Application Security This Week for April 28

Another WebLogic deserialization bug.

https://securityaffairs.co/wordpress/84450/breaking-news/oracle-weblogic-zeroday.html

I have a PR in for Nikto for it.

https://github.com/sullo/nikto/pull/607

A reminder that application security is more than SQL injection: a good analysis of the bugs that caused the 737 Max crashes. I had to drop it in Pastebin because IEEE put it behind a paywall.

https://pastebin.com/QEiKvvMM

Using Git dotfiles to bypass authentication.

https://blog.assetnote.io/bug-bounty/2019/04/23/getting-access-zendesk-gcp/

ZDNet, of all places, has a really good, plain language explainer of credential stuffing.

https://www.zdnet.com/article/an-inside-look-at-how-credential-stuffing-operations-work/

A little more on the dev side: a review of 10 articles about using Python in machine learning.

https://hackernoon.com/10-great-articles-on-python-development-6f54dd38437f

And that's the news! I'll be on vacation next week, so see you on the 12th.

Application Security This Week for April 21

Hacky Easter is on! Go get your CTF rolling.

https://hackyeaster.hacking-lab.com/hackyeaster/

XXE discovered in IE 11.

https://seclists.org/fulldisclosure/2019/Apr/20

DNS attacks are very much on the rise.

https://www.engadget.com/2019/02/24/icann-warns-of-dns-attacks/?ncid=txtlnkusaolp00000618

https://www.golem.de/news/subdomain-takeover-microsoft-loses-control-over-windows-tiles-1904-140717.html

YAWAST goes to 0.7. I use it on every test for recon.

https://adamcaudill.com/2019/04/19/yawast-v0-7-released/

Great overview of a white hat attack on a "secure" application.

https://securityaffairs.co/wordpress/84219/breaking-news/hacker-broke-tchap.html

That's the news, folks!

Application Security This Week for April 14

The Stack Overflow Survey is out and has some interesting insights.

https://insights.stackoverflow.com/survey/2019

Rebex has built a tool to scan SSH servers, similar to the Qualys SSL scan.

https://sshcheck.com/

A new OWASP project that I'm participating in aims to inventory and improve the overall security posture of package managers. Take a look.

https://github.com/OWASP/packman

And that's the news!

Application Security This Week for April 7

PortSwigger has replaced the exercises in the Web Application Security Hacker's Handbook with the new Web Academy.

https://portswigger.net/web-security

An ARM assembler, in JavaScript. I don't even have the words, this is so awesome.

https://azm.azerialabs.com/

Writing a talk? Here are 60 information security statistics with corresponding references.

https://itblogr.com/60-must-know-cybersecurity-statistics-for-2019/

Google has started its own vulnerability database. I'm not sure why, since we already have several, but it is worth a look.

https://www.vulncode-db.com/

And that's the news!

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
