Application Security This Week for December 23

SplashData has released its annual list of the 100 worst passwords again this year. At a minimum, block every password on that list in your registration, password-change and sign-in flows.

https://www.prweb.com/releases/bad_password_habits_die_hard_shows_splashdata_s_8th_annual_worst_passwords_list/prweb15987071.htm
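One way to do that deny-list check, as an added example that is not code from the original post or from SplashData. The short list embedded below is a constructed sample in the spirit of the SplashData list (load the real list from a file in production), and the trailing-digit rule is my own addition, since users whose bare word is rejected commonly just append a "1" or "!".

```python
"""Deny-list check for a registration / sign-in flow (added example)."""
import unicodedata

# Constructed sample; the real SplashData list is far longer.
SAMPLE_DENY_LIST = [
    "123456", "password", "123456789", "qwerty", "111111", "iloveyou",
    "admin", "welcome", "abc123", "password1",
]


def normalize(password: str) -> str:
    """Canonicalise before comparison so 'Password' and 'PASSWORD' both match.
    Unicode NFKC folding also keeps look-alike code points from slipping past
    the list."""
    return unicodedata.normalize("NFKC", password).strip().lower()


def build_deny_set(entries):
    """Normalise every list entry once, at load time, into a set."""
    return {normalize(e) for e in entries}


DENY_SET = build_deny_set(SAMPLE_DENY_LIST)


def is_denied(password: str, deny_set=None) -> bool:
    """True if the normalised password is on the deny list, or is a deny-list
    entry with a single trailing digit or '!' appended ('qwerty1', 'qwerty!')."""
    deny_set = DENY_SET if deny_set is None else deny_set
    p = normalize(password)
    if p in deny_set:
        return True
    # Strip one trailing digit or '!' and re-check the stem (assumed rule).
    if len(p) > 1 and (p[-1].isdigit() or p[-1] == "!") and p[:-1] in deny_set:
        return True
    return False


def validate_new_password(password: str, min_length: int = 8):
    """Return (ok, reason). Length is checked first so the user gets the more
    actionable message; the deny-list message deliberately does not echo the
    password back."""
    if len(password) < min_length:
        return False, f"password must be at least {min_length} characters"
    if is_denied(password):
        return False, "password is on the common-password deny list"
    return True, ""


if __name__ == "__main__":
    for candidate in ("123456", "PASSWORD", "qwerty!", "correct horse battery staple"):
        print(candidate, "->", validate_new_password(candidate))
```

Run the check on both registration and password change, not only at sign-in; by the time a denied password reaches the sign-in form it is already in your database.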

 

A really good breakdown of finding hidden files and directories on a web application and using them for information gathering.

https://medium.com/@_bl4de/hidden-directories-and-files-as-a-source-of-sensitive-information-about-web-application-84e5c534e5ad
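A minimal probe for the kind of hidden paths that article discusses, as an added example rather than code from the article. The candidate paths and the body signatures that confirm a hit are my own choices, and the fetcher is injectable so the function can be exercised offline against constructed responses; the signature check is there because many applications answer 200 to everything, which turns a bare status-code scan into a pile of false positives.

```python
"""Probe a web application for hidden files that leak information (added example)."""
import urllib.error
import urllib.parse
import urllib.request

# Paths that commonly leak source, credentials or server layout, each paired
# with a substring that confirms the hit is real rather than a soft-404 page.
CANDIDATES = {
    "/.git/HEAD": "ref: refs/",
    "/.git/config": "[core]",
    "/.svn/entries": "",          # any 200 is interesting (empty sig always matches)
    "/.env": "=",
    "/.DS_Store": "Bud1",         # magic bytes of a Finder metadata file
    "/.htpasswd": ":",
    "/phpinfo.php": "PHP Version",
    "/server-status": "Apache Server Status",
}


def live_fetch(url, timeout=5):
    """Return (status, first 4 KiB of body as text); None status on network error.
    Only used when no fetcher is injected, and only against targets you are
    authorised to test."""
    req = urllib.request.Request(url, headers={"User-Agent": "hidden-file-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status, r.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def probe(base_url, candidates=None, fetch=live_fetch):
    """Return [(path, status, confirmed)] for every candidate that answered 200.
    'confirmed' is True only when the body carries the expected signature."""
    candidates = CANDIDATES if candidates is None else candidates
    base = base_url.rstrip("/")
    hits = []
    for path, sig in candidates.items():
        status, body = fetch(base + path)
        if status == 200:
            hits.append((path, status, sig in body))
    return hits


def fake_fetch_factory(responses):
    """Build an offline fetcher from {path: (status, body)} so the probe can be
    run without a target. Anything not listed gets a 404."""
    def fetch(url):
        path = urllib.parse.urlparse(url).path
        return responses.get(path, (404, ""))
    return fetch


if __name__ == "__main__":
    # Constructed responses standing in for a real target.
    demo = fake_fetch_factory({
        "/.git/HEAD": (200, "ref: refs/heads/master\n"),
        "/.env": (200, "DB_PASSWORD=hunter2\n"),
        "/phpinfo.php": (200, "<html>Not Found</html>"),
    })
    for hit in probe("https://example.test", fetch=demo):
        print(hit)
```

A found `.git/HEAD` is the one to escalate first: with `.git/config` and the object store readable, the whole source tree can usually be reconstructed, credentials and all.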

 

Microsoft has come out with Windows Sandbox - might be a good platform for analyzing malware, but the jury is still out.

https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849

 

Gah, a bug in Ghostscript. Lots of attack vectors in the ImageMagick/PostScript space these days; watch yourselves.

https://www.rapid7.com/db/modules/exploit/multi/fileformat/ghostscript_failed_restore

 

And this is why I write up folks who have third-party-hosted JavaScript.

https://shkspr.mobi/blog/2018/11/major-sites-running-unauthenticated-javascript-on-their-payment-pages/
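The standard fix for a third-party script you cannot move onto your own origin is to pin it with Subresource Integrity, so the browser refuses to run it if the hosted file changes. Below is an added example, not code from the linked post, that generates the `integrity` value and mirrors the browser's verification rules; the script bytes are a constructed stand-in for a vendor's payment script, and you would hash the exact file the vendor serves and re-pin whenever they ship a new version.

```python
"""Generate and verify Subresource Integrity values (added example)."""
import base64
import hashlib
import hmac

# Algorithms SRI permits, weakest to strongest.
ALLOWED_ALGS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """Return an integrity value such as 'sha384-<base64 digest>'."""
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"SRI only permits {ALLOWED_ALGS}")
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Apply the browser's rules: parse every token, ignore unknown algorithms
    and malformed base64, keep only the strongest algorithm present, and pass
    if any digest of that strength matches. If nothing parses, the spec says
    the resource loads unchecked, so a typo in the attribute silently turns
    SRI off."""
    parsed = []
    for token in integrity.split():
        alg, _, rest = token.partition("-")
        b64 = rest.partition("?")[0]          # drop any '?options' suffix
        if alg not in ALLOWED_ALGS:
            continue
        try:
            parsed.append((alg, base64.b64decode(b64, validate=True)))
        except ValueError:                    # includes binascii.Error
            continue
    if not parsed:
        return True
    strongest = max(parsed, key=lambda p: ALLOWED_ALGS.index(p[0]))[0]
    for alg, expected in parsed:
        actual = hashlib.new(alg, content).digest()
        if alg == strongest and hmac.compare_digest(actual, expected):
            return True
    return False


def script_tag(src: str, content: bytes, alg: str = "sha384") -> str:
    """Emit the <script> tag to paste into the page. crossorigin is needed for
    a cross-origin load, otherwise the response is opaque and the browser
    cannot verify it, so the script is blocked."""
    return (f'<script src="{src}" integrity="{sri_hash(content, alg)}" '
            f'crossorigin="anonymous"></script>')


# Constructed stand-in for a vendor's payment-page script.
SAMPLE_SCRIPT = b"window.Pay = { charge: function(card) { /* ... */ } };\n"

if __name__ == "__main__":
    tag = script_tag("https://cdn.example/pay.js", SAMPLE_SCRIPT)
    print(tag)
    print("unmodified passes:", verify_sri(SAMPLE_SCRIPT, sri_hash(SAMPLE_SCRIPT)))
    print("tampered passes:", verify_sri(SAMPLE_SCRIPT + b"//x", sri_hash(SAMPLE_SCRIPT)))
```

Pair the pin with a Content-Security-Policy that restricts `script-src` to the hosts you expect, and monitor for the vendor changing the file; a silently rotated script is exactly the failure mode the linked post is about, and SRI turns it from a compromise into an outage you will notice.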

 

That's the news, folks. Stay safe, and have a good holiday.


Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
