Application Security Weekly for June 3

My good friends at AppSec Consulting tipped me off this this really neat finding .  It's a SAML bypass - they didn't discover it but they have been using it in tests and it works well.

https://developer.okta.com/blog/2018/02/27/a-breakdown-of-the-new-saml-authentication-bypass-vulnerability

 

Remember JScript, that attempt by Microsoft to take over ECMAscript?  Yeah, neither does anyone else but it is still in Windows and it has an RCE vulnerability.

https://securityaffairs.co/wordpress/73076/hacking/jscript-component-0day.html

 

Apparently it's the theme today, so I'll point out that an RCE vulnerability was found in the Steam client, and has a good writeup.

https://www.contextis.com/blog/frag-grenade-a-remote-code-execution-vulnerability-in-the-steam-client

 

In a previous post I mentioned the sheer mass of Redis servers left open on the Internet.  Someone has now written a worm for them, and 75% are infected.

https://www.incapsula.com/blog/report-75-of-open-redis-servers-are-infected.html

 

And that's the news.

S

Add comment

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList