Here's an interesting article on some non-JavaScript Cross-Site Scripting vectors.

https://x-c3ll.github.io/posts/CSS-Injection-Primitives/

Timely history lesson about the gradual movement of web application from primarily server-side to primarily client-side:

https://medium.com/young-coder/an-illustrated-beginners-guide-to-server-side-and-client-side-code-723cbb1db9ea

This isn't as new of an idea as the authors would like us to believe, but it is a good PoC of the CDN-related cache poisoning attack:

https://thehackernews.com/2019/10/cdn-cache-poisoning-dos-attack.html?m=1

Public disclosure of some bugs in AutoDesk discovered by binary fuzzing. Good way to get a look into this kind of testing - look breakdowns of CVEs.

https://fuzzit.dev/2019/10/25/discovery-and-analysis-of-2-dos-vulnerabilities-in-autodesk-fbx-1-unpatched/

PHP has a vector for remote code execution (combined with other known flaws) to patch if you can! Worth a read for the process, as well.

https://thehackernews.com/2019/10/nginx-php-fpm-hacking.html

That's the news, folks.

Here is a good writeup on the overflow error found in libssh2

https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/

Speaking of bugs in old software, here's one in sudo.

https://www.openwall.com/lists/oss-security/2019/10/14/1

Using data analysis to further research into malware sources, with PDB paths. Pretty neat!

https://www.fireeye.com/blog/threat-research/2019/10/definitive-dossier-of-devilish-debug-details-part-deux.html

And in IoT security news, the Catholic church's eRosery (no I'm not kidding) has a number of significant flaws.

https://www.msn.com/en-us/news/technology/vatican-s-wearable-rosary-gets-fix-for-app-flaw-allowing-easy-hacks/ar-AAIZICz?ocid=ARWLCHR

https://www.theregister.co.uk/2019/10/18/vatican_erosary_insecure/

That's the news, folks!

Portswigger has some good research on a new angle for cross-site leak attacks:

https://portswigger.net/research/xs-leak-leaking-ids-using-focus

Serverless inftastructures are slipping through the cracks as far as security testing goes.  Here's a new tool for Amazon Lambda - hopefully it leads to more.

https://www.darknet.org.uk/2019/10/lambdaguard-aws-lambda-serverless-security-scanner/

Mozilla isolated an interesting RCE bug in iTerm2:

https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit/

Eric Lawrence (of Fiddler fame) has a good writeup on Chrome's new direction for cookies:

https://textslashplain.com/2019/09/30/same-site-cookies-by-default/

And that's the news.

This is a blog entirely dedicated to security analysis of mobine apps.  No idea who writes it but it is good.

https://theappanalyst.com/

Neat writeup on going from SQL Injection to Remote Code Execution.

https://medium.com/bugbountywriteup/sql-injection-to-lfi-to-rce-536bed29a862

I've been on a PHP project recently, and I learned about this cool tool to bypass disable_functions.

https://github.com/mm0r1/exploits/tree/master/php7-gc-bypass

Speaking of PHP, the statis code analysis tool I learned to use was Exakat.  Steep learning curve but unbelievable reports.  And open source!

https://github.com/exakat/exakat

That's the news, folks.