Stack.

https://thehackernews.com/2020/01/microsoft-azure-vulnerabilities.html?m=1

 

That's the news.  Stay safe out there.

Application Security This Week for January 26

You know that open S3 buckets are one of my pet peeves - well guess what.  Azure isn't any better.

https://www.zdnet.com/article/microsoft-discloses-security-breach-of-customer-support-database/

 

OWASP has launched their new web page based on GitHub. Controversial decision.  Starting to take shape, though.

https://owasp.org/

https://owasp.org/website/2020/01/15/website-migration-journey.html

 

Credential stuffing is rapidly becoming the appsec story of 2020. Check your users' passwords against the most common passwords list.

https://www.wired.com/story/disney-plus-hacks-credential-stuffing/

https://github.com/filtration/pullit

https://haveibeenpwned.com/Passwords
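Checking a password against the Pwned Passwords list doesn't mean sending the password anywhere: the range API takes the first five hex characters of the SHA-1 and returns every matching suffix, so the server never learns which hash you hold. Here is an added example (my code, not HIBP's) of that k-anonymity lookup wired into a registration check. The range response embedded below is a constructed stand-in with made-up counts, except that the first suffix really is the SHA-1 of "password"; `live_range_lookup` talks to the real endpoint if you swap it in.

```python
import hashlib
import urllib.request

# Constructed stand-in for the body of GET https://api.pwnedpasswords.com/range/5BAA6:
# one "SUFFIX:COUNT" line per leaked hash that shares the 5-char prefix.
# Counts are invented for the example; only the first suffix is a real SHA-1.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"  # sha1("password") minus prefix
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\r\n"
    ),
}


def hibp_split(password: str):
    """SHA-1 the password; return the 5-char prefix that is sent and the
    35-char suffix that stays on this host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Turn the 'SUFFIX:COUNT' lines of a range response into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for the API call, serving the constructed sample above."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def live_range_lookup(prefix: str) -> str:
    """Real lookup against the Pwned Passwords range endpoint (network required).
    Add-Padding asks the service to pad the reply so its size reveals nothing."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_lookup=fake_range_lookup) -> int:
    """How many times the password appears in the corpus (0 = not found).
    Only the hash prefix ever reaches range_lookup."""
    prefix, suffix = hibp_split(password)
    counts = parse_range_response(range_lookup(prefix))
    return counts.get(suffix, 0)


def password_acceptable(password: str, range_lookup=fake_range_lookup) -> bool:
    """Policy hook for a registration or password-change handler."""
    return pwned_count(password, range_lookup) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 2020"):
        n = pwned_count(candidate)
        print(f"{candidate!r}: seen {n} times -> {'reject' if n else 'accept'}")
```

Fail open or closed when the lookup errors is a policy call; for a signup form, logging the failure and accepting is usually the right trade, while a forced reset after an incident should fail closed.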

 

That's the news, folks.

Application Security This Week for January 19

Good Twitter thread on JavaScript based redirection and Cross-site Scripting.

https://twitter.com/hakluke/status/1216524131421655041

 

I use Burp Suite for a lot of my testing (though I do love ZAP as well).  Here is their roadmap for the next year or so.

https://portswigger.net/blog/burp-suite-roadmap-for-2020

 

You have probably heard that Microsoft's CryptoAPI has a bug.  The US Government has a good writeup.

https://www.us-cert.gov/ncas/alerts/aa20-014a

 

Speaking of governments, the UK cybercommand has a really great article on security antipatterns.

https://www.ncsc.gov.uk/whitepaper/security-architecture-anti-patterns

 

And finally: SHA-1 is now provably broken.  Time to move on from it as a session identifier.

https://eprint.iacr.org/2020/014.pdf

 

That's the news, folks.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 
