Application Security This Week for February 23

Portswigger (the company that makes Burp Suite) is out with their Top 10 web application hacking techniques.

https://portswigger.net/research/top-10-web-hacking-techniques-of-2019

 

Solid evidence that APIs are becoming the main target for credential stuffing attacks.

https://www.csoonline.com/article/3527858/apis-are-becoming-a-major-target-for-credential-stuffing-attacks.html

 

Another decent writeup for template injection.  Attacks like this are becoming SO much more common in SPAs.

http://ghostlulz.com/angularjs-client-side-template-injection-xss/

 

That's the news, people.  Stay safe out  there.

Application Security This Week for February 16

From the Absolute AppSec Podcast - learned about a really great article on how Account Enumeration is exploited.  I get pushback when I put it on reports, but it's a real vulnerability.

https://sidechannel.tempestsi.com/once-upon-a-time-there-was-an-account-enumeration-4cf8ca7cd6c1

 

Chrome is going to start blocking mixed content downloads, which are HTTPS pages that have links to HTTP files.  Search your codebase for HTTP!

https://blog.chromium.org/2020/02/protecting-users-from-insecure.html?m=1

 

America isn't the only country leaving their data exposed.

https://www.zdnet.com/article/netanyahus-party-exposes-data-on-over-6-4-million-israelis/

 

Exposing secrets in source code is a real thing.  I discovered a very cool tool that helps (if you are working in VS Code, which you should be) called Cloak.

https://johnpapa.net/hide-your-secrets-in-vs-code-with-cloak/

 

Finally, I have mixed feelings about this one.  Firefox will stop supporting TLS 1.0 and 1.1 soon and other browsers will surely follow.  I get it, there are flaws in those protocols, but they are better than nothing.  This feels a lot like gatekeeping to me (older machines run older browsers), and regular readers know that I am not saying that out of political correctness. Lemme know what you think in the comments.

https://www.theregister.co.uk/2020/02/10/tls_10_11_firefox_complete_eradication/

 

That's the news, folks.  Stay safe.

Application Security This Week for February 2nd

Simon Bennetts reminds me that OWASP ZAP also has a shiny new web presence, and an upgraded executable to go with it.

https://twitter.com/psiinon/status/1221482927768395778

https://www.zaproxy.org/docs/desktop/releases/2.9.0/

 

Good research on abusing Windows DLL configuration

https://www.fireeye.com/blog/threat-research/2020/01/abusing-dll-misconfigurations.html

 

More Azure problems - good old fashioned buffer overflow in the Stack.

https://thehackernews.com/2020/01/microsoft-azure-vulnerabilities.html?m=1

 

That's the news.  Stay safe out there.

Application Security This Week for January 26

You know that open S3 buckets are one of my pet peeves - well guess what.  Azure isn't any better.

https://www.zdnet.com/article/microsoft-discloses-security-breach-of-customer-support-database/

 

OWASP has launched their new web page based on GitHub. Controversial decision.  Starting to take shape, though.

https://owasp.org/

https://owasp.org/website/2020/01/15/website-migration-journey.html

 

Credential stuffing is rapidly becoming the appsec story of 2020. Check your users' passwords against the most common passwords list.

https://www.wired.com/story/disney-plus-hacks-credential-stuffing/

https://github.com/filtration/pullit

https://haveibeenpwned.com/Passwords

 

That's the news, folks.

Application Security This Week for January 19

Good Twitter thread on JavaScript based redirection and Cross-site Scripting.

https://twitter.com/hakluke/status/1216524131421655041

 

I use Burp Suite for a lot of my testing (though I do love ZAP as well).  Here is their roadmap for the next year or so.

https://portswigger.net/blog/burp-suite-roadmap-for-2020

 

You have probably heard that Microsoft's CryptoAPI has a bug.  The US Government has a good writeup.

https://www.us-cert.gov/ncas/alerts/aa20-014a

 

Speaking of governments, the UK cybercommand has a really creat article on security antipatterns.

https://www.ncsc.gov.uk/whitepaper/security-architecture-anti-patterns

 

And finally: SHA-1 is now proveably broken.  Time to move on from it as a session identifier.

https://eprint.iacr.org/2020/014.pdf

 

That's the news, folks.

Application Security This Week for January 12

Post-CodeMash edition!

 

The Government of Gibraltar had a SQL Injection vulnerability in the site that hosts their laws.  That wouldn't end well.

https://www.theregister.co.uk/2020/01/07/gibraltar_sql_vuln_allowed_law_editing/

 

There is an actual practical attack against SHA-1 that has been POCd.  If you are still using SHA-1 for session tokens, might want to consider something else.

https://www.schneier.com/blog/archives/2020/01/new_sha-1_attac.html

 

Half of WASM code is used to write malware.  I'm not completely sure, but I think I called this one.

https://www.zdnet.com/google-amp/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes/

 

Huge big ginormous remote code execution flaw in Citrix.  TrustedSec has a good writeup.

https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/

 

That's the news, folks.  Stay safe.

Application Security This Week for January 5

Pre-CodeMash Edition!

 

Adam Caudill is a personal friend of mine and has forgotten more about application security than I will learn. He manages a cool web scanner called YAWAST, which is awesome. There is news about future plans.

https://adamcaudill.com/2020/01/05/yawast-news-mission/

 

Good writeup on iOS application injection.

https://arjunbrar.com/post/ios-application-injection

 

OWASP Juice Shop has been added to the Open Reference Architecture for Security.

https://security-and-privacy-reference-architecture.readthedocs.io/en/latest/securitycourses.html#owasp-juice-shop

 

SANS Holiday Hack CTF is up.  I forgot about it earlier.

https://isc.sans.edu/diary/rss/25672

 

News from CodeMash next issue!

Application Security This Week for December 8

My favorite thing this week: SwiftOnSecurity accidentally dropped a Confluence 0-day on Twitter.  Oopsie.

https://www.theregister.co.uk/2019/12/05/atlassian_zero_day_bug/

 

An Android spoofing vulnerability is already being exploited by bank thieves.  Hard to write secure apps when the platform doesn't help.

https://arstechnica.com/information-technology/2019/12/vulnerability-in-fully-patched-android-phones-under-active-attack-by-bank-thieves/

 

On that topic, here's a cool primer on Android reverse engineering.

https://maddiestone.github.io/AndroidAppRE/

 

TruffleHog is a new (and still a little rough) script to sniff out secrets from GitHub repos.

https://www.darknet.org.uk/2019/12/trufflehog-search-git-for-high-entropy-strings-with-commit-history/

 

AWS built a took to yell at you if you have open S3 buckets.

https://www.theregister.co.uk/2019/12/03/aws_s3_buckets/

 

That's the news, folks.  Stay safe out there.

Application Security This Week for November 17

Great breakdown on finding bugs in an OAUTH flow

https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html

 

Only arguably appsec, but there is an artificial intelligence story writer that was determines to be too powerful to release into the wild, and it has been released into the wild

https://nakedsecurity.sophos.com/2019/11/11/ai-wordsmith-too-dangerous-to-be-released-has-been-released/

 

Remember when WordPress malware was all the rage?  Well, not it is Slack Themes

https://fletchto99.dev/2019/november/slack-vulnerability/

 

I am a web guy, not an OS guy, so I learned a ton from this rootkit primer

https://capsule8.com/blog/dont-get-kicked-out-a-tale-of-rootkits-and-other-backdoors/

 

That's the news, folks.

Application Security This Week for November 3

Lawfare has a good article  by Jim Baker (former legal council for the FBI) on a new way to think about encryption.  You'll agree with some, disagree with some, but it will make you think.

https://www.lawfareblog.com/rethinking-encryption

 

From the Standard Vulnerability List: "When a session ends, first select the session ID from the client, then delete the session information from the server, then finally return the user to the login page." Session management matters, people.

https://arstechnica.com/information-technology/2019/10/five-months-after-returning-rental-car-man-still-has-remote-control/

 

Google is doing its "we are the Web so we will decide how it works" thing again, and threatening to enable samesite by default in Chrome. Here's some analysis of that.

https://www.jardinesoftware.net/2019/10/28/samesite-by-default-in-2020/

 

Speaking of Chrome nad running the web, here's El Reg's take on DNS over HTTPS:

https://www.theregister.co.uk/2019/10/29/chrome_dns_https/

 

Oh, and still speaking of Google and glass houses and stone throwing, there's an 0-day in Chrome.

https://www.bleepingcomputer.com/news/security/chrome-zero-day-bug-with-exploit-in-the-wild-gets-a-patch/

 

You know that stupid goose game your kid is playing? There is an insecure deserialization flaw in it.

https://pulsesecurity.co.nz/advisories/untitled-goose-game-deserialization

 

And finally, a good talk out of BSides Belfast about supply-chain attacks.  Code review your open source libraries, folks!

https://www.infosecurity-magazine.com/news/bsidesbelfast-supply-chain/

 

Busy week! But that's the news.

 

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList