Application Security This Week for June 30

by Bill Sempf 30. June 2019 09:46

Fascinating look into Internet routing that caused an outage last week.  We are really building this city on a bed of sticks.


Not my normal fare for this newsletter, but Microsoft added a secure vault to OneDrive.  Not in the US yet, but my Australian friends can give it a try.


There is a directory traversal vulnerability in ... this blog!  Please don't hack me.  I'll update later today.
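For anyone patching the same class of bug in their own file-serving code, here is an added example (mine, not code from this blog's engine) of the check that stops traversal: decode the request, join it to a fixed document root, normalise it, and refuse anything that no longer sits under that root. The root path is an assumption for the example; it normalises lexically so it runs without the files existing, and a real handler should additionally call `resolve()` so symlinks cannot point outside the root.

```python
"""Reject path traversal before the filesystem is touched.

Added example, not the blog's own code. WEB_ROOT is an assumed document root.
"""
import posixpath
from pathlib import PurePosixPath
from urllib.parse import unquote

WEB_ROOT = PurePosixPath("/srv/blog/static")  # assumption: where static files live


class TraversalError(ValueError):
    """Raised when a requested path would land outside the document root."""


def safe_path(requested: str, root: PurePosixPath = WEB_ROOT) -> PurePosixPath:
    """Map a request path onto a file under root, or raise TraversalError.

    Percent-decoding happens first so '%2e%2e%2f' cannot hide a '..'. The
    leading slash is stripped so the request is never treated as absolute,
    backslashes are folded to '/', and the joined path is normalised with
    posixpath.normpath, which collapses '.', '..' and repeated separators.
    relative_to() compares path components, so '/srv/blog/staticX' is not
    mistaken for something under '/srv/blog/static'.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise TraversalError("NUL byte in requested path")
    relative = decoded.replace("\\", "/").lstrip("/")
    normalised = PurePosixPath(posixpath.normpath(str(root / relative)))
    try:
        normalised.relative_to(root)
    except ValueError:
        raise TraversalError(f"{requested!r} escapes {root}") from None
    return normalised


def is_safe(requested: str, root: PurePosixPath = WEB_ROOT) -> bool:
    """Convenience wrapper: True if the request stays under root."""
    try:
        safe_path(requested, root)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample requests: two legitimate, three traversal attempts.
    for req in ("css/site.css", "/img/../img/logo.png",
                "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd", "a/../../b"):
        print(f"{req!r:32} -> {'ok' if is_safe(req) else 'rejected'}")
```

The important ordering is decode, then join, then normalise, then compare; checking for the literal string `..` before decoding is the mistake that usually lets the encoded form through.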


MongoDB is adding field level encryption.  Now if folks would just use the authentication features ...


Found a VERY cool tool that lists known vulnerabilities in default containers.


A weird edge case forces the npm deployment script to push the .git folder.  Remember, complexity is the enemy of security.


And that's the news folks.



Application Security This Week for June 23

by Bill Sempf 23. June 2019 14:03

Google has decided that the API that underpins the Chrome extension kit is too powerful - and they aren't wrong.  But the changes appear to be killing adblockers.  Strange, that.


No, you aren't reading an old edition of this newsletter.  There really is another Oracle WebLogic deserialization bug.


Good writeup on the current state of two-factor authentication.


That's the news, folks.



Application Security This Week for June 16

by Bill Sempf 16. June 2019 19:34

Happy Father's Day!


Great writeup by Rapid7 about security-focused HTTP headers.
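If you want to check your own site against that kind of advice, here is an added example (mine, not from the Rapid7 writeup) that audits a set of response headers against a common baseline: HSTS with at least a one-year max-age, a Content-Security-Policy that does not allow inline scripts, some clickjacking protection, `nosniff`, and a Referrer-Policy. The thresholds and the recommended values are widely used defaults, not something the post states, and the sample weak response is constructed for the example.

```python
"""Audit HTTP response headers against a security baseline.

Added example, not code from the linked writeup. The baseline values below
are common recommendations chosen for this example.
"""
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the usual minimum HSTS max-age

# A starting point a site can copy (assumed values, tighten CSP for your app).
RECOMMENDED_HEADERS = {
    "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Constructed sample of a response that only half-heartedly sets headers.
SAMPLE_WEAK = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
}


def _hsts_max_age(value: str) -> int:
    """Pull max-age out of an HSTS header; -1 if absent or unparsable."""
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(raw.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def _csp_directives(policy: str) -> Dict[str, str]:
    """Split a CSP string into {directive: source-list}."""
    directives: Dict[str, str] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = " ".join(tokens[1:])
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response; an empty list means the baseline is met."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif _hsts_max_age(hsts) < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age is below one year")

    csp = h.get("content-security-policy")
    directives = _csp_directives(csp) if csp else {}
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        # script-src falls back to default-src; frame-ancestors does not.
        script_src = directives.get("script-src", directives.get("default-src", ""))
        if "'unsafe-inline'" in script_src:
            findings.append("Content-Security-Policy allows 'unsafe-inline' scripts")
    if "x-frame-options" not in h and "frame-ancestors" not in directives:
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("recommended", RECOMMENDED_HEADERS), ("weak sample", SAMPLE_WEAK)):
        print(label, "->", audit_headers(hdrs) or "ok")
```

Feed it the header dict from `requests` or `urllib` for a real response; the header names come back in whatever case the server used, which is why the audit lowercases them first.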


Phishing kit used by the bad guys has a gaping insecure file upload bug.


"But it's inside the firewall!" Here are 18 cases of insider attacks in the banking industry.


And, a little security-related humor to lighten your week.


And that's the news.




Application Security This Week for June 2

by Bill Sempf 2. June 2019 10:09

Accidentally Took Memorial Day Weekend Off Edition


New tool: FinalRecon - OSINT Tool For All-In-One Web Reconnaissance


Permanent URL Hijack Through 301 HTTP Redirect Cache Poisoning


Didier Stevens, one of my favorite researchers, mentioned that one of his readers has made a docker container with all of his tools.


There is a POC for CVE-2019-0708. It is certainly worth a look.


Speaking of Docker, there is a bug that allows a hypervisor jump.


Finally, the always-wonderful folks at Portswigger have a cool analysis of Behavioral Fuzzing.


And that's the news! Have a great week.


Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
