Compass Security built a really nice Burp extension that helps with reporting findings by copying request/response pairs out of the various Burp tools.
https://blog.compass-security.com/2020/10/burp-extension-copy-request-response/
Container Security is all the rage. Here is a good primer.
https://cloudberry.engineering/article/practical-introduction-container-security/
Random vulnerability names ... so hawt right now.
https://www.theregister.com/2020/11/03/cert_bug_names/
One of the Big 4 consulting/audit firms helpfully built a "test your Hacker IQ" quiz that exposes the DB username and password.
https://www.theregister.com/2020/11/05/deloitte_hacker_test/
I have written in this humble publication many times about my disdain over cryptic TLS vulnerabilities (pun intended) and now Let's Encrypt is going to cut off 30% of Android devices.
https://letsencrypt.org/2020/11/06/own-two-feet.html
That's the news, folks.
Not a lot going on this week. Almost as if everyone has something else to think about.
Get your debugger on. Good two-parter on getting your feet wet with a little close-to-the-metal code.
https://www.moritz.systems/blog/how-debuggers-work-getting-and-setting-x86-registers-part-1/
For the bounty hunters: Harvard's Cyberlaw Clinic and the EFF published a guide to the legal risks involved in bug hunting.
https://clinic.cyber.harvard.edu/2020/10/30/cyberlaw-clinic-and-eff-publish-guide-to-legal-risks-of-security-research/
Writing Go code? Here's a getting-started guide to go-fuzz for your Go apps.
https://adalogics.com/blog/getting-started-with-go-fuzz
That's the news folks. Have a great week!
Microsoft has created the Adversarial ML Threat Matrix. If you are in Machine Learning, it is certainly worth a look.
https://www.microsoft.com/security/blog/2020/10/22/cyberattacks-against-machine-learning-systems-are-more-common-than-you-think/
Fuzzilli is a coverage-guided fuzzer for JavaScript engines. It generates and mutates programs in its own intermediate language (FuzzIL) and translates them to JavaScript, which keeps the generated test cases syntactically and semantically valid enough to reach deep into the engine.
https://www.darknet.org.uk/2020/10/fuzzilli-javascript-engine-fuzzing-library/
Hijacking DNS is one of my biggest worries because it slips between the cracks of appsec and devops.
https://github.com/SuperFola/DoNotSend
FinalRecon is a recently updated web recon tool. I haven't tried it yet but I'm gonna.
https://github.com/thewhiteh4t/FinalRecon
Good writeup on the recent RCE bug patched in Discord.
https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1
CORS is still widely misunderstood, and this is a great breakdown of how to attack it, starting from how it actually works.
https://medium.com/bugbountywriteup/hacking-http-cors-from-inside-out-512cb125c528
Have a great week everyone.
Great explainer on using OWASP ZAP, instead of DotDotPwn, for directory traversal attacks. I haven't used it yet but it looks really promising.
https://diegogiacomelli.com.br/owasp-zap-path-traversal-and-asp-dotnet-notes/
Wanna write Burp extensions? Me too! Here's a good training repo from Doyensec.
https://github.com/doyensec/burpdeveltraining
Man, I'm doing a lot with Docker container security. This is a good breakdown.
https://cloudberry.engineering/article/dockerfile-security-best-practices/
That's the news folks. Hope you are all doing well.
Totally forgot to do this last week, sorry.
Telerik released Fiddler Everywhere.
https://www.telerik.com/fiddler
GitHub has added code scanning.
https://github.blog/2020-09-30-code-scanning-is-now-available/
Another example of what I am admittedly harping on too much: the power of HTTP request smuggling.
https://medium.com/@ricardoiramar/the-powerful-http-request-smuggling-af208fafa142
Here's a cool intro to manual static vulnerability analysis by Will Butler.
https://btlr.dev/blog/how-to-find-vulnerabilities-in-code-bad-words
Some basics of securing APIs
https://dev.to/bearer/api-security-best-practices-3gjl
Have a good week, everyone!
A list of Capture The Flags that are running now or available permanently!
https://captf.com/practice-ctf/
The source code to XP was leaked. This isn't a surprise: Microsoft has licensed Windows source to governments, OEMs and academics under its shared-source programs for years, so it was bound to get out.
https://thehackernews.com/2020/09/windows-xp-source-code.html
What's funny, though, is the comments:
https://pastebin.com/PTLeWhc2
The EFF is reporting on the very real problem of exam-proctoring surveillance apps violating students' privacy, and on the students pushing back. Balance has to be found.
https://www.eff.org/deeplinks/2020/09/students-are-pushing-back-against-proctoring-surveillance-apps
That's the news, folks. Stay safe.
Microsoft open-sourced its fuzzing framework, OneFuzz.
https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/
Not new but certainly worth a read: how HTTPS works.
https://howhttps.works/
Ming Chow, a buddy of mine, did a fantastic online course on packet analysis that includes a nod to your humble author (around minute 58).
https://www.youtube.com/watch?v=Lj2DaFLRQVI&feature=youtu.be
Stay safe out there.
Or Maypril 319, but who is counting.
Here's an OLD Visual Studio project that recovers AES keys from running applications by scanning process memory for the expanded key schedule that sits next to every in-use key. Seems to still work!
https://github.com/mmozeiko/aes-finder
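To show what "scanning for the key schedule" means in practice, here is an added example (not aes-finder's code, and not taken from that repo) in Python. It derives the AES S-box, runs the FIPS-197 key expansion, and then slides a window over a constructed memory blob looking for any 16 bytes that are followed by their own 160-byte expanded schedule. It is deliberately limited to AES-128 encryption-direction schedules; the blob, the seed and the planting offset are constructed for the demo, and the key is the FIPS-197 Appendix A.1 example key.

```python
import random


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r & 0xFF


def _rotl8(v: int, n: int) -> int:
    return ((v << n) | (v >> (8 - n))) & 0xFF


def _build_sbox() -> list:
    """Derive the AES S-box (multiplicative inverse, then the affine map) rather than hard-coding it."""
    inv = [0] * 256
    for a in range(1, 256):
        if not inv[a]:
            for b in range(1, 256):
                if gf_mul(a, b) == 1:
                    inv[a], inv[b] = b, a
                    break
    return [x ^ _rotl8(x, 1) ^ _rotl8(x, 2) ^ _rotl8(x, 3) ^ _rotl8(x, 4) ^ 0x63
            for x in inv]


SBOX = _build_sbox()
SCHEDULE_LEN = 176   # 11 round keys x 16 bytes for AES-128


def expand_key_128(key: bytes) -> bytes:
    """FIPS-197 key expansion for a 16-byte key; returns the 176-byte schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = list(key)
    rcon = 0x01
    for i in range(4, 44):
        t = w[(i - 1) * 4:i * 4]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        w += [a ^ b for a, b in zip(w[(i - 4) * 4:(i - 3) * 4], t)]
    return bytes(w)


def find_aes128_keys(mem: bytes) -> list:
    """Slide over memory; report (offset, key) wherever a full encryption schedule follows the key."""
    hits = []
    for off in range(len(mem) - SCHEDULE_LEN + 1):
        cand = mem[off:off + 16]
        # Cheap prefilter: recompute only w[4], the first word of round key 1.
        t = [SBOX[b] for b in cand[13:16] + cand[12:13]]
        t[0] ^= 0x01
        w4 = bytes(a ^ b for a, b in zip(cand[0:4], t))
        if mem[off + 16:off + 20] != w4:
            continue
        if expand_key_128(cand) == mem[off:off + SCHEDULE_LEN]:   # full confirmation
            hits.append((off, bytes(cand)))
    return hits


SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A.1 key


def build_sample_memory(seed: int = 1, size: int = 4096, at: int = 1234) -> bytes:
    """Constructed stand-in for a process memory dump: random filler with one schedule planted."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[at:at + SCHEDULE_LEN] = expand_key_128(SAMPLE_KEY)
    return bytes(buf)


if __name__ == "__main__":
    for off, key in find_aes128_keys(build_sample_memory()):
        print(f"AES-128 key at offset {off:#x}: {key.hex()}")
```

The prefilter is what makes this cheap enough to run over a whole address space: four S-box lookups and a 4-byte compare reject almost every offset, and the full 176-byte expansion only runs on the handful that survive. A tool meant for real dumps also has to handle 192- and 256-bit keys and the decryption-direction schedule layouts some libraries keep in memory, which this example leaves out.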
Another writeup on my current favorite bug, HTTP Request Smuggling.
https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c
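Since request smuggling comes up here and in the earlier "power of HTTP request smuggling" link, here is an added example (not from either writeup, and not the h2c variant) of the classic CL.TE case behind it. One constructed POST carries a Content-Length and a Transfer-Encoding: chunked header that disagree; it is framed once the way a front end that trusts Content-Length would, and once the way a back end that trusts chunked encoding would. The request bytes, the host name and the innocent follow-on GET are all constructed for the demo.

```python
# Constructed CL.TE request: Content-Length says 13 body bytes, chunked says "empty body".
RAW_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 13\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"SMUGGLED"
)
# A second, innocent request from another user arriving on the same back-end connection.
NEXT_REQUEST = b"GET /innocent HTTP/1.1\r\nHost: example.test\r\n\r\n"


def parse_headers(buf: bytes):
    """Return (lower-cased header dict, index of the first body byte)."""
    head, sep, _ = buf.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, len(head) + 4


def frame_by_content_length(buf: bytes):
    """Front-end behaviour: body is exactly Content-Length bytes; the rest is the next request."""
    headers, start = parse_headers(buf)
    n = int(headers.get(b"content-length", b"0"))
    return buf[start:start + n], buf[start + n:]


def frame_by_chunked(buf: bytes):
    """Back-end behaviour: body ends at the zero-size chunk; the rest is the next request."""
    headers, pos = parse_headers(buf)
    if headers.get(b"transfer-encoding", b"").lower() != b"chunked":
        raise ValueError("not chunked")
    body = b""
    while True:
        eol = buf.index(b"\r\n", pos)
        size = int(buf[pos:eol].split(b";")[0], 16)   # chunk extensions are ignored
        pos = eol + 2
        if size == 0:
            while True:                                # trailer section ends at an empty line
                eol = buf.index(b"\r\n", pos)
                line, pos = buf[pos:eol], eol + 2
                if not line:
                    break
            return body, buf[pos:]
        body += buf[pos:pos + size]
        pos += size + 2                                # chunk data plus its CRLF


def request_line(buf: bytes) -> bytes:
    return buf.split(b"\r\n", 1)[0]


def demonstrate_cl_te() -> dict:
    """Frame the same byte stream both ways and show what each hop thinks the next request is."""
    stream = RAW_REQUEST + NEXT_REQUEST
    fe_body, fe_rest = frame_by_content_length(stream)   # front end (CL)
    be_body, be_rest = frame_by_chunked(stream)          # back end (TE)
    return {
        "frontend_body": fe_body,
        "frontend_next": request_line(fe_rest),
        "backend_body": be_body,
        "backend_next": request_line(be_rest),
    }


if __name__ == "__main__":
    for k, v in demonstrate_cl_te().items():
        print(f"{k:14} {v!r}")
```

The front end forwards the whole 13-byte body as one request and sees the innocent GET next; the back end stops at the zero-length chunk, leaves "SMUGGLED" on the wire, and glues it onto the front of the next user's request line. RFC 7230 says a message carrying both headers must be framed as chunked and the Content-Length discarded (or the message rejected); the bug is two hops that each apply their own rule.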
Via Matt Groves, this tool tests Couchbase databases for N1QL injection. Pretty slick.
https://github.com/FSecureLABS/N1QLMap
Neat article on using Fuzzilli to fuzz JavaScript engines using an intermediate language.
https://blog.doyensec.com/2020/09/09/fuzzilli-jerryscript.html
Cool breakdown of an unauthenticated RCE in MobileIron MDM servers, and how it was used to get into Facebook's.
https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html?m=1
That's the news folks. Stay safe.
Cool 10,000-foot overview of web application vulnerability assessment. Clearly written and concise.
https://www.codementor.io/@seanhiggins550/the-ins-and-outs-of-penetration-testing-for-web-apps-19jhhqsexo
A really well thought through attack on HTML sanitizers.
https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/
El Reg has a good article on spear-phishing developers to get access to back end tools. This is why the vulnerability analysts tell you to decommission old test systems.
https://www.theregister.com/2020/09/04/disclosure_developer_targeting/
Nice intro to blind SQL injection, including getting past a filter to do it.
http://www.mannulinux.org/2020/09/sql-injection-filter-bypass-to-perform.html?m=1
That's the news, folks. Have a good Labor Day!
Monsoon is a fast HTTP enumerator: it fires off large numbers of requests, filters the responses, and shows them in real time, which makes it handy for quickly trying out potential findings.
https://github.com/RedTeamPentesting/monsoon
Python devs: never run python from your Downloads folder! The interpreter puts the script's own directory (or the current directory, for an interactive session) at the front of sys.path, so any stray file in there named like a module you import gets loaded in place of the real one.
https://glyph.twistedmatrix.com/2020/08/never-run-python-in-your-downloads-folder.html
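To make the import-shadowing mechanism concrete, here is an added example (not from that post) that builds a throwaway "Downloads" folder containing a harmless script next to a planted file called json.py, runs the script in a child interpreter, and reports which json module actually got imported. The folder, the script and the planted file are constructed for the demo; the second run uses the -P flag, which only exists on Python 3.11 and later, so it is skipped on older interpreters.

```python
import os
import subprocess
import sys
import tempfile

# Constructed scenario: a "Downloads" folder holding a harmless script next to
# one attacker-supplied file named like a standard-library module.
SHADOWED_MODULE = "json"
PLANTED_FILE = (
    "# Attacker-controlled file; a real one would run a payload at import time.\n"
    "PLANTED = True\n"
)
VICTIM_SCRIPT = f"import {SHADOWED_MODULE} as m\nprint(m.__file__)\n"


def run_victim(downloads: str, safe_path: bool) -> str:
    """Run script.py from `downloads` in a child interpreter; return the path of the module it imported."""
    env = dict(os.environ, PYTHONDONTWRITEBYTECODE="1")
    env.pop("PYTHONSAFEPATH", None)          # make sure the "unsafe" run really is the default behaviour
    cmd = [sys.executable]
    if safe_path:
        cmd.append("-P")                     # 3.11+: do not prepend the script's directory to sys.path
    cmd.append(os.path.join(downloads, "script.py"))
    proc = subprocess.run(cmd, capture_output=True, text=True, env=env, check=True)
    return proc.stdout.strip()


def safe_path_supported() -> bool:
    return sys.version_info >= (3, 11)


def demo() -> dict:
    with tempfile.TemporaryDirectory() as downloads:
        with open(os.path.join(downloads, SHADOWED_MODULE + ".py"), "w") as f:
            f.write(PLANTED_FILE)
        with open(os.path.join(downloads, "script.py"), "w") as f:
            f.write(VICTIM_SCRIPT)
        return {
            "downloads": os.path.realpath(downloads),
            "unsafe": run_victim(downloads, safe_path=False),
            "safe": run_victim(downloads, safe_path=True) if safe_path_supported() else None,
        }


def imported_from_downloads(result: dict, key: str) -> bool:
    """True if the module path recorded under `key` lives in the constructed Downloads folder."""
    path = result[key]
    return path is not None and os.path.realpath(os.path.dirname(path)) == result["downloads"]


if __name__ == "__main__":
    r = demo()
    print("default run imported:", r["unsafe"])
    print("-P run imported:     ", r["safe"])
```

The default run resolves `import json` to the planted file because the script's directory is sys.path[0]; with -P (or PYTHONSAFEPATH=1 in the environment) the same script gets the standard library's json package. On interpreters older than 3.11 the only fix is the one the post gives: don't run Python from a directory you don't control.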
A really fantastic list of Android security resources.
https://github.com/ashishb/android-security-awesome
That's the latest, folks! Have a great week.