Application Security This Week for September 2

Mazen Ahmed wrote an exploit for the new Struts CVE.

https://github.com/mazen160/struts-pwn_CVE-2018-11776


Speaking of the CVE program, and MITRE in general, Steve Ragan got a solid scoop on congress planning a revamp.

https://www.csoonline.com/article/3300753/security/congress-pushes-mitre-to-fix-cve-program-suggests-regular-reviews-and-stable-funding.html


Secure Ideas started a blog series on CORS, CSRF, and Clickjacking, which is off to a good start.

https://blog.secureideas.com/2018/07/three-c-words-of-web-app-security-part-1-cors.html


The Fortnite Android app is vulnerable to a genuinely unusual flaw, Man-in-the-Disk.

https://www.theregister.co.uk/AMP/2018/08/29/android_external_storage_man_in_the_disk/


Speaking of weird flaws, people have started registering Alexa skills with names that are phonetically similar to common commands. It's called Skill Squatting.

https://www.usenix.org/conference/usenixsecurity18/presentation/kumar


And that's the news!

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
