Application Security This Week for April 28

Another Weblogic deserialization bug.

https://securityaffairs.co/wordpress/84450/breaking-news/oracle-weblogic-zeroday.html

I have a PR in for Nikto for it

https://github.com/sullo/nikto/pull/607

 

A reminder that application security is more than SQL Injection: good analysis of the bugs that caused the 737 Max wrecks. I had to drop it in Pastebin because IEEE put it behind the paywall.

https://pastebin.com/QEiKvvMM

 

Using Git dotfiles to bypass authentication.

https://blog.assetnote.io/bug-bounty/2019/04/23/getting-access-zendesk-gcp/

 

ZDNet, of all places, has a really good, plain language explainer of credential stuffing.

https://www.zdnet.com/article/an-inside-look-at-how-credential-stuffing-operations-work/

 

Little more on the dev side - 10 articles reviewed about using Python in machine learning.

https://hackernoon.com/10-great-articles-on-python-development-6f54dd38437f

 

And that 's the news!  I'll be on vacation next week, so see you on the 12th.

 

 

Application Security This Week for April 21

Hacky Easter is on!  Go get your CTF rolling.

https://hackyeaster.hacking-lab.com/hackyeaster/

 

XXE discovered in IE 11.

https://seclists.org/fulldisclosure/2019/Apr/20

 

DNS attacks are very much on the rise

https://www.engadget.com/2019/02/24/icann-warns-of-dns-attacks/?ncid=txtlnkusaolp00000618

https://www.golem.de/news/subdomain-takeover-microsoft-loses-control-over-windows-tiles-1904-140717.html

 

YAWAST goes to 0.7.  I use it on every test for recon.

https://adamcaudill.com/2019/04/19/yawast-v0-7-released/

 

Great overview of a white hat attack of a "secure" application.

https://securityaffairs.co/wordpress/84219/breaking-news/hacker-broke-tchap.html

 

That's the news, folks!

Application Security This Week for April 14

The Stack Overflow Survey is out and has some interesting insights

https://insights.stackoverflow.com/survey/2019

 

Rebex has built a tool to scan SSH servers, similar to the Qualis SSL scan

https://sshcheck.com/

 

A new OWASP project that I'm participating in is aiming at inventorying and improving the overall security postures of package managers - take a look

https://github.com/OWASP/packman

 

And that's the news!

Application Security This Week for April 7

PortSwigger has replaced the exercises in the Web Application Security Hacker's Handbook with the new Web Academy.

https://portswigger.net/web-security

 

An ARM assembler - in JavaScript.  I don't even have the words, this is so awesome.

https://azm.azerialabs.com/

 

Writing a talk?  Here are 60 information security statistics with corresponding references.

https://itblogr.com/60-must-know-cybersecurity-statistics-for-2019/

 

Google has started their own vulnerability database.  I'm not sure why, we already have several, but it is worth a look.

https://www.vulncode-db.com/

 

And that's the news!

Application Security This Week for March 31

No April Fools here.

 

Solid primer on using burp Collaborator for blind command injection.  One of the real benefits of Burp over ZAP.

https://threat.tevora.com/stop-collaborate-and-listen/

 

Bruce weighs in on a study where freelance devs were checked for their secure coding.  It didn't go well.

https://www.schneier.com/blog/archives/2019/03/programmers_who.html

 

A new tool for testing on Windows.  Now, I don't use Windows for EVERYTHING but it is nice for a lot of things.  I'll be checking this out.

https://securityaffairs.co/wordpress/83065/hacking/commando-vm-windows.html

 

And that's the news!

Application Security This Week for March 24

Bruce has some thoughts on a well-circulated article suggesting that application security isn't that important after all.

https://www.schneier.com/blog/archives/2019/03/an_argument_tha.html

 

Solid analysis of SimBad, a rogue malware campaign that infiltrated the Google Play store.

https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/

 

Terrifying tool that creates a spoofed cert for any website and signs an executable for AV Evasion.

https://github.com/paranoidninja/CarbonCopy

 

More awesome research from Rapid7, on deserialization bugs.  A topic, as regular readers know, that is near and dear to my heart.

https://www.rapid7.com/research/report/exploiting-jsos/

 

And that's the news!

Application Security This Week for March 17

Android malware had almost 150 MILLION Googe Play Store downloads before it is was discovered and pulled.

https://www.theverge.com/2019/3/13/18263739/android-adware-simbad-google-play-store

 

Awesome User Access Control bypass that never saves anything to disk.  As always PLEASE be careful playing with malware.

https://www.activecyber.us/activelabs/windows-uac-bypass

I wrote something similar for FALE a LOOOONG time ago but the ActiveLabs tool is better.

https://github.com/lockfale/DotNetAVBypass-Master

 

It's old home week.  Subdomain brute forcing tool in VISUAL BASIC 6!!  If anyone gets this up and running let me know, I would, but it triggers my PTSD.

https://github.com/visualbasic6/subdomain-bruteforce

 

Thanks to Jim Holmes to tuning me into this list - collected exploits for web attacks.  

https://github.com/swisskyrepo/PayloadsAllTheThings

 

And that's the news!!

Application Security This Week for March 10

The NSA has open sourced their internal reverse engineering tool.  It's so good, many consultants I know and trust have moved to it from IDA.

https://ghidra-sre.org/

 

This is a great story from the Verge that reminds us all to occasionally look at the ANSI alphabet for attacks ... and passwords.

https://www.theverge.com/tldr/2019/3/5/18252150/bad-password-security-data-breach-taiwan-ji32k7au4a83-have-i-been-pwned

 

Remember that guy, who might or might not write this blog, who said that SPECTRE isn't a real vulnerability and it will never be exploitable?  Well, he was wrong.  Again.

https://www.theregister.co.uk/2019/03/05/spoiler_intel_processor_flaw/

 

In the department of Standing On The Shoulders of Giants, we have a ring of GitHub accounts that are promoting forked and backdoored versions of popular software.

https://www.zdnet.com/article/researchers-uncover-ring-of-github-accounts-promoting-300-backdoored-apps/

 

And that's the news!

 

Test apps for vulnerabilities that enable phishing

As the network boundary becomes more ephemeral, and attackers don't have obvious kickoff points for attacks as often, they are resorting more and more to the human angle.  This is not news to any reader of this blog, I am certain. Physical attacks notwithstanding, the best place to stage an attack against the humans that run the systems is via phishing - using email, SMS, forum comments, customer service requests, or other communication to trick the people that have the keys to applications into giving them up.

Phishing increased 250% in 2018, according to Microsoft.

Vulnerabilities in applications are  a key vector in phishing - not the most common vector, but a key vector.  Nonetheless, we are testing for them more and more rarely.  For instance, unvalidated requests and forwards dropped from the OWASP Top 10 in 2017, as was Cross Site REquest Forgery, even though they are used in a significant portion of phishing attacks.  I get it, SQL Injection is more damaging and Cross Site Scripting is sexier, but these identity attacks are what the attackers are doing these days.

Bottom line, you have to be checking for these vulnerabilities.  Here is an incomplete list:

  • Unvalidated Requests and Forwards
  • Cross Site Request Forgery
  • Cross Site Scripting
  • Host Header Poisoning
  • Lack of Two Factor Authentication
  • CORS Policy Violations
  • Improper Handling of HTTP Verbs
  • Out of Date or Insecure Third Party Components

I'll do a little more research on this topic and see if I can't get together a testing guide on this, but in the meantime I think you will find guidance in the new OWASP ASVS v4.0.

Application Security This Week for March 3

A new tool for finding malicious JavaScript and securely using external libraries.

https://blog.focal-point.com/a-new-tool-for-finding-malicious-javascript-and-securely-using-external-libraries

 

Acunetix has it's annual report out.  Gotta give them your dox though, sorry.

https://www.acunetix.com/acunetix-web-application-vulnerability-report/?utm_source=hacktools&utm_campaign=security&utm_medium=content

 

Portswigger has their annual report out too.  You do NOT need to give them your dox.  Just sayin.

https://portswigger.net/blog/top-10-web-hacking-techniques-of-2018

 

Really cool video that shows the non-FUD dangers of digital exploitation, without using a single website, computer, or black hoodie.

https://www.grahamcluley.com/cybersecurity-video-no-computers/

 

New Google Translate exploit. Funny, because I used Google Translate as a counter-example in my REST security talk.

https://github.com/ljmf00/google-translate-exploit

 

Universal RCE with Ruby YAML.load()

https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/

 

And that's the news!

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList