Application Security This Week for July 26

They dropped Open Redirection from the OWASP Top 10 but, like CSRF, it is still out there. Here is a neat tool to help find it.

https://github.com/0xNanda/Oralyzer

 

FireEye has a neat new toolset to crowdshare malware patterns.  I haven't dug into this yet, but I am fascinated.  Malware isn't my thing - I am a web guy - but this is a cool idea.

https://www.fireeye.com/blog/threat-research/2020/07/capa-automatically-identify-malware-capabilities.html

 

Microsoft has started killing off TLS 1.0 and 1.1 really for real this time.  Really.  Interesting take, because in poorer countries who are still using old Android and iOS devices are effectively losing access to the tools.  Acceptable losses? Seems so.

https://docs.microsoft.com/en-us/microsoft-365/compliance/tls-1.0-and-1.1-deprecation-for-office-365?view=o365-worldwide

 

Gotta love a sanitizer bypass in ... a sanitizer tool.

https://research.securitum.com/html-sanitization-bypass-in-ruby-sanitize-5-2-1/

 

That's the news.  Hope everyone is well.

 

Application Security This Week for July 19

The Enterprise Security API for Java went to 2.2.1.0

https://github.com/ESAPI/esapi-java-legacy/blob/esapi-2.2.1.0/documentation/esapi4java-core-2.2.1.0-release-notes.txt

 

Microsoft's .NET Framework is getting rid of the Binary Formatter, erasing a significant security flaw

https://github.com/dotnet/designs/pull/141

 

Good writeup on pentesting GitHub source repos - a great place to find bugs in open source packages used by your apps

https://www.errno.fr/Attacking_source_repositories

 

Portswigger's Burp Suite now includes a pre-configured browser as part of community edition - a game changer if you are doing inhouse training or CTFs

https://portswigger.net/burp/releases/professional-community-2020-7

 

Unquestionably the funniest POC for an exploit I have ever seen in my life

https://github.com/tinkersec/cve-2020-1350

 

That's the news, folks.  Hope everyone is well.

Application Security This Week for July 12

Big news this week was the F5 zero day, of course, but on the application side you should review the code for the exploit, which is public.  I am not gonna link it here but y'all can google.  DO NOT run this on your corporate machines, use your test box and a VM, and just look.  Here is a link to the CVE:

https://us-cert.cisa.gov/ncas/current-activity/2020/07/04/f5-releases-security-advisory-big-ip-tmui-rce-vulnerability-cve

 

Bestill my heart, an API driven HTTP server. Haven't played with it yet but I looks super sexy.

https://httpie.org/

 

Common thread on this newsletter - DNS is dangerous.  Review your records.

https://www.theregister.com/2020/07/07/microsoft_azure_takeovers/

 

Very nice collection of testing scripts - well worth the clone and the hour it takes to learn to use them. I'm integrating them into my test scenarios.

https://github.com/wintrmvte/Citadel

 

That's the news, folks!

 

Application Security This Week for July 5

Happy Independence Day for my US readers!

 

BugCrowd released a really cool looking Burp extension to help find bug bounty items.

https://portswigger.net/bappstore/059343223d094d16a0a8440485bc5c5e

 

Some guidance I am using right now on a test to bypass file upload filters.

https://stazot.com/boltcms-file-upload-bypass/

 

Fantastic analysis of the SAML flaw in Palo Alto devices by my friends at TrustedSec.

https://www.trustedsec.com/blog/cve-2020-2021-pan-os-saml-security-bypass/

 

That's the news, folks.  Go hack something.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList