by Bill Sempf
25. October 2020 14:20
Microsoft has created the Adversarial ML Threat Matrix. If you are in Machine Learning, it is certainly worth a look.
https://www.microsoft.com/security/blog/2020/10/22/cyberattacks-against-machine-learning-systems-are-more-common-than-you-think/
Fuzzilli is a JS fuzzing library that allows you to write fuzzing patterns in a custom interpreted language to generate errors, find injection points, and do other useful things.
https://www.darknet.org.uk/2020/10/fuzzilli-javascript-engine-fuzzing-library/
Hijacking DNS is one of my biggest worries because it slips between the cracks of appsec and devops.
https://github.com/SuperFola/DoNotSend
FinalRecon is a recently updated web recon tool. I haven't tried it yet but I'm gonna.
https://github.com/thewhiteh4t/FinalRecon
Good writeup on the recent RCE bug patched in Discord.
https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1
CORS is new (ish) and this is a great breakdown on hacking it from a knowledge perspective.
https://medium.com/bugbountywriteup/hacking-http-cors-from-inside-out-512cb125c528
Have a great week everyone.
by Bill Sempf
18. October 2020 13:01
Great explainer on using OWASP ZAP, instead of DotDotPwn, for directory traversal attacks. I haven't used it yet but it looks really promising.
https://diegogiacomelli.com.br/owasp-zap-path-traversal-and-asp-dotnet-notes/
Wanna write Burp extensions? Me too! Here's some good tools.
https://github.com/doyensec/burpdeveltraining
Man, I'm doing a lot with Docker container security. This is a good breakdown.
https://cloudberry.engineering/article/dockerfile-security-best-practices/
That's the news folks. Hope you are all doing well.
by Bill Sempf
11. October 2020 15:48
Totally forgot to do this last week, sorry.
Telerik released Fiddler Everywhere
https://www.telerik.com/fiddler
GitHub has added code scanning
https://github.blog/2020-09-30-code-scanning-is-now-available/
Another example of what I am admittedly harping on too much - the power of HTTP Smuggling
https://medium.com/@ricardoiramar/the-powerful-http-request-smuggling-af208fafa142
Here's a cool intro to manual static vulnerability analysis by Will Butler
https://btlr.dev/blog/how-to-find-vulnerabilities-in-code-bad-words
Some basics of securing APIs
https://dev.to/bearer/api-security-best-practices-3gjl
Have a good week, everyone!