Application Security This Week for November 8

Compass Security built a really nice Burp plugin that helps with the reporting of findings by copying the request and response pair from various tools.

https://blog.compass-security.com/2020/10/burp-extension-copy-request-response/

 

Container security is all the rage. Here is a good primer.

https://cloudberry.engineering/article/practical-introduction-container-security/

 

Random vulnerability names ... so hawt right now.

https://www.theregister.com/2020/11/03/cert_bug_names/

 

One of the Big 4 consulting/audit firms helpfully built a "test your Hacker IQ" quiz that exposes the DB username and password.

https://www.theregister.com/2020/11/05/deloitte_hacker_test/

 

I have written in this humble publication many times about my disdain for cryptic TLS vulnerabilities (pun intended), and now Let's Encrypt is going to cut off 30% of Android devices.

https://letsencrypt.org/2020/11/06/own-two-feet.html

 

That's the news, folks.

Application Security This Week for November 1

Not a lot going on this week. Almost as if everyone has something else to think about.

 

Get your debugger on. Good two-parter on getting your feet wet with a little close-to-the-metal code.

https://www.moritz.systems/blog/how-debuggers-work-getting-and-setting-x86-registers-part-1/

 

For the bounty hunters: Harvard published a guide to the legal risk involved in bug hunting.

https://clinic.cyber.harvard.edu/2020/10/30/cyberlaw-clinic-and-eff-publish-guide-to-legal-risks-of-security-research/

 

Writing Go code? Here's a new fuzzer for your Go apps.

https://adalogics.com/blog/getting-started-with-go-fuzz

 

That's the news folks. Have a great week!

 

Application Security This Week for October 25

Microsoft has created the Adversarial ML Threat Matrix. If you are in Machine Learning, it is certainly worth a look.

https://www.microsoft.com/security/blog/2020/10/22/cyberattacks-against-machine-learning-systems-are-more-common-than-you-think/

 

Fuzzilli is a JS fuzzing library that allows you to write fuzzing patterns in a custom interpreted language to generate errors, find injection points, and do other useful things.

https://www.darknet.org.uk/2020/10/fuzzilli-javascript-engine-fuzzing-library/

 

Hijacking DNS is one of my biggest worries because it slips between the cracks of appsec and devops.

https://github.com/SuperFola/DoNotSend

 

FinalRecon is a recently updated web recon tool. I haven't tried it yet, but I'm going to.

https://github.com/thewhiteh4t/FinalRecon

 

Good writeup on the recent RCE bug patched in Discord.

https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1

 

CORS is new (ish) and this is a great breakdown on hacking it from a knowledge perspective.

https://medium.com/bugbountywriteup/hacking-http-cors-from-inside-out-512cb125c528

 

Have a great week everyone.

Application Security This Week for October 18

Great explainer on using OWASP ZAP, instead of DotDotPwn, for directory traversal attacks. I haven't used it yet, but it looks really promising.

https://diegogiacomelli.com.br/owasp-zap-path-traversal-and-asp-dotnet-notes/

 

Wanna write Burp extensions? Me too! Here are some good tools.

https://github.com/doyensec/burpdeveltraining

 

Man, I'm doing a lot with Docker container security. This is a good breakdown.

https://cloudberry.engineering/article/dockerfile-security-best-practices/

 

That's the news, folks. Hope you are all doing well.

 

Application Security This Week for October 11

Totally forgot to do this last week, sorry.

 

Telerik released Fiddler Everywhere.

https://www.telerik.com/fiddler

 

GitHub has added code scanning.

https://github.blog/2020-09-30-code-scanning-is-now-available/

 

Another example of what I am admittedly harping on too much: the power of HTTP request smuggling.

https://medium.com/@ricardoiramar/the-powerful-http-request-smuggling-af208fafa142

 

Here's a cool intro to manual static vulnerability analysis by Will Butler.

https://btlr.dev/blog/how-to-find-vulnerabilities-in-code-bad-words

 

Some basics of securing APIs.

https://dev.to/bearer/api-security-best-practices-3gjl

 

Have a good week, everyone!

Application Security This Week for September 27

A list of Capture The Flags that are on now or forever!

https://captf.com/practice-ctf/

 

The source code to XP was leaked. This isn't a surprise; extended support gives folks access to it. It was bound to get out.

https://thehackernews.com/2020/09/windows-xp-source-code.html

What's funny is the comments though:

https://pastebin.com/PTLeWhc2

 

The EFF is reporting on the very real problem of student contact tracing apps violating privacy considerations. Balance has to be found.

https://www.eff.org/deeplinks/2020/09/students-are-pushing-back-against-proctoring-surveillance-apps

 

That's the news, folks. Stay safe.

Application Security This Week for September 20

Microsoft open sourced their fuzzing framework.

https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/

 

Not new, but certainly worth a read: how HTTPS works.

https://howhttps.works/

 

Ming Chow, a buddy of mine, did a fantastic online course on packet analysis that includes a nod to your humble author (around minute 58).

https://www.youtube.com/watch?v=Lj2DaFLRQVI&feature=youtu.be

 

Stay safe out there.

 

Application Security This Week for September 13

Or Maypril 319, but who is counting.

 

Here's an OLD Visual Studio project that gets AES keys from running applications. Seems to still work!

https://github.com/mmozeiko/aes-finder

 

Another writeup on my current favorite bug, HTTP request smuggling.

https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c

 

Via Matt Groves, this tool tests Couchbase databases for injection. Pretty slick.

https://github.com/FSecureLABS/N1QLMap

 

Neat article on using Fuzzilli to fuzz JavaScript engines using an intermediate language.

https://blog.doyensec.com/2020/09/09/fuzzilli-jerryscript.html

 

Cool breakdown on using Mobile Device Management to get RCE on devices.

https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html?m=1

 

That's the news, folks. Stay safe.

Application Security This Week for September 6

Cool 10,000-foot overview of web application vulnerability assessment. Clearly written and concise.

https://www.codementor.io/@seanhiggins550/the-ins-and-outs-of-penetration-testing-for-web-apps-19jhhqsexo

 

A really well thought through attack on HTML sanitizers.

https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/

 

El Reg has a good article on spear-phishing developers to get access to back-end tools. This is why the vulnerability analysts tell you to decommission old test systems.

https://www.theregister.com/2020/09/04/disclosure_developer_targeting/

 

Nice intro to blind SQL injection.

http://www.mannulinux.org/2020/09/sql-injection-filter-bypass-to-perform.html?m=1

 

That's the news, folks. Have a good Labor Day!

Application Security This Week for August 30

Monsoon is a fast HTTP request enumerator that allows you to run a large number of tests to try out potential findings.

https://github.com/RedTeamPentesting/monsoon

 

Python devs: don't run Python in your Downloads folder! Python isn't designed for that, and there are vulnerabilities.

https://glyph.twistedmatrix.com/2020/08/never-run-python-in-your-downloads-folder.html

 

A really fantastic list of Android security resources.

https://github.com/ashishb/android-security-awesome

 

That's the latest, folks! Have a great week.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
