Application Security This Week for November 24

Github is starting SecurityLab.  It's part knowledge sharing, part secure coding, part bounty hunting, and it is pretty neat.

https://securitylab.github.com/

 

Stacey on IoT has a good writeup on device and container security citing this Trend Micro report

https://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2020

Subscribe to her newsletter!

https://staceyoniot.com/

 

TrustedSec, an infosec firm in Cleveland run by my friend Dave Kennedy, has open sourced their legal documentation for physical pentesting in order to try and prevent another Iowa.

https://github.com/trustedsec/physical-docs

Read more about why here

https://www.trustedsec.com/blog/a-message-of-support-coalfire-consultants-charged/

 

Cool writeup of a DOM clobbering vulnerability.  I think DOM XSS will become more of a thing as browsers get more and more power.

https://research.securitum.com/xss-in-amp4email-dom-clobbering/

 

That's the news!

Application Security This Week for November 17

Great breakdown on finding bugs in an OAUTH flow

https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html

 

Only arguably appsec, but there is an artificial intelligence story writer that was determines to be too powerful to release into the wild, and it has been released into the wild

https://nakedsecurity.sophos.com/2019/11/11/ai-wordsmith-too-dangerous-to-be-released-has-been-released/

 

Remember when WordPress malware was all the rage?  Well, not it is Slack Themes

https://fletchto99.dev/2019/november/slack-vulnerability/

 

I am a web guy, not an OS guy, so I learned a ton from this rootkit primer

https://capsule8.com/blog/dont-get-kicked-out-a-tale-of-rootkits-and-other-backdoors/

 

That's the news, folks.

Application Security This Week for November 10

Microsoft has a really good article on using a semantic query language to find exploitable DOM XSS findings. Honestly the whole series is recommended, but the DOM XSS one here is particularly good.

https://msrc-blog.microsoft.com/2018/08/16/vulnerability-hunting-with-semmle-ql-part-1/

 

Google Project Zero revealed a UAF bug in Android a bit ago, and here is an awesome analysis of how it happened.  Good reading for mobile devs especially, but I certainly learned stuff too.

https://dayzerosec.com/posts/analyzing-androids-cve-2019-2215-dev-binder-uaf/

 

In continuing supply chain news, Armor has a good article on Managed Service Providers being a strong candidate for Malware Distributers of the Year.

https://www.armor.com/reports/new-msps-compromised-reports-armor/

 

That's the news!

Application Security This Week for November 3

Lawfare has a good article  by Jim Baker (former legal council for the FBI) on a new way to think about encryption.  You'll agree with some, disagree with some, but it will make you think.

https://www.lawfareblog.com/rethinking-encryption

 

From the Standard Vulnerability List: "When a session ends, first select the session ID from the client, then delete the session information from the server, then finally return the user to the login page." Session management matters, people.

https://arstechnica.com/information-technology/2019/10/five-months-after-returning-rental-car-man-still-has-remote-control/

 

Google is doing its "we are the Web so we will decide how it works" thing again, and threatening to enable samesite by default in Chrome. Here's some analysis of that.

https://www.jardinesoftware.net/2019/10/28/samesite-by-default-in-2020/

 

Speaking of Chrome nad running the web, here's El Reg's take on DNS over HTTPS:

https://www.theregister.co.uk/2019/10/29/chrome_dns_https/

 

Oh, and still speaking of Google and glass houses and stone throwing, there's an 0-day in Chrome.

https://www.bleepingcomputer.com/news/security/chrome-zero-day-bug-with-exploit-in-the-wild-gets-a-patch/

 

You know that stupid goose game your kid is playing? There is an insecure deserialization flaw in it.

https://pulsesecurity.co.nz/advisories/untitled-goose-game-deserialization

 

And finally, a good talk out of BSides Belfast about supply-chain attacks.  Code review your open source libraries, folks!

https://www.infosecurity-magazine.com/news/bsidesbelfast-supply-chain/

 

Busy week! But that's the news.

 

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList