Test apps for vulnerabilities that enable phishing

As the network boundary becomes more ephemeral, and attackers don't have obvious kickoff points for attacks as often, they are resorting more and more to the human angle.  This is not news to any reader of this blog, I am certain. Physical attacks notwithstanding, the best place to stage an attack against the humans that run the systems is via phishing - using email, SMS, forum comments, customer service requests, or other communication to trick the people that have the keys to applications into giving them up.

Phishing increased 250% in 2018, according to Microsoft.

Vulnerabilities in applications are  a key vector in phishing - not the most common vector, but a key vector.  Nonetheless, we are testing for them more and more rarely.  For instance, unvalidated requests and forwards dropped from the OWASP Top 10 in 2017, as was Cross Site REquest Forgery, even though they are used in a significant portion of phishing attacks.  I get it, SQL Injection is more damaging and Cross Site Scripting is sexier, but these identity attacks are what the attackers are doing these days.

Bottom line, you have to be checking for these vulnerabilities.  Here is an incomplete list:

  • Unvalidated Requests and Forwards
  • Cross Site Request Forgery
  • Cross Site Scripting
  • Host Header Poisoning
  • Lack of Two Factor Authentication
  • CORS Policy Violations
  • Improper Handling of HTTP Verbs
  • Out of Date or Insecure Third Party Components

I'll do a little more research on this topic and see if I can't get together a testing guide on this, but in the meantime I think you will find guidance in the new OWASP ASVS v4.0.

Application Security This Week for March 3

A new tool for finding malicious JavaScript and securely using external libraries.



Acunetix has it's annual report out.  Gotta give them your dox though, sorry.



Portswigger has their annual report out too.  You do NOT need to give them your dox.  Just sayin.



Really cool video that shows the non-FUD dangers of digital exploitation, without using a single website, computer, or black hoodie.



New Google Translate exploit. Funny, because I used Google Translate as a counter-example in my REST security talk.



Universal RCE with Ruby YAML.load()



And that's the news!

Application Security This Week for February 24

Cool PoC of the Mac vulnerability CVE-2018-4193, an RCE in WindowServer.



Terrifying vulnerability in an underlying component of Docker, Kubernates, and other virtuilazation software leads to hypervisor breakdown.



An Oracle DCMA takedown of a Docker container leads to some interesting build awareness. Good Reddit thread.



A fourteen year old flaw was discovered in the encryption facility of WinRAR.  Whoops.  So much for the thousand eyes on open source theory.



Microsoft turbocharges GitHub's bug bounty program.



And that's the news!

Application Security This Week for February 17

A maintainer of the underlying runtime for Docker and Kubernetes) reported a vulnerability.



Here is a PoC codebase for the above.  Well written too.



Hashcat can now crack any eight chatacter Windows password in two hours.



Interested in Bug Bounties?  Think they are all taken?  Facebook CSRF finding nets $25,000.



And that's the news.

Application Security This Week for February 10

Ullaakut on Reddit posted this toolset: Gorsair, a tool to remotely access the exposed Docker API of vulnerable Docker containers.  Works, too.



Someone already pwned TLS 1.3, for crying out loud.



Cool attack on CORS configuration in mobile devices



RCE in Libreoffice.  Not so free NOW areya?



And that's the news. Stay warm.

Application Security This Week for January 27

Here's a thread by Michael Stanek about how bad 7-zip's encryption algorithm is.  I use this all the time and had no idea.



An exploit POC that Mark Haase wrote for the new SCP vulnerability.



Hadoop is the new target for a lot of malware.  Please stop leaving your clusters vulnerable.



Chrome is turning off the API that UBlock Origin uses. Makes sense - Chrome is free, Google is an ad company. Whatcha gonna do?



While you're here, the Central Ohio Infosec Summit has their annual Call For Papers open.  Submit!



And that's the news.

Application Security This Week for January 20

A 773 million record file of usernames and passwords discovered



Google releases a tool to help with TLS certificate management



Really cool attack discovered using zero width spaces



DNS Hijacking on the rise



Late addition: Watch your password control logic, please!


That's the news, folks.

Application Security This Week for January 6

New year, new vulnerabilities.


Or old vulnerabilities.  How about Open Redirects, the vulnerability no one cares about other than the bad guys.



We gotta look back at The Year That Was.



Someone cracked recaptcha.  Again.



Chrome was leaking device info.  I got caught by this too.



Cool research on a malicious jpeg.




That's the news, folks.  Happy new year! Hope to see some of you at CodeMash.


Application Security This Week for December 23

SplashData has their 100 worst passwords out again this year.  Remember, at least, prevent these passwords in your signin flow.



Really good breakdown of finding hidden files and directories and using them for information gathering on web applications.



Microsoft has come out with Windows Sandbox - might be a good platform for analyzing malware, but the jury is still out.



Gah, bug in Ghostscript.  Lots of vectors in the ImageMagik/PostScript space these days, watch yourselves.



And this is why I write up folks that have third party hosted JavaScript.



That's the news folks.  Stay safe, and have a good holiday.

Application Security This Week for December 16

The House oversight report on Equifax is out, and it is a doosy.  Ouch.


Here's a good Twitter thread on it, unrolled



XXE was added to the OWASP Top 10 and some scoffed.  Read this before you blow it off.



OAuth is a thing, and deserves more research.  If Twitter can screw it up, anyone can.



Wordpress 5 got a security release.  Get your hax in while you can.



So SMS based two factor auth is better than NOTHING, but not much.



That's the news, folks.


Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.



profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites