Application Security This Week for March 28

by Bill Sempf 28. March 2021 12:53

Guess who forgot to do a newsletter last week?


Cool file upload attack to get access to SSH unauthenticated.


Neat tool to MITM an iOS device. The code is worth a look.


There is a new release of a (new to me) tool to test SAML implementations.


More cool HTTP2 vulnerabilities exploited.


TLS 1.0 and 1.1 are formally deprecated. These become High findings on reports now.


Retire.js, one of my favorite tools, has been updated.


And finally, spend your Sunday patching OpenSSL.


Have a secure week, everyone.


Application Security This Week for March 14

by Bill Sempf 14. March 2021 12:32

Happy pi day!


Missive on the insecurity of C as a programming language.


Regex is easily exploitable for denial of service attacks.


It might be too late to register, but Veracode is holding a Capture The Flag competition for students.


Have a secure week.


Application Security This Week for March 7

by Bill Sempf 7. March 2021 16:58

This is a pop culture article about why mobile applications can be insecure (from Wired), but it is well written. It might be behind a paywall for some of you; if so, I'm sorry.


Good writeup on the Apache Velocity vulnerability.


Look, more supply chain problems! Yay! 3,500 PyPI packages corrupted, and a tool to discover them.


And finally, a series that begins with DLL Search Order Hijacking, something similar to what I have added to this newsletter before. Worth keeping an eye on.

