Application Security This Week for September 27

by Bill Sempf 27. September 2020 07:06

A list of Capture The Flags that are on now or forever!


The source code to XP was leaked.  This isn't a surprise, extended support gives folks access to it.  It was bound to get out.

What's funny is the comments though:


The EFF is reporting on the very real problem of student contact tracing apps violating privacy considerations.  Balance has to be found.


That's the news, folks.  Stay safe.


Application Security This Week for September 20

by Bill Sempf 20. September 2020 13:38

Microsoft open sourced their fuzzing framework


Not new but certain worth a read - how HTTPS works


Ming Chow - a buddy of mine and did a fantastic online course on packet analysis, that includes a nod to your humble author (around minute 58)


Stay safe out there.



Application Security This Week for September 13

by Bill Sempf 13. September 2020 13:46

Or Maypril 319 but who is counting.


Here's an OLD Visual Studio project that gets AES keys from running applications.  Seems to still work!


 Another writeup on my current favorite bug, HTTP Request Smuggling.


Via Matt Groves, this tool tests CouchBase databases for injection.  Pretty slick.


Neat article on using Fuzzilli to fuzz JavaScript engines using an intermediate language.


Cool breakdown on using Mobile Device Management to get RCE on devices.


That's the news folks.  Stay safe.


Application Security This Week for September 6

by Bill Sempf 6. September 2020 12:08

Cool 10,000 foot overview of web application vulnerability assessment.  Clearly written and concise.


A really well thought through attack on HTML sanitizers.


El Reg has a good article on spear-phishing developers to get access to back end tools.  This is why the vulnerability analysts tell you to decommission old test systems.


Nice into to blind SQL injection.


That's the news, folks.  Have a good Labor Day!


Application Security This Week for August 30

by Bill Sempf 30. August 2020 12:43

Monsoon is a fast HTTP request enumerator that allows you to run a large number of tests to try out potential findings.


Python devs: Don't run the executable in your downloads folder! Python isn't designed for that and there are vulnerabilities.


A really fantastic list of Android security resources.


That's the latest, folks! Have a great week.


Appliocation Security This Week for August 23

by Bill Sempf 23. August 2020 12:41

Update Jenkins - there is a flaw in the HTTP renderer.


Pretty cool article about attacking the MS Exchange web interface


Don't usually talk locksport here but it's a slow news week and this is pretty cool - creating a key based on the sound of the original entering the lock.


That's the news!


Application Security This Week for August 16

by Bill Sempf 16. August 2020 09:37

Microsoft pushed a change to ASP.NET for a DoS vulnerability.  Not only should you patch, but looking at the change control is worth your time.


Speaking of .NET, Adam Chester has an awesome article about the debugger that is worth a look.


Sonatype has their annual report on the Software Supply Chain ready, which is a topic near and dear to my heart. You have to give them your email, but it is worth it.

I spoke to the .NET Dev Group in Columbus about this topic in March and it got a little spicy.


 Finally, here is another good analysis paper on the application security development lifecycle.


Stay safe and well.



Application Security This Week for August 9

by Bill Sempf 9. August 2020 08:27

The new Open Source Security Foundation is trying to broaden the reach of information security best practice.


Four new variants of HTTP Request Smuggling were published, and they are pretty cool.


A really cool XMLK External Entity flaw was used to get RCE in the latest Pwn2Own competition.


That's the news, folks.



Application Security This Week for August 2nd

by Bill Sempf 2. August 2020 07:23

Check your Docker API permissions.  A new piece of malware has been turning cloud hosted containers into mining rigs.


Remember when I told you that Microsoft is dropping support for TLS 1.0 and 1.1?  Well, SHA-1 is next.


1d8 posted a good primer on setting up an android security analysis lab.  It's pretty solid.

I did a talk on a similar topic at GrrCon a few years back


Finally, I'll be at the OWASP Booth at Virtual BlackHat Wednesday afternoon (3-7 EDT). I have no idea how it will work yet, but it should be fun! Come have a virtual beer with me.


That's the news.  Stay safe out there.


Application Security This Week for July 26

by Bill Sempf 26. July 2020 06:37

They dropped Open Redirection from the OWASP Top 10 but, like CSRF, it is still out there. Here is a neat tool to help find it.


FireEye has a neat new toolset to crowdshare malware patterns.  I haven't dug into this yet, but I am fascinated.  Malware isn't my thing - I am a web guy - but this is a cool idea.


Microsoft has started killing off TLS 1.0 and 1.1 really for real this time.  Really.  Interesting take, because in poorer countries who are still using old Android and iOS devices are effectively losing access to the tools.  Acceptable losses? Seems so.


Gotta love a sanitizer bypass in ... a sanitizer tool.


That's the news.  Hope everyone is well.



Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

Find me on Mastodon

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites