It's the holiday edition! No I'm kidding it's the same stuff as usual. Sorry.
Apparently there is a chat app that is literally spyware developed by a nation state. This isn't a political blog, but the technical implications are deep. Here's a good writeup.
https://objective-see.com/blog/blog_0x52.html
I'm all about supply chain issues, and this is a really good analysis of risks involved with package managers like npm.
https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/
Someone reverse engineered an RSA token, and is using it to bypass two factor in the wild.
https://www.schneier.com/blog/archives/2019/12/chinese_hackers_1.html
That's the news folks. See you next decade.
Hope everyone has a good holiday.
You probably heard that the Russian offices of ngnix were raided by the government. F5 is doing a code review.
https://www.msn.com/en-us/news/technology/f5-networks-secures-ngnix-software-builds-as-precaution-after-visit-from-russian-law-enforcement/ar-BBY357u?ocid=ARWLCHR
Solid research on privilege escalation in Amazon Web Services. Very real problem.
https://know.bishopfox.com/research/privilege-escalation-in-aws
Do you want to bone up on real world appsec skills over the week? I recommend the PortSwigger Web Academy.
https://portswigger.net/web-security
That's the news.
Nice writup that explains a pivot from and iPhone app all the way through to domain access via chained exploits. Application security is hard.
https://decoder.cloud/2019/12/12/from-iphone-to-nt-authoritysystem/
The security.txt file is near becoming an IETF standard.
https://mailarchive.ietf.org/arch/msg/ietf-announce/OFuiGlVv6WgvEEABaGmnYi120yU
Cool Azure horizontal privilege escalation writeup using the cloud shell.
https://blog.netspi.com/attacking-azure-cloud-shell/
That's the news. Hope everyone is having a stress-free holiday.
My favorite thing this week: SwiftOnSecurity accidentally dropped a Confluence 0-day on Twitter. Oopsie.
https://www.theregister.co.uk/2019/12/05/atlassian_zero_day_bug/
An Android spoofing vulnerability is already being exploited by bank thieves. Hard to write secure apps when the platform doesn't help.
https://arstechnica.com/information-technology/2019/12/vulnerability-in-fully-patched-android-phones-under-active-attack-by-bank-thieves/
On that topic, here's a cool primer on Android reverse engineering.
https://maddiestone.github.io/AndroidAppRE/
TruffleHog is a new (and still a little rough) script to sniff out secrets from GitHub repos.
https://www.darknet.org.uk/2019/12/trufflehog-search-git-for-high-entropy-strings-with-commit-history/
AWS built a took to yell at you if you have open S3 buckets.
https://www.theregister.co.uk/2019/12/03/aws_s3_buckets/
That's the news, folks. Stay safe out there.
Fortinet is communicating with static keys and a simple XOR. Whoops.
https://sec-consult.com/en/blog/advisories/weak-encryption-cipher-and-hardcoded-cryptographic-keys-in-fortinet-products/
An Android gif library has an interesting vulnerability that will affect many application.
https://seclists.org/fulldisclosure/2019/Nov/27
An OWASP member made a neat ZAP plugin that helps to attack deployed Kubernetes applications.
https://github.com/omerlh/zap-operator
Hope everyone had a great thanksgiving.
S
Github is starting SecurityLab. It's part knowledge sharing, part secure coding, part bounty hunting, and it is pretty neat.
https://securitylab.github.com/
Stacey on IoT has a good writeup on device and container security citing this Trend Micro report
https://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2020
Subscribe to her newsletter!
https://staceyoniot.com/
TrustedSec, an infosec firm in Cleveland run by my friend Dave Kennedy, has open sourced their legal documentation for physical pentesting in order to try and prevent another Iowa.
https://github.com/trustedsec/physical-docs
Read more about why here
https://www.trustedsec.com/blog/a-message-of-support-coalfire-consultants-charged/
Cool writeup of a DOM clobbering vulnerability. I think DOM XSS will become more of a thing as browsers get more and more power.
https://research.securitum.com/xss-in-amp4email-dom-clobbering/
That's the news!
Great breakdown on finding bugs in an OAUTH flow
https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html
Only arguably appsec, but there is an artificial intelligence story writer that was determines to be too powerful to release into the wild, and it has been released into the wild
https://nakedsecurity.sophos.com/2019/11/11/ai-wordsmith-too-dangerous-to-be-released-has-been-released/
Remember when WordPress malware was all the rage? Well, not it is Slack Themes
https://fletchto99.dev/2019/november/slack-vulnerability/
I am a web guy, not an OS guy, so I learned a ton from this rootkit primer
https://capsule8.com/blog/dont-get-kicked-out-a-tale-of-rootkits-and-other-backdoors/
That's the news, folks.
Microsoft has a really good article on using a semantic query language to find exploitable DOM XSS findings. Honestly the whole series is recommended, but the DOM XSS one here is particularly good.
https://msrc-blog.microsoft.com/2018/08/16/vulnerability-hunting-with-semmle-ql-part-1/
Google Project Zero revealed a UAF bug in Android a bit ago, and here is an awesome analysis of how it happened. Good reading for mobile devs especially, but I certainly learned stuff too.
https://dayzerosec.com/posts/analyzing-androids-cve-2019-2215-dev-binder-uaf/
In continuing supply chain news, Armor has a good article on Managed Service Providers being a strong candidate for Malware Distributers of the Year.
https://www.armor.com/reports/new-msps-compromised-reports-armor/
That's the news!
Lawfare has a good article by Jim Baker (former legal council for the FBI) on a new way to think about encryption. You'll agree with some, disagree with some, but it will make you think.
https://www.lawfareblog.com/rethinking-encryption
From the Standard Vulnerability List: "When a session ends, first select the session ID from the client, then delete the session information from the server, then finally return the user to the login page." Session management matters, people.
https://arstechnica.com/information-technology/2019/10/five-months-after-returning-rental-car-man-still-has-remote-control/
Google is doing its "we are the Web so we will decide how it works" thing again, and threatening to enable samesite by default in Chrome. Here's some analysis of that.
https://www.jardinesoftware.net/2019/10/28/samesite-by-default-in-2020/
Speaking of Chrome nad running the web, here's El Reg's take on DNS over HTTPS:
https://www.theregister.co.uk/2019/10/29/chrome_dns_https/
Oh, and still speaking of Google and glass houses and stone throwing, there's an 0-day in Chrome.
https://www.bleepingcomputer.com/news/security/chrome-zero-day-bug-with-exploit-in-the-wild-gets-a-patch/
You know that stupid goose game your kid is playing? There is an insecure deserialization flaw in it.
https://pulsesecurity.co.nz/advisories/untitled-goose-game-deserialization
And finally, a good talk out of BSides Belfast about supply-chain attacks. Code review your open source libraries, folks!
https://www.infosecurity-magazine.com/news/bsidesbelfast-supply-chain/
Busy week! But that's the news.
Here's an interesting article on some non-JavaScript Cross-Site Scripting vectors.
https://x-c3ll.github.io/posts/CSS-Injection-Primitives/
Timely history lesson about the gradual movement of web application from primarily server-side to primarily client-side:
https://medium.com/young-coder/an-illustrated-beginners-guide-to-server-side-and-client-side-code-723cbb1db9ea
This isn't as new of an idea as the authors would like us to believe, but it is a good PoC of the CDN-related cache poisoning attack:
https://thehackernews.com/2019/10/cdn-cache-poisoning-dos-attack.html?m=1
Public disclosure of some bugs in AutoDesk discovered by binary fuzzing. Good way to get a look into this kind of testing - look breakdowns of CVEs.
https://fuzzit.dev/2019/10/25/discovery-and-analysis-of-2-dos-vulnerabilities-in-autodesk-fbx-1-unpatched/
PHP has a vector for remote code execution (combined with other known flaws) to patch if you can! Worth a read for the process, as well.
https://thehackernews.com/2019/10/nginx-php-fpm-hacking.html
That's the news, folks.