by Bill Sempf
28. March 2021 12:53
Guess who forgot to do a newsletter last week?
Cool file upload attack on VestaCP (CVE-2021-28379) that ends in unauthenticated SSH access.
https://blog.fadyothman.com/cve-2021-28379-gaining-rce-via-ssh-backdoor-in-vestacp/
Neat tool for sniffing decrypted HTTP traffic off an iOS device: MITM-style visibility, but it rides on the device's own HAR logging rather than a proxy and certificate install. The code is worth a look.
https://github.com/doronz88/harlogger
SAML Raider, a Burp Suite extension for testing SAML implementations (new to me), has a new release, 1.4.0.
https://blog.compass-security.com/2021/03/saml-raider-release-1-4-0/
More HTTP/2 trouble, this time h2c smuggling: when a reverse proxy forwards an `Upgrade: h2c` request intact, the client ends up speaking HTTP/2 cleartext straight to the backend, and the proxy's path-based access controls no longer apply.
https://blog.assetnote.io/2021/03/18/h2c-smuggling/
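What the upgrade request looks like, and the hop-by-hop header stripping a reverse proxy should do so the upgrade never reaches the backend. This is an added example, not code from the Assetnote post; the request below is constructed, the `HTTP2-Settings` value is illustrative, and the function names are this example's own.

```python
# Added example (not from the linked post). Shows the shape of an h2c upgrade
# request and the RFC 7230 hop-by-hop stripping that defuses it at a proxy.

# Hop-by-hop headers per RFC 7230 section 6.1; a proxy must not relay them.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}

# Constructed request: a client asking the proxy to upgrade the connection.
# The HTTP2-Settings value is illustrative, not a real encoded SETTINGS frame.
SMUGGLING_REQUEST = (
    "GET /public/ HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Upgrade: h2c\r\n"
    "Connection: Upgrade, HTTP2-Settings\r\n"
    "HTTP2-Settings: AAMAAABkAAQAAP__\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Parse the header block of a raw HTTP/1.1 request into (name, value) pairs."""
    headers = []
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:                     # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def is_h2c_upgrade_attempt(headers):
    """True when any Upgrade header lists the h2c protocol token."""
    for name, value in headers:
        if name.lower() == "upgrade":
            tokens = [t.strip().lower() for t in value.split(",")]
            if "h2c" in tokens:
                return True
    return False


def sanitize_for_forwarding(headers):
    """Drop hop-by-hop headers, plus any the client nominated via Connection.

    This is what a correctly behaving reverse proxy does; it guarantees the
    Upgrade: h2c and its HTTP2-Settings never reach the backend, so the backend
    cannot answer 101 Switching Protocols and open the unfiltered h2 tunnel.
    """
    nominated = set()
    for name, value in headers:
        if name.lower() == "connection":
            nominated.update(t.strip().lower() for t in value.split(",") if t.strip())
    drop = HOP_BY_HOP | nominated
    return [(n, v) for n, v in headers if n.lower() not in drop]


if __name__ == "__main__":
    hdrs = parse_headers(SMUGGLING_REQUEST)
    print("upgrade attempt:", is_h2c_upgrade_attempt(hdrs))
    print("forwarded headers:", sanitize_for_forwarding(hdrs))
```

The check to run against your own edge: send the constructed request through the proxy and see whether the backend answers `101 Switching Protocols`; if it does, the proxy is relaying `Upgrade` and `Connection`-nominated headers and everything behind it is reachable over the resulting tunnel regardless of the proxy's path rules.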
RFC 8996 formally deprecates TLS 1.0 and 1.1. These become High findings on reports now.
https://datatracker.ietf.org/doc/rfc8996/
Retire.js, one of my favorite tools, has been updated.
https://retirejs.github.io/retire.js/
And finally, spend your Sunday patching OpenSSL: 1.1.1k fixes two High-severity bugs, a crash in TLS renegotiation handling and a CA certificate check bypass when X509_V_FLAG_X509_STRICT is set.
https://thehackernews.com/2021/03/openssl-releases-patches-for-2-high.html
Have a secure week, everyone.
by Bill Sempf
14. March 2021 12:32
Happy pi day!
Daniel Stenberg's missive on the insecurity of C as a programming language: roughly half of curl's vulnerabilities come down to C memory-handling mistakes.
https://daniel.haxx.se/blog/2021/03/09/half-of-curls-vulnerabilities-are-c-mistakes/
Regexes with nested or overlapping quantifiers are easy denial of service targets (ReDoS); Doyensec's regexploit finds them in code.
https://blog.doyensec.com/2021/03/11/regexploit.html
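An added example, not code from the Doyensec post or from regexploit itself: a crude static check for the nested-unbounded-quantifier shape behind classic catastrophic backtracking, and a timing harness that shows the blow-up against an almost-matching input. It leans on Python's own regex parser (`re._parser`, formerly `sre_parse`), so it sees the real parse tree rather than guessing from the pattern text; the function names are this example's own.

```python
# Added example (not from the linked post or regexploit). Detects one common
# ReDoS shape, an unbounded repeat nested inside another unbounded repeat, and
# times the vulnerable pattern against its safe equivalent.
import re
import time

try:
    from re import _parser as sre_parse   # Python 3.11+
except ImportError:                       # older interpreters
    import sre_parse

MAXREPEAT = sre_parse.MAXREPEAT
REPEATS = (sre_parse.MAX_REPEAT, sre_parse.MIN_REPEAT)


def _walk(sub, inside_unbounded):
    """Return True if an unbounded repeat sits inside another unbounded repeat."""
    for op, av in sub:
        if op in REPEATS:
            _lo, hi, inner = av
            unbounded = hi == MAXREPEAT
            if unbounded and inside_unbounded:
                return True
            if _walk(inner, inside_unbounded or unbounded):
                return True
        elif op == sre_parse.SUBPATTERN:
            # av = (group, add_flags, del_flags, subpattern)
            if _walk(av[-1], inside_unbounded):
                return True
        elif op == sre_parse.BRANCH:
            # av = (None, [alternative, alternative, ...])
            if any(_walk(alt, inside_unbounded) for alt in av[1]):
                return True
    return False


def has_nested_quantifier(pattern):
    """Crude ReDoS heuristic: flags (a+)+ or (\\w+\\s?)* but not (\\d{1,3}\\.){3}.

    Bounded repeats are ignored because their work is polynomial. Overlapping
    alternations such as (a|aa)+ are NOT caught; that is what regexploit's
    deeper analysis is for.
    """
    return _walk(sre_parse.parse(pattern), False)


def backtracking_time(pattern, text):
    """Wall-clock seconds for one anchored match attempt."""
    start = time.perf_counter()
    re.match(pattern, text)
    return time.perf_counter() - start


def demo(n=14):
    """Vulnerable ^(a+)+$ versus the equivalent ^a+$ on n a's plus a '!'.

    The '!' makes the match fail only at the very end, so the engine retries
    every way of splitting the a's into groups: about 2**(n-1) attempts.
    Keep n small; n around 25 already takes minutes on CPython.
    """
    evil = "a" * n + "!"
    return {
        "vulnerable": backtracking_time(r"^(a+)+$", evil),
        "safe": backtracking_time(r"^a+$", evil),
    }


if __name__ == "__main__":
    for pat in (r"^(a+)+$", r"^(\w+\s?)*$", r"^a+$", r"^(\d{1,3}\.){3}\d{1,3}$"):
        print(f"{pat!r:30} nested unbounded quantifier: {has_nested_quantifier(pat)}")
    for n in (10, 14, 18):
        print(n, demo(n))
```

Run the demo with increasing `n` and watch the vulnerable column double with each step while the safe column stays flat; the fix is almost always the same, collapse the nested group into a single repeat (`a+` instead of `(a+)+`) or bound it.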
It might be too late to register, but Veracode is holding a Capture The Flag competition for students.
https://www.veracode.com/events/hacker-games
Have a secure week.
by Bill Sempf
7. March 2021 16:58
This is a pop-culture article (from Wired) about why mobile applications can be insecure, but it is well written. It might be behind a paywall for some of you; if so, I'm sorry.
https://www.wired.com/story/ios-android-leaky-apps-cloud/
Good writeup on the Apache Velocity vulnerability (GHSL-2020-048), a sandbox bypass that lets a template author execute arbitrary code.
https://securitylab.github.com/advisories/GHSL-2020-048-apache-velocity
Look, more supply chain problems! Yay! Roughly 3,500 bad PyPI packages, and a tool to discover them.
https://github.com/pypa/pypi-support/issues/923
And finally, a series that begins with DLL Search Order Hijacking, something similar to what I have added to this newsletter before. Worth keeping an eye on.
https://github.com/pypa/pypi-support/issues/923
S