Application Security This Week for October 27

Here's an interesting article on some non-JavaScript Cross-Site Scripting vectors.

https://x-c3ll.github.io/posts/CSS-Injection-Primitives/

A timely history lesson on the gradual movement of web applications from primarily server-side to primarily client-side:

https://medium.com/young-coder/an-illustrated-beginners-guide-to-server-side-and-client-side-code-723cbb1db9ea

This isn't as new an idea as the authors would like us to believe, but it is a good PoC of the CDN-related cache poisoning attack:

https://thehackernews.com/2019/10/cdn-cache-poisoning-dos-attack.html?m=1

Public disclosure of some bugs in Autodesk software discovered by binary fuzzing. A good way to get a look at this kind of testing, including breakdowns of the CVEs.

https://fuzzit.dev/2019/10/25/discovery-and-analysis-of-2-dos-vulnerabilities-in-autodesk-fbx-1-unpatched/

PHP has a remote code execution vector (when combined with other known flaws); patch if you can! Worth a read for the process, as well.

https://thehackernews.com/2019/10/nginx-php-fpm-hacking.html

That's the news, folks.


Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.