Application Security This Week for July 28

by Bill Sempf 28. July 2019 13:25

It's 1994 again! Encryption is on the table for law enforcement. Be ready for entry in the back door soon.

If you want to read about the LAST time we tried this, I recommend Matt Curtin's book Brute Force.


Very good analysis of the XML eXternal Entity (XXE) attack.


Gitlab's Global Developer Report has some interesting security insights.


If you write mobile apps, and your vulnerability assessment mentions "a third party malicious app could exploit this", pay attention to it. It's really happening in the wild.


That's the news!



Application Security This Week for July 21

by Bill Sempf 21. July 2019 19:11

Awesome paper presented in France covering XXE - really good research.  Worth a read.


Those who have taken my training know how I talk about protecting the soft meaty middle - well, Slack is proving that user accounts are the gift that keeps on giving.  They reset passwords - from a breach 4 years ago.


Really neat tool for hooking executables in Windows.  I tried it, it's super neat.


Here's an I-wish-it-was-an-OWASP-project example.  Tons of research on Command injection.


That's the news folks.  Stay safe out there.


Application Security This Week for July 14

by Bill Sempf 14. July 2019 10:35

A wonderful human being put together a list of resources about hacking mainframe systems, worth a look if your organization is run on the big metal.


Apple had a not-good-very-bad week.  First, the OpenID Foundation dinged the Mac implementation of "Sign in with Apple".

Then it was discovered that all of the magic of Zoom's conference software is due to a web server installed on MacOS, which you can't remove!  (Heeeey!)


Rhino Security released a new version of CloudGoat, an insecure-by-design cloud deployment tool.


One of my favorite attacks against file uploads that take zip files is the zipbomb.  Well, someone made a really nice one.
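Since the post only names the attack, here is an added defensive check for an upload handler that accepts zip files (my example, not code from the post or any tool it links). It inspects the central directory before extracting anything, then caps the bytes actually produced during extraction, because the declared sizes come from the attacker; the limits are assumed values.

```python
import io
import zipfile

# Limits an upload handler might enforce (assumed values, not from the post).
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # 50 MiB across the whole archive
MAX_RATIO = 100.0                           # uncompressed bytes per compressed byte


def inspect_zip(data: bytes) -> dict:
    """Check an uploaded archive using only its central directory, without
    extracting anything. Returns the totals plus the reasons for rejection."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    total_out = sum(i.file_size for i in infos)   # declared sizes: attacker-controlled
    total_in = sum(i.compress_size for i in infos)
    ratio = total_out / total_in if total_in else float("inf")
    reasons = []
    if total_out > MAX_TOTAL_UNCOMPRESSED:
        reasons.append("declared uncompressed size exceeds limit")
    if total_out and ratio > MAX_RATIO:
        reasons.append("compression ratio exceeds limit")
    if any(i.filename.lower().endswith(".zip") for i in infos):
        reasons.append("nested archives not allowed")   # recursive (zip-in-zip) bombs
    return {"entries": len(infos), "uncompressed": total_out,
            "compressed": total_in, "ratio": ratio, "reasons": reasons}


def is_safe_zip(data: bytes) -> bool:
    return not inspect_zip(data)["reasons"]


def read_entry_bounded(data: bytes, name: str, budget: int) -> bytes:
    """Extract one entry in chunks and stop as soon as the output exceeds the
    budget: the declared size cannot be trusted, so count what actually comes out."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while chunk := fh.read(64 * 1024):
            if out.tell() + len(chunk) > budget:
                raise ValueError(f"{name}: decompressed output exceeds budget")
            out.write(chunk)
    return out.getvalue()


def build_zip(entries) -> bytes:
    """Build an archive in memory (only used to construct the samples below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a normal upload and a highly compressible, bomb-like one.
NORMAL_ZIP = build_zip([("report.bin", bytes(range(256)) * 4)])
BOMB_ZIP = build_zip([("zeros.bin", b"\x00" * (8 * 1024 * 1024))])
```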


There is a flaw in the Android update system that allows attackers to modify updates on the fly.  Oh, and it is being exploited in the wild.


That's the news, folks.  Have a safe week!



Application Security This Week for July 7

by Bill Sempf 7. July 2019 14:47

Good article on using fuzzers as productivity tools.

Reminds me of a great talk by the remarkable Craig Stuntz, worth a read.


Firefox will automatically trust certificates trusted by your OS.

In other Firefox news, the UK is up in arms about Secure DNS breaking the Great British Pornwall.


Next time I ping your site for not using X-FRAME-OPTIONS on a DNS endpoint, well, HAH I TOLD YOU SO NAAA NAA NAA


And that's the news, folks.


Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

Find me on Mastodon
