by Bill Sempf
26. August 2018 09:23
Big, big news out of Portswigger this week. I'm a huge fan of OWASP ZAP, and use it daily, but this is a major uptick in web analysis tools.
A new API for Burp Suite (something ZAP has had for years) https://portswigger.net/blog/burps-new-rest-api
The introduction of 2.0 https://portswigger.net/blog/burp-suite-2-0-beta-now-available
And finally the introduction of Enterprise Edition, which effectively adds scalability https://portswigger.net/blog/burp-suite-enterprise-edition
Really solid week of announcements.
In other news, AppSec consulting hits it out of the park again with advice on securing third-party JavaScript.
https://www.appsecconsulting.com/blog/securing-third-party-javascript
A major flaw was found in GhostScript. If you are parsing document formats like PDF or XPS, get your patch on!
https://www.kb.cert.org/vuls/id/332928
Another Struts RCE vulnerability. "I'm shocked!" said nobody, ever.
https://cwiki.apache.org/confluence/display/WW/S2-057
Bitdefender published a whitepaper on the next phase of Android malware, and it is worth a read.
https://www.bitdefender.com/files/News/CaseStudies/study/234/Bitdefender-Whitepaper-Triout-The-Malware-Framework-for-Android-That-Packs-Potent-Spyware-Capabilities.pdf
And that's the news!
by Bill Sempf
19. August 2018 09:24
Trend Micro found a really interesting use-after-free vulnerability in the VBScript engine in IE. Now, before you giggle, think of all of the companies that have standardized on IE. They are out there. Either way, the finding is cool.
https://blog.trendmicro.com/trendlabs-security-intelligence/use-after-free-uaf-vulnerability-cve-2018-8373-in-vbscript-engine-affects-internet-explorer-to-run-shellcode/
Username enumeration bug discovered in OpenSSH of all things.
http://seclists.org/oss-sec/2018/q3/124
Ever seen a scanner point out that a site is vulnerable to DNS Rebinding, and wonder what the heck it was talking about? Yeah me too. These folks wrote up a framework for it.
https://github.com/nccgroup/singularity
Here is a password list sorted by probability. Remember that training course when I said you should check your new passwords against a list of known bad values, because NIST said to? Here ya go. The esteemed Jim Fenton recommends checking against the first 100,000. Neat project.
https://github.com/berzerk0/Probable-Wordlists
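The check described above, as an added example (not code from the post or from the Probable-Wordlists project): screen a candidate password against the first N entries of a probability-ordered list. It assumes the list is a plain text file with one password per line, most probable first, and combines the top-100,000 cut-off Jim Fenton recommends with the eight-character minimum from NIST SP 800-63B.

```python
from typing import Iterable, Set

DEFAULT_TOP_N = 100_000  # cut-off the post cites; the full lists are far longer
MIN_LENGTH = 8           # NIST SP 800-63B minimum for user-chosen passwords

# Constructed sample standing in for the head of a real probability-ordered list.
SAMPLE_WORDLIST = """123456
password
123456789
12345678
qwerty
abc123
password1
iloveyou
""".splitlines()


def load_banned(lines: Iterable[str], top_n: int = DEFAULT_TOP_N) -> Set[str]:
    """Collect the first top_n non-empty entries into a lookup set.

    Stops reading once top_n entries are loaded, so a multi-gigabyte list
    is never read past the portion actually used for screening.
    """
    banned: Set[str] = set()
    for line in lines:
        if len(banned) >= top_n:
            break
        entry = line.rstrip("\r\n")
        if entry:
            banned.add(entry)
    return banned


def load_banned_file(path: str, top_n: int = DEFAULT_TOP_N) -> Set[str]:
    """Same as load_banned, reading lazily from a wordlist file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return load_banned(fh, top_n)


def check_password(candidate: str, banned: Set[str]) -> str:
    """Return 'ok' or a short reason the candidate should be rejected."""
    if len(candidate) < MIN_LENGTH:
        return "too short"
    # Also test the lowercased form so a capitalised copy of a known-bad
    # value ("Password1") does not slip past a list of lowercase entries.
    if candidate in banned or candidate.lower() in banned:
        return "in banned list"
    return "ok"


if __name__ == "__main__":
    banned = load_banned(SAMPLE_WORDLIST)
    for pw in ("password1", "Password1", "qwerty", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw, banned)}")
```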
by Bill Sempf
12. August 2018 10:00
Interesting idea - introducing bugs to make software more difficult for attackers to navigate. Seems risky to me; I would rather see self-reporting software.
https://arxiv.org/pdf/1808.00659.pdf
Cloudflare has a really really good writeup on TLS 1.3.
https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/
Questionably ethical hacker steals credentials from the Homebrew repo and makes a commit.
https://medium.com/@vesirin/how-i-gained-commit-access-to-homebrew-in-30-minutes-2ae314df03ab
Viral tweet thread on the "voatz" software that WVa is planning on using for midterm elections. Vulnerabilityapalooza.
https://twitter.com/GossiTheDog/status/1026603800365330432
Portswigger posted a nice primer on cache poisoning.
https://portswigger.net/blog/practical-web-cache-poisoning
by Bill Sempf
5. August 2018 09:33
Reddit Breach Highlights Limits of SMS-Based Authentication
https://krebsonsecurity.com/2018/08/reddit-breach-highlights-limits-of-sms-based-authentication/
One of my favorite people - Adam Caudill with AppSec Consulting - gives a breakdown of changes to the way Chrome handles HTTPS
https://www.appsecconsulting.com/blog/https-or-be-warned
Information disclosure is a thing - stop using Trello as a password manager
https://www.reddit.com/r/security/comments/93n6ln/stop_using_trello_as_a_password_manager_how_to?sort=confidence
One of my favorite companies (Duo) has been acquired by Cisco
https://arstechnica.com/information-technology/2018/08/heads-up-2fa-provider-duo-security-to-be-acquired-by-cisco-ugh/
I have been assured that everything is gonna be OK
As nosqlmap has fallen a bit by the wayside, I'm glad to see a new NoSQL scanner show up
https://github.com/torque59/Nosql-Exploitation-Framework