Application Security This Week for October 27

by Bill Sempf 27. October 2019 08:28

Here's an interesting article on some non-JavaScript Cross-Site Scripting vectors.

https://x-c3ll.github.io/posts/CSS-Injection-Primitives/

Timely history lesson on the gradual movement of web applications from primarily server-side to primarily client-side:

https://medium.com/young-coder/an-illustrated-beginners-guide-to-server-side-and-client-side-code-723cbb1db9ea

This isn't as new an idea as the authors would like us to believe, but it is a good PoC of the CDN-related cache poisoning attack:

https://thehackernews.com/2019/10/cdn-cache-poisoning-dos-attack.html?m=1

Public disclosure of some bugs in Autodesk software discovered by binary fuzzing. A good way to get a look into this kind of testing: look at breakdowns of CVEs.

https://fuzzit.dev/2019/10/25/discovery-and-analysis-of-2-dos-vulnerabilities-in-autodesk-fbx-1-unpatched/

PHP has a vector for remote code execution (combined with other known flaws) to patch if you can! Worth a read for the process, as well.

https://thehackernews.com/2019/10/nginx-php-fpm-hacking.html

That's the news, folks.

Application Security This Week for October 20

by Bill Sempf 20. October 2019 09:45

Here is a good writeup on the overflow error found in libssh2.

https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/

Speaking of bugs in old software, here's one in sudo.

https://www.openwall.com/lists/oss-security/2019/10/14/1

Using data analysis to further research into malware sources, with PDB paths. Pretty neat!

https://www.fireeye.com/blog/threat-research/2019/10/definitive-dossier-of-devilish-debug-details-part-deux.html

And in IoT security news, the Catholic church's eRosary (no, I'm not kidding) has a number of significant flaws.

https://www.msn.com/en-us/news/technology/vatican-s-wearable-rosary-gets-fix-for-app-flaw-allowing-easy-hacks/ar-AAIZICz?ocid=ARWLCHR

https://www.theregister.co.uk/2019/10/18/vatican_erosary_insecure/

That's the news, folks!

Application Security This Week for October 13

by Bill Sempf 13. October 2019 09:31

Portswigger has some good research on a new angle for cross-site leak attacks:

https://portswigger.net/research/xs-leak-leaking-ids-using-focus

Serverless infrastructures are slipping through the cracks as far as security testing goes. Here's a new tool for Amazon Lambda; hopefully it leads to more.

https://www.darknet.org.uk/2019/10/lambdaguard-aws-lambda-serverless-security-scanner/

Mozilla isolated an interesting RCE bug in iTerm2:

https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit/

Eric Lawrence (of Fiddler fame) has a good writeup on Chrome's new direction for cookies:

https://textslashplain.com/2019/09/30/same-site-cookies-by-default/

And that's the news.

Application Security This Week for October 6

by Bill Sempf 6. October 2019 12:40

This is a blog entirely dedicated to security analysis of mobile apps. No idea who writes it, but it is good.

https://theappanalyst.com/

Neat writeup on going from SQL Injection to Remote Code Execution.

https://medium.com/bugbountywriteup/sql-injection-to-lfi-to-rce-536bed29a862

I've been on a PHP project recently, and I learned about this cool tool to bypass disable_functions.

https://github.com/mm0r1/exploits/tree/master/php7-gc-bypass

Speaking of PHP, the static code analysis tool I learned to use was Exakat. Steep learning curve but unbelievable reports. And open source!

https://github.com/exakat/exakat

That's the news, folks.

Application Security This Week for September 29

by Bill Sempf 29. September 2019 08:57

The big news of the week is that every iPhone from 1 to X is apparently vulnerable to a bootROM flaw, and since it is a hardware problem Apple can't patch it. Fortunately, this won't help malware writers, but it will make it easier to jailbreak your phone, and there are some more sinister uses as well. Several articles:

https://blog.malwarebytes.com/mac/2019/09/new-ios-exploit-checkm8-allows-permanent-compromise-of-iphones/

https://arstechnica.com/information-technology/2019/09/developer-of-checkm8-explains-why-idevice-jailbreak-exploit-is-a-game-changer/

https://github.com/axi0mX/alloc8

https://github.com/axi0mX/ipwndfu

McAfee published a conglomeration of their studies on cloud security, and as I am sure you can imagine, the news isn't good.

https://www.theregister.co.uk/2019/09/24/mcafee_cloud_leak_study/

And there was a vulnerability discovered in Cold Fusion, so make sure you patch ... wait people still use Cold Fusion?

https://helpx.adobe.com/security/products/coldfusion/apsb19-47.html

Application Security This Week for September 15

by Bill Sempf 15. September 2019 15:02

Here's a neat Android reverse engineering game.

https://0x00sec.org/t/reversing-hackex-an-android-game/16243

A tool to edit images so that they carry payloads. Use it to test whether your image processing components have vulnerabilities!

https://github.com/chinarulezzz/pixload

I have been running into HTTP Request Smuggling a lot recently, after the new research by PortSwigger. Here is an interesting writeup.

https://medium.com/@memn0ps/http-request-smuggling-cl-te-7c40e246021c

That's the news, folks.

Application Security Weekly for September 8

by Bill Sempf 8. September 2019 13:58

Only Rails 6.x and 5.2.x are getting security updates. Plan your development accordingly.

https://rubyonrails.org/security/

Jason Karns was kind enough to pass along this awesome upgrade helper for Rails:

https://blog.testdouble.com/posts/2019-09-03-3-keys-to-upgrading-rails

I regularly write apps up for failure to disable autofill, and this article is a good explainer.

https://www.social-engineer.com/disable-autofill-browsers/

Bruce has a really good set of reasoning on why there is no difference between "commercial" encryption and "consumer" encryption.

https://www.schneier.com/blog/archives/2019/08/the_myth_of_con.html

iOS doesn't get a lot of malware love because it's only 12% of the phone market, but the bad guys realized that 12% has a lot of money, so here is a BOATload of exploits that Google found.

https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html?m=1

I also write folks up for clickjacking a lot, and it is making a comeback. It's just a header, people; add it.

https://nakedsecurity.sophos.com/2019/08/29/web-clickjacking-fraud-makes-a-comeback-thanks-to-javascript-tricks/

Some RCE flaws discovered in PHP. Update if you can, mitigate if you can't.

https://thehackernews.com/2019/09/php-programming-language.html?m=1

That's the news. Stay safe.

Application Security Weekly for August 25

by Bill Sempf 25. August 2019 14:56

Chrome is finally starting to defend against clickjacking.

https://www.theregister.co.uk/2019/08/19/clickjacking_countermeasures_chrome/

Dan Kaminsky only presented the solution in 2015.

https://dankaminsky.com/2015/08/09/defcon-23-lets-end-clickjacking/

Facebook is in more access control hot water.

https://nakedsecurity.sophos.com/2019/08/19/did-facebook-know-about-view-as-bug-before-2018-breach/

THERE IS AN IOS 12.4 JAILBREAK! Man, this made my life easier.

https://thehackernews.com/2019/08/ios-iphone-jailbreak.html?m=1

Oh man, a Zigbee toolset. I've done some of this in C#, but this is WAY cooler.

https://www.darknet.org.uk/2019/08/zigdiggity-zigbee-hacking-toolkit/

That's the news, folks. Stay safe out there.

Application Security Weekly for August 18

by Bill Sempf 18. August 2019 18:54

Apache called out for reporting incorrect versions in Struts vulnerabilities.

https://www.infosecurity-magazine.com/news/apache-struts-incorrect-security/

A new breach at First American Financial, a mortgage company, might have exposed nearly a billion records.

https://krebsonsecurity.com/2019/08/sec-investigating-data-leak-at-first-american-financial-corp/

FireEye is using machine learning to grade the severity of vulnerabilities.

https://www.fireeye.com/blog/threat-research/2019/08/automated-prioritization-of-software-vulnerabilities.html

Netflix and Google discovered a set of DDoS vulnerabilities in HTTP/2.

https://www.theregister.co.uk/2019/08/14/http2_flaw_server/

Looks like Paige took a lot more than Capital One's stuff.

https://www.theregister.co.uk/2019/08/14/capitalone_hacker_court/

That's the news!

Application Security Weekly for August 11

by Bill Sempf 11. August 2019 12:01

A researcher found out that you can discover if a user is in incognito mode in Chrome using a timing attack.

https://blog.jse.li/posts/chrome-76-incognito-filesystem-timing/

That Microsoft RDP attack we talked about earlier? Yeah, it works in Azure.

https://thehackernews.com/2019/08/reverse-rdp-windows-hyper-v.html?m=1

In unrelated news, Microsoft has launched Azure Security Lab, a safe space to do appsec testing.

https://msrc-blog.microsoft.com/2019/08/05/azure-security-lab-a-new-space-for-azure-research-and-collaboration/

A cool bug was discovered in the Electron Framework.

https://www.contextis.com/en/blog/basic-electron-framework-exploitation

Frequent readers know that I am no fan of Apple's closed garden when it comes to app testing. Well, it might be opening a little. They have enhanced their bug bounty and, more importantly, are going to offer quasi-jailbroken phones to researchers. I'll be in line for that.

https://www.theverge.com/2019/8/8/20756629/apple-iphone-security-research-device-program-vulnerabilities

That's the news!

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
