Application Security This Week for August 16

Microsoft pushed a change to ASP.NET for a DoS vulnerability.  Not only should you patch, but looking at the change control is worth your time.

https://github.com/aspnet/Announcements/issues/431

 

Speaking of .NET, Adam Chester has an awesome article about the debugger that is worth a look.

https://blog.xpnsec.com/debugging-into-net/

 

Sonatype has their annual report on the Software Supply Chain ready, which is a topic near and dear to my heart. You have to give them your email, but it is worth it.

https://www.sonatype.com/2020ssc

I spoke to the .NET Dev Group in Columbus about this topic in March and it got a little spicy.

https://www.youtube.com/watch?v=KWt0Brcc2Ag

 

Finally, here is another good analysis paper on the application security development lifecycle.

https://www.veracode.com/sites/default/files/pdf/resources/surveyreports/esg-modern-application-development-security-veracode-survey-report.pdf

 

Stay safe and well.

S

Application Security This Week for August 9

The new Open Source Security Foundation is trying to broaden the reach of information security best practice.

https://github.com/ossf

 

Four new variants of HTTP Request Smuggling were published, and they are pretty cool.

https://thehackernews.com/2020/08/http-request-smuggling.html

 

A really cool XML External Entity flaw was used to get RCE in the latest Pwn2Own competition.

http://muffsec.com/blog/?p=608

 

That's the news, folks.

S

Application Security This Week for August 2nd

Check your Docker API permissions.  A new piece of malware has been turning cloud hosted containers into mining rigs.

https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/

 

Remember when I told you that Microsoft is dropping support for TLS 1.0 and 1.1?  Well, SHA-1 is next.

https://www.theregister.com/2020/07/29/microsoft_windows_sha_1/

 

1d8 posted a good primer on setting up an Android security analysis lab.  It's pretty solid.

https://github.com/1d8/Android-Analysis

I did a talk on a similar topic at GrrCon a few years back.

http://www.irongeek.com/i.php?page=videos/grrcon2016/114-breaking-android-apps-for-fun-and-profit-bill-sempf

 

Finally, I'll be at the OWASP Booth at Virtual BlackHat Wednesday afternoon (3-7 EDT). I have no idea how it will work yet, but it should be fun! Come have a virtual beer with me.

 

That's the news.  Stay safe out there.

Application Security This Week for July 26

They dropped Open Redirection from the OWASP Top 10 but, like CSRF, it is still out there. Here is a neat tool to help find it.

https://github.com/0xNanda/Oralyzer

 

FireEye has a neat new toolset to crowdshare malware patterns.  I haven't dug into this yet, but I am fascinated.  Malware isn't my thing - I am a web guy - but this is a cool idea.

https://www.fireeye.com/blog/threat-research/2020/07/capa-automatically-identify-malware-capabilities.html

 

Microsoft has started killing off TLS 1.0 and 1.1 really for real this time.  Really.  Interesting take, because people in poorer countries who are still using old Android and iOS devices are effectively losing access to the tools.  Acceptable losses? Seems so.

https://docs.microsoft.com/en-us/microsoft-365/compliance/tls-1.0-and-1.1-deprecation-for-office-365?view=o365-worldwide

 

Gotta love a sanitizer bypass in ... a sanitizer tool.

https://research.securitum.com/html-sanitization-bypass-in-ruby-sanitize-5-2-1/

 

That's the news.  Hope everyone is well.

 

Application Security This Week for July 19

The Enterprise Security API for Java went to 2.2.1.0.

https://github.com/ESAPI/esapi-java-legacy/blob/esapi-2.2.1.0/documentation/esapi4java-core-2.2.1.0-release-notes.txt

 

Microsoft's .NET Framework is getting rid of the BinaryFormatter, erasing a significant security flaw.

https://github.com/dotnet/designs/pull/141

 

Good writeup on pentesting GitHub source repos - a great place to find bugs in open source packages used by your apps.

https://www.errno.fr/Attacking_source_repositories

 

Portswigger's Burp Suite now includes a pre-configured browser as part of the community edition - a game changer if you are doing in-house training or CTFs.

https://portswigger.net/burp/releases/professional-community-2020-7

 

Unquestionably the funniest POC for an exploit I have ever seen in my life.

https://github.com/tinkersec/cve-2020-1350

 

That's the news, folks.  Hope everyone is well.

Application Security This Week for July 12

Big news this week was the F5 zero day, of course, but on the application side you should review the code for the exploit, which is public.  I am not gonna link it here but y'all can google.  DO NOT run this on your corporate machines, use your test box and a VM, and just look.  Here is a link to the CVE:

https://us-cert.cisa.gov/ncas/current-activity/2020/07/04/f5-releases-security-advisory-big-ip-tmui-rce-vulnerability-cve

 

Be still my heart, an API driven HTTP server. Haven't played with it yet but it looks super sexy.

https://httpie.org/

 

Common thread on this newsletter - DNS is dangerous.  Review your records.

https://www.theregister.com/2020/07/07/microsoft_azure_takeovers/

 

Very nice collection of testing scripts - well worth the clone and the hour it takes to learn to use them. I'm integrating them into my test scenarios.

https://github.com/wintrmvte/Citadel

 

That's the news, folks!

 

Application Security This Week for July 5

Happy Independence Day for my US readers!

 

BugCrowd released a really cool looking Burp extension to help find bug bounty items.

https://portswigger.net/bappstore/059343223d094d16a0a8440485bc5c5e

 

Some guidance I am using right now on a test to bypass file upload filters.

https://stazot.com/boltcms-file-upload-bypass/

 

Fantastic analysis of the SAML flaw in Palo Alto devices by my friends at TrustedSec.

https://www.trustedsec.com/blog/cve-2020-2021-pan-os-saml-security-bypass/

 

That's the news, folks.  Go hack something.

Application Security This Week for June 28

I was tempted to start making up dates. Like Junuary 54th.  But dark humor doesn't belong here.  Or does it?

 

Lots of talk recently about using Frida to hook methods in binary applications, like native mobile apps and even Windows apps. Here's an easy way to get started.

https://github.com/leonjza/frida-boot

 

Taking advantage of Bitdefender FROM A WEBSITE.  No I am not kidding.  I haven't tried this yet but wow.

https://palant.info/2020/06/22/exploiting-bitdefender-antivirus-rce-from-any-website/

 

This is a twitter thread I wish I had written.  The basics of application vulnerability analysis.

https://threadreaderapp.com/thread/1273052843012841472.html

 

We are back on the encryption discussion.  Let me make my own, personal, not endorsed by anyone, position very clear.  Anyone - ANYONE - can encrypt anything with two coins, a pencil, and a piece of paper.  These laws do NOTHING. Nothing at all. Please tell everyone.  If you have questions, please ask. If I don't know the answer, I know people who do.

https://news.bitcoin.com/lawful-access-to-encrypted-data-act-backdoor/

 

And finally: an amazing exploit getting RCE from PostgreSQL with only a little magic juice.

https://srcincite.io/blog/2020/06/26/sql-injection-double-uppercut-how-to-achieve-remote-code-execution-against-postgresql.html

 

Have a great week, everyone.

Application Security This Week for June 21

Happy Father's Day!

 

Sn1per is not new, but has some updates, and is worth adding to your vulnerability assessment routine, or even your SSDLC CI/CD process.

https://github.com/1N3/Sn1per

 

Seeker is a cool social engineering tool that makes it easy to collect geopositioning from users.  This blog isn't about SE, but they used some neat programming tactics and it is worth a look.

https://github.com/thewhiteh4t/seeker

 

"There are 14 people with this item in their cart" is probably a lie.  Press F12 and see for yourself! Might be worth a look.

https://medium.com/dev-genius/are-14-people-currently-looking-at-this-product-e7fe8412f16b

 

ProxyJump lets you pivot from one SSH host to another.  It's pretty neat.

https://medium.com/maverislabs/proxyjump-the-ssh-option-you-probably-never-heard-of-2d7e41d43464

 

Cool new XSS vulnerability in Angular.  Update your framework!

https://securitylab.github.com/advisories/GHSL-2020-099-mxss-angular

 

One of the "ilities" of application security is "availability".  The Dark Tangent (Jeff Moss, founder of DefCon) is using this tool for stress testing the new forums.

https://www.paessler.com/tools/webstress/sample_performance_tests

 

Have a great week everyone.

Application Security This Week for June 14

Happy 614 day to my Columbus friends.

 

 

Very solid guidelines on storing API secrets.

https://blog.gitguardian.com/secrets-api-management/

If you haven't seen it, you should watch Seth's API security talk too.

https://www.youtube.com/watch?v=NHeoCocs60I

 

Facebook wrote a Tails exploit?

https://www.schneier.com/blog/archives/2020/06/facebook_helped.html

 

VERY nice tool for scanning Node apps that I have recently added to my stable of scripts.

https://github.com/ajinabraham/nodejsscan

 

Hope you all are well. That's the news!

 

 

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
