A list of Capture The Flags that are on now or forever!

https://captf.com/practice-ctf/

The source code to XP was leaked.  This isn't a surprise, extended support gives folks access to it.  It was bound to get out.

https://thehackernews.com/2020/09/windows-xp-source-code.html

What's funny is the comments though:

https://pastebin.com/PTLeWhc2

The EFF is reporting on the very real problem of student contact tracing apps violating privacy considerations.  Balance has to be found.

https://www.eff.org/deeplinks/2020/09/students-are-pushing-back-against-proctoring-surveillance-apps

That's the news, folks.  Stay safe.

Microsoft open sourced their fuzzing framework

https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/

Not new but certain worth a read - how HTTPS works

https://howhttps.works/

Ming Chow - a buddy of mine and did a fantastic online course on packet analysis, that includes a nod to your humble author (around minute 58)

https://www.youtube.com/watch?v=Lj2DaFLRQVI&feature=youtu.be

Stay safe out there.

Or Maypril 319 but who is counting.

Here's an OLD Visual Studio project that gets AES keys from running applications.  Seems to still work!

https://github.com/mmozeiko/aes-finder

 Another writeup on my current favorite bug, HTTP Request Smuggling.

https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c

Via Matt Groves, this tool tests CouchBase databases for injection.  Pretty slick.

https://github.com/FSecureLABS/N1QLMap

Neat article on using Fuzzilli to fuzz JavaScript engines using an intermediate language.

https://blog.doyensec.com/2020/09/09/fuzzilli-jerryscript.html

Cool breakdown on using Mobile Device Management to get RCE on devices.

https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html?m=1

That's the news folks.  Stay safe.

Cool 10,000 foot overview of web application vulnerability assessment.  Clearly written and concise.

https://www.codementor.io/@seanhiggins550/the-ins-and-outs-of-penetration-testing-for-web-apps-19jhhqsexo

A really well thought through attack on HTML sanitizers.

https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/

El Reg has a good article on spear-phishing developers to get access to back end tools.  This is why the vulnerability analysts tell you to decommission old test systems.

https://www.theregister.com/2020/09/04/disclosure_developer_targeting/

Nice into to blind SQL injection.

http://www.mannulinux.org/2020/09/sql-injection-filter-bypass-to-perform.html?m=1

That's the news, folks.  Have a good Labor Day!

Monsoon is a fast HTTP request enumerator that allows you to run a large number of tests to try out potential findings.

https://github.com/RedTeamPentesting/monsoon

Python devs: Don't run the executable in your downloads folder! Python isn't designed for that and there are vulnerabilities.

https://glyph.twistedmatrix.com/2020/08/never-run-python-in-your-downloads-folder.html

A really fantastic list of Android security resources.

https://github.com/ashishb/android-security-awesome

That's the latest, folks! Have a great week.

Update Jenkins - there is a flaw in the HTTP renderer.

https://www.jenkins.io/security/advisory/2020-08-17/

https://thehackernews.com/2020/08/jenkins-server-vulnerability.html

Pretty cool article about attacking the MS Exchange web interface

https://swarm.ptsecurity.com/attacking-ms-exchange-web-interfaces/

Don't usually talk locksport here but it's a slow news week and this is pretty cool - creating a key based on the sound of the original entering the lock.

https://cacm.acm.org/news/246744-picking-locks-with-audio-technology/fulltext

That's the news!

Microsoft pushed a change to ASP.NET for a DoS vulnerability.  Not only should you patch, but looking at the change control is worth your time.

https://github.com/aspnet/Announcements/issues/431

Speaking of .NET, Adam Chester has an awesome article about the debugger that is worth a look.

https://blog.xpnsec.com/debugging-into-net/

Sonatype has their annual report on the Software Supply Chain ready, which is a topic near and dear to my heart. You have to give them your email, but it is worth it.

https://www.sonatype.com/2020ssc

I spoke to the .NET Dev Group in Columbus about this topic in March and it got a little spicy.

https://www.youtube.com/watch?v=KWt0Brcc2Ag

 Finally, here is another good analysis paper on the application security development lifecycle.

https://www.veracode.com/sites/default/files/pdf/resources/surveyreports/esg-modern-application-development-security-veracode-survey-report.pdf

Stay safe and well.

S

The new Open Source Security Foundation is trying to broaden the reach of information security best practice.

https://github.com/ossf

Four new variants of HTTP Request Smuggling were published, and they are pretty cool.

https://thehackernews.com/2020/08/http-request-smuggling.html

A really cool XMLK External Entity flaw was used to get RCE in the latest Pwn2Own competition.

http://muffsec.com/blog/?p=608

That's the news, folks.

S

Check your Docker API permissions.  A new piece of malware has been turning cloud hosted containers into mining rigs.

https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/

Remember when I told you that Microsoft is dropping support for TLS 1.0 and 1.1?  Well, SHA-1 is next.

https://www.theregister.com/2020/07/29/microsoft_windows_sha_1/

1d8 posted a good primer on setting up an android security analysis lab.  It's pretty solid.

https://github.com/1d8/Android-Analysis

I did a talk on a similar topic at GrrCon a few years back

http://www.irongeek.com/i.php?page=videos/grrcon2016/114-breaking-android-apps-for-fun-and-profit-bill-sempf

Finally, I'll be at the OWASP Booth at Virtual BlackHat Wednesday afternoon (3-7 EDT). I have no idea how it will work yet, but it should be fun! Come have a virtual beer with me.

That's the news.  Stay safe out there.

They dropped Open Redirection from the OWASP Top 10 but, like CSRF, it is still out there. Here is a neat tool to help find it.

https://github.com/0xNanda/Oralyzer

FireEye has a neat new toolset to crowdshare malware patterns.  I haven't dug into this yet, but I am fascinated.  Malware isn't my thing - I am a web guy - but this is a cool idea.

https://www.fireeye.com/blog/threat-research/2020/07/capa-automatically-identify-malware-capabilities.html

Microsoft has started killing off TLS 1.0 and 1.1 really for real this time.  Really.  Interesting take, because in poorer countries who are still using old Android and iOS devices are effectively losing access to the tools.  Acceptable losses? Seems so.

https://docs.microsoft.com/en-us/microsoft-365/compliance/tls-1.0-and-1.1-deprecation-for-office-365?view=o365-worldwide

Gotta love a sanitizer bypass in ... a sanitizer tool.

https://research.securitum.com/html-sanitization-bypass-in-ruby-sanitize-5-2-1/

That's the news.  Hope everyone is well.