Application Security This Week for November 18

Here's a new set of training wheels for MetaSploit.  It's a little bumpy, but it is pretty decent as an intro to using scripting tools for exploitative pentesting.

https://github.com/M4cs/BabySploit/blob/master/README.md

 

A really good analysis of some PHP malware.  Beneficial reading for red and blue teams. As usual, please be careful playing with malware on your corporate network (or any other network).

https://blog.manchestergreyhats.co.uk/2018/11/07/php-malware-examination/

 

A new XSS detection tool with some nice hand-written parsers.

https://github.com/s0md3v/XSStrike

 

And that's the news!

Application Security This Week for November 11

Happy Veterans Day. Please make sure that this isn't the only day of the year that you take the time to do something for a veteran in your life.

 

The OWASP Top 10 project has added the Serverless Application Top 10 to the collection.

https://github.com/OWASP/Serverless-Top-10-Project/

 

Here's a good analysis of a live example of an Android banking trojan.

https://lukasstefanko.com/2018/11/video-analysis-of-android-banking-trojan-found-on-google-play.html

 

A malicious FaceTime caller can cause a kernal panic in some devices.

https://bugs.chromium.org/p/project-zero/issues/detail?id=1641

 

Squally is a purposefully vulnerable video game to teach hacking of games.  Neat idea.

https://squallygame.com/

 

Struts has yet another RCE bug.

https://www.theregister.co.uk/2018/11/07/flaw_in_apache_struts/

 

There is a XSS bug in Evernote!

https://securityaffairs.co/wordpress/77789/hacking/evernote-xss-flaw.html

 

And that's the news.

Application Security This Week for November 4

A new-to-me file upload vulnerability scanner got an update recently - worth a look.

https://github.com/almandin/fuxploider

 

Not a very USEFUL vulnerability, but someone figured out how to bypass Chrome's security model for cookies.

https://mango.pdf.zone/stealing-chrome-cookies-without-a-password

 

Telerik (a developer tools company) has a good post on XSS and Content Security Policy.

https://www.telerik.com/blogs/on-cross-site-scripting-and-content-security-policy

 

And that's the news!

Application Security This Week for October 28

A flaw in X.Org is exploitable with a tweet sized attack.

https://lists.x.org/archives/xorg-announce/2018-October/002927.html

https://hacker.house/releasez/expl0itz/openbsd-0day-cve-2018-14665.sh

 

A malformed IPv6 packet can take over a Linux box. Thanks, SystemD.

https://www.theregister.co.uk/2018/10/26/systemd_dhcpv6_rce/

 

Twelve malicious Python libraries were found and removed from PyPi.

https://www.zdnet.com/article/twelve-malicious-python-libraries-found-and-removed-from-pypi/

 

And that's the news!

 

Application Security this week for October 21

The "Man that was a hell of a flu bug" edition. Stay healthy, everyone.

 

SSH bypass by ... wait for it ... telling the server your request is granted.  These are not the vulnerabilities you are looking for.  They can go on their way.

https://www.libssh.org/security/advisories/CVE-2018-10933.txt

 

PHP 5.6 support is ending.  That's a whole lot of websites.

https://www.zdnet.com/article/around-62-of-all-internet-sites-will-run-an-unsupported-php-version-in-10-weeks/

 

RCE in URL handling in Edge.  Positive security model, people.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8495

 

Oracle released 300 patches, most of them critical or high.  Not sure if this is good or bad.

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

 

jQuery File Upload has a serious bug that has been being exploited for three years.  Go update those old applications.

https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/

 

Here's a new SSL testing contender.  I haven't tried it yet but I will tomorrow.  Let me know what you think if you use it.

https://testssl.sh/

 

And that's the news.

Application Security This Week for October 7

Authentication bypass vulnerability in Western Digital My Cloud allows escalation to admin privileges.  Obscure finding, but neat bug.

https://www.securify.nl/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html

 

EIGHTY FIVE findings in latest Adobe Reader patch.

https://www.theregister.co.uk/AMP/2018/10/02/adobe_acrobat_reader_patch/

 

It looks like we might be getting a foothold on the war against malware.

https://www.infosecurity-magazine.com/news/malware-less-common-in-q2-still/

 

And that's the news!

Application Security This Week for September 30

The "Wow, it's been a busy month" edition.

 

Apple took "Adware Doctor" out of the store because it was stealing data.  How did no one notice this?

https://www.infosecurity-magazine.com/news/apple-removes-security-tool/

 

There is a new search engine for researching exploits.

https://sploitus.com/

 

Google open sourced their file upload protection tool.

https://github.com/google/wuffs

 

A cheat sheet for Angular web security.

https://cheatsheets.pragmaticwebsecurity.com/angularowasptop10

 

SharpSploit: a C# post-exploitation library.

https://posts.specterops.io/introducing-sharpsploit-a-c-post-exploitation-library-5c7be5f16c51

 

 

Application Security This Week for September 9

MWR Labs describes use of HTTP Referer headers to execute DNS rebinding attacks on AWS-hosted analytics systems

https://labs.mwrinfosecurity.com/blog/from-http-referer-to-aws-security-credentials/

 

Malicious PowerShell Compiling C# Code on the Fly

https://isc.sans.edu/diary/rss/24072

 

Interesting bug in Chromium

https://bugs.chromium.org/p/chromium/issues/detail?id=881410

 

Holy crap there are a lot of Cisco security patches this month.

https://tools.cisco.com/security/center/publicationListing.x

Application Security This Week for September 2

Mazen Ahmed write an exploit for the new Struts CVE.

https://github.com/mazen160/struts-pwn_CVE-2018-11776

 

Speaking of the CVE program, and MITRE in general, Steve Ragan got a solid scoop on congress planning a revamp.

https://www.csoonline.com/article/3300753/security/congress-pushes-mitre-to-fix-cve-program-suggests-regular-reviews-and-stable-funding.html

 

Secure Ideas started a blog seried on CORS, CSRF, and Clickjacking which is off to a good start

https://blog.secureideas.com/2018/07/three-c-words-of-web-app-security-part-1-cors.html

 

The Fortnite Android app is vulnerable to a really very unique flaw, Man-on-the-disk.  

https://www.theregister.co.uk/AMP/2018/08/29/android_external_storage_man_in_the_disk/

 

Speaking of weird flaws, people have started registering skills on Alexa with phonetically similar names as common commands. It's called Skill Squatting.

https://www.usenix.org/conference/usenixsecurity18/presentation/kumar

 

And that's the news!

Application Security This Week for August 26

Big, big news out of Portswigger this week.  I'm a huge fan of OWASP ZAP, and use it daily, but this is a major uptick in web analysis tools.

A new API for Burp Suite (something ZAP has had for years) https://portswigger.net/blog/burps-new-rest-api

The introduction of 2.0 https://portswigger.net/blog/burp-suite-2-0-beta-now-available

And finally the introduction of Enterprise Edition, which effectively adds scalibility https://portswigger.net/blog/burp-suite-enterprise-edition

Really solid week of announcements.

 

In other news, AppSec consulting hits it out of the park again with advice on securing third-party JavaScript.

https://www.appsecconsulting.com/blog/securing-third-party-javascript

 

A major flaw was found in GhostScript.  If you are parsing document formats like PDF or XPS, get your patch on!

https://www.kb.cert.org/vuls/id/332928

 

Another Struts RCE vulnerability.  "I'm shocked!" said nobody, ever.

https://cwiki.apache.org/confluence/display/WW/S2-057

 

Bitdefender published a whitepaper on the next phase of Android malware, and it is worth a read.

https://www.bitdefender.com/files/News/CaseStudies/study/234/Bitdefender-Whitepaper-Triout-The-Malware-Framework-for-Android-That-Packs-Potent-Spyware-Capabilities.pdf

 

And that's the news!

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList