Application Security This Week for July 29

Venmo, a social payment system, defaults to public disclosure of payments made on the system.

https://arstechnica.com/tech-policy/2018/07/venmos-terrible-idea/


Scott Simmons has some terrific advice about using the Same-Origin policy as a control for CSRF.

https://www.appsecconsulting.com/blog/using-the-same-origin-policy-to-control-for-cross-site-request-forgery
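The control behind that advice is simple: browsers attach an Origin header (and usually a Referer) to cross-site requests, and page script cannot forge or strip those headers, so a server can refuse state-changing requests whose origin is not its own. The check below is an added example, not code from the post or from Scott Simmons' article; the function and header names, and the origins used in it, are constructed for illustration.

```python
"""Origin/Referer check for CSRF, resting on the browser's same-origin behaviour.
Added illustration; the names and sample origins here are constructed."""
from urllib.parse import urlsplit

# Methods that change state and therefore need the origin check.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def origin_of(url):
    """Reduce an Origin or Referer value to scheme://host[:port], lowercased."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def csrf_check(method, headers, allowed_origins):
    """Return (allowed, reason) for one request.

    headers: dict of request headers (any case); allowed_origins: set of
    scheme://host[:port] strings the application considers its own.
    """
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"

    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None or origin == "null":
        # Some older browsers omit Origin on same-origin POSTs; fall back to Referer.
        referer = h.get("referer")
        if referer is None:
            # Fail closed: with neither header the request cannot be tied to our site.
            return False, "missing Origin and Referer"
        origin = origin_of(referer)
        if origin is None:
            return False, "unparseable Referer"
    else:
        origin = origin_of(origin)
        if origin is None:
            return False, "unparseable Origin"

    if origin in allowed_origins:
        return True, "origin matches"
    return False, f"cross-site origin {origin}"


if __name__ == "__main__":
    allowed = {"https://app.example.com"}  # constructed sample origin
    print(csrf_check("POST", {"Origin": "https://app.example.com"}, allowed))
    print(csrf_check("POST", {"Origin": "https://attacker.example"}, allowed))
    print(csrf_check("POST", {"Referer": "https://app.example.com/settings?x=1"}, allowed))
    print(csrf_check("POST", {}, allowed))
```

Two design points worth noting: the comparison is on the full scheme, host and port, so an http origin or a different port of the same host is rejected; and the check fails closed when neither header is present, which blocks users whose browser or proxy strips Referer, so most deployments pair this with a synchronizer or double-submit token rather than relying on it alone.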


Open redirect flaw in Electron exploited in the new Google Hangouts Chat application.

https://blog.bentkowski.info/2018/07/vulnerability-in-hangouts-chat-aka-how.html?m=1
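An open redirect exists wherever an application forwards the user to a URL it took from a request parameter without constraining it. The validator below is an added example of the usual mitigation, unrelated to the Electron or Hangouts Chat code in the linked post: it accepts only same-site relative paths or absolute https URLs on the application's own host and falls back to a fixed location for everything else. The function name and the hosts in it are constructed for illustration.

```python
"""Validate a user-supplied redirect target so it cannot leave the site.
Added illustration; function name and sample hosts are constructed."""
from urllib.parse import urlsplit, urlunsplit


def safe_redirect_target(target, own_host, fallback="/"):
    """Return target if it stays on own_host (a bare hostname), else fallback."""
    if not target:
        return fallback
    # Leading whitespace is ignored by some URL parsers, so normalise it away
    # before the prefix checks below.
    target = target.strip()

    # Protocol-relative targets (//host) and backslash variants that browsers
    # normalise to a forward slash would escape the site; refuse them outright.
    if target.startswith("//") or "\\" in target:
        return fallback

    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute URL: only https to our own host is acceptable. Comparing the
        # whole netloc also rejects user-info tricks such as https://own@evil/.
        if parts.scheme.lower() != "https" or parts.netloc.lower() != own_host.lower():
            return fallback
        return urlunsplit(("https", own_host.lower(), parts.path or "/", parts.query, ""))

    # Relative target: must be an absolute path on this site; the fragment is dropped.
    if not parts.path.startswith("/"):
        return fallback
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    host = "app.example.com"  # constructed sample host
    for t in ["/account?tab=1", "//evil.example/", "https://evil.example/x",
              "https://app.example.com/dash", "javascript:alert(1)", ""]:
        print(repr(t), "->", safe_redirect_target(t, host))
```

The strict host comparison means a port suffix or a subdomain is treated as foreign; if the application legitimately redirects across its own subdomains, the right fix is an explicit allow-list of those hosts, not a suffix match on the string.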


F5 has released their annual Application Protection report. Worth a read.

https://www.f5.com/labs/articles/threat-intelligence/2018-Application-Protection-Report


DOMPurify, a common control for DOM-based XSS, has a vulnerability - update if you are using it (you probably are).

http://www.thespanner.co.uk/2018/07/29/bypassing-dompurify-with-mxss/


Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
