Application Security This Week for September 27

by Bill Sempf 27. September 2020 07:06

A list of Capture The Flags that are on now or forever!

https://captf.com/practice-ctf/

The source code to XP was leaked.  This isn't a surprise, extended support gives folks access to it.  It was bound to get out.

https://thehackernews.com/2020/09/windows-xp-source-code.html

What's funny is the comments though:

https://pastebin.com/PTLeWhc2

The EFF is reporting on the very real problem of student contact tracing apps violating privacy considerations.  Balance has to be found.

https://www.eff.org/deeplinks/2020/09/students-are-pushing-back-against-proctoring-surveillance-apps

That's the news, folks.  Stay safe.

Application Security This Week for September 20

by Bill Sempf 20. September 2020 13:38

Microsoft open sourced their fuzzing framework

https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/

Not new, but certainly worth a read - how HTTPS works

https://howhttps.works/

Ming Chow, a buddy of mine, did a fantastic online course on packet analysis that includes a nod to your humble author (around minute 58).

https://www.youtube.com/watch?v=Lj2DaFLRQVI&feature=youtu.be

Stay safe out there.

Application Security This Week for September 13

by Bill Sempf 13. September 2020 13:46

Or Maypril 319, but who is counting.

Here's an OLD Visual Studio project that gets AES keys from running applications.  Seems to still work!

https://github.com/mmozeiko/aes-finder

Another writeup on my current favorite bug, HTTP Request Smuggling.

https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c

Via Matt Groves, this tool tests Couchbase databases for injection.  Pretty slick.

https://github.com/FSecureLABS/N1QLMap

Neat article on using Fuzzilli to fuzz JavaScript engines using an intermediate language.

https://blog.doyensec.com/2020/09/09/fuzzilli-jerryscript.html

Cool breakdown on using Mobile Device Management to get RCE on devices.

https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html?m=1

That's the news, folks.  Stay safe.

Application Security This Week for September 6

by Bill Sempf 6. September 2020 12:08

Cool 10,000 foot overview of web application vulnerability assessment.  Clearly written and concise.

https://www.codementor.io/@seanhiggins550/the-ins-and-outs-of-penetration-testing-for-web-apps-19jhhqsexo

A really well thought through attack on HTML sanitizers.

https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/
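The class of bypass that article covers starts from prototype pollution: an unsafe deep merge of attacker-controlled JSON writes keys onto `Object.prototype`, and a sanitizer that later reads its options with a plain property lookup sees those injected values. What follows is an added example, not code from the article, Securitum, or any sanitizer project: a merge helper of the vulnerable shape beside a hardened one, plus an option reader that copies into a null-prototype object. All names (`unsafeMerge`, `safeMerge`, `readOptions`, `BLOCKED_KEYS`) and the JSON payload are illustrative and constructed here.

```javascript
// Added example (not from the linked article or any sanitizer library).
// Shows the prototype-pollution pattern behind sanitizer bypasses and a
// hardened merge that closes it. Names are illustrative.

// Vulnerable shape: recurses into target[key] whenever it is an object.
// For the own key "__proto__", target["__proto__"] is Object.prototype,
// so the recursion writes the payload's keys onto every object.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that must never be merged from untrusted input.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: only own keys, blocked names skipped, and recursion only
// into objects that are the target's OWN properties (never inherited ones).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Sanitizer-style option reader: copies user options into an object with
// no prototype chain, so a polluted Object.prototype cannot supply a
// value such as opts.allowUnknownTags that the caller never set.
function readOptions(userOpts) {
  const opts = Object.create(null);
  for (const key of Object.keys(userOpts || {})) {
    if (!BLOCKED_KEYS.has(key)) opts[key] = userOpts[key];
  }
  return opts;
}

// Constructed payload: JSON.parse makes "__proto__" an OWN data property,
// which is what reaches the merge in a real request body.
const PAYLOAD = '{"__proto__": {"polluted": true}, "title": "ok"}';

// Runs the vulnerable merge, records whether an unrelated object now
// inherits the injected key, then removes the global damage.
function demoUnsafe() {
  unsafeMerge({}, JSON.parse(PAYLOAD));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked; // true: pollution reached Object.prototype
}

// Same payload through the hardened merge: normal keys survive,
// nothing reaches the prototype.
function demoSafe() {
  const merged = safeMerge({}, JSON.parse(PAYLOAD));
  return { leaked: ({}).polluted === true, title: merged.title };
}

// Even if pollution happened elsewhere, a null-prototype option object
// does not pick it up.
function demoOptions() {
  Object.prototype.allowUnknownTags = true;   // simulate prior pollution
  const naive = {};                            // plain object sees it
  const hardened = readOptions({ stripComments: true });
  const result = { naive: naive.allowUnknownTags === true,
                   hardened: hardened.allowUnknownTags === true,
                   kept: hardened.stripComments === true };
  delete Object.prototype.allowUnknownTags;
  return result;
}

console.log(demoUnsafe(), demoSafe(), demoOptions());
```

The two defensive measures are independent: blocking the three key names stops the merge from being the pollution vector, and reading configuration through a null-prototype copy means that even a library polluted by some other code path does not inherit attacker-chosen options.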

El Reg has a good article on spear-phishing developers to get access to back-end tools.  This is why the vulnerability analysts tell you to decommission old test systems.

https://www.theregister.com/2020/09/04/disclosure_developer_targeting/

Nice intro to blind SQL injection.

http://www.mannulinux.org/2020/09/sql-injection-filter-bypass-to-perform.html?m=1

That's the news, folks.  Have a good Labor Day!

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.