Application Security This Week for October 27

Here's an interesting article on some non-JavaScript Cross-Site Scripting vectors.

https://x-c3ll.github.io/posts/CSS-Injection-Primitives/

 

Timely history lesson about the gradual movement of web application from primarily server-side to primarily client-side:

https://medium.com/young-coder/an-illustrated-beginners-guide-to-server-side-and-client-side-code-723cbb1db9ea

 

This isn't as new of an idea as the authors would like us to believe, but it is a good PoC of the CDN-related cache poisoning attack:

https://thehackernews.com/2019/10/cdn-cache-poisoning-dos-attack.html?m=1

 

Public disclosure of some bugs in AutoDesk discovered by binary fuzzing. Good way to get a look into this kind of testing - look breakdowns of CVEs.

https://fuzzit.dev/2019/10/25/discovery-and-analysis-of-2-dos-vulnerabilities-in-autodesk-fbx-1-unpatched/

 

PHP has a vector for remote code execution (combined with other known flaws) to patch if you can! Worth a read for the process, as well.

https://thehackernews.com/2019/10/nginx-php-fpm-hacking.html

 

That's the news, folks.

Add comment

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList