Portswigger (the company that makes Burp Suite) is out with their Top 10 web application hacking techniques.

https://portswigger.net/research/top-10-web-hacking-techniques-of-2019

Solid evidence that APIs are becoming the main target for credential stuffing attacks.

https://www.csoonline.com/article/3527858/apis-are-becoming-a-major-target-for-credential-stuffing-attacks.html

Another decent writeup for template injection.  Attacks like this are becoming SO much more common in SPAs.

http://ghostlulz.com/angularjs-client-side-template-injection-xss/

That's the news, people.  Stay safe out  there.

From the Absolute AppSec Podcast - learned about a really great article on how Account Enumeration is exploited.  I get pushback when I put it on reports, but it's a real vulnerability.

https://sidechannel.tempestsi.com/once-upon-a-time-there-was-an-account-enumeration-4cf8ca7cd6c1

Chrome is going to start blocking mixed content downloads, which are HTTPS pages that have links to HTTP files.  Search your codebase for HTTP!

https://blog.chromium.org/2020/02/protecting-users-from-insecure.html?m=1

America isn't the only country leaving their data exposed.

https://www.zdnet.com/article/netanyahus-party-exposes-data-on-over-6-4-million-israelis/

Exposing secrets in source code is a real thing.  I discovered a very cool tool that helps (if you are working in VS Code, which you should be) called Cloak.

https://johnpapa.net/hide-your-secrets-in-vs-code-with-cloak/

Finally, I have mixed feelings about this one.  Firefox will stop supporting TLS 1.0 and 1.1 soon and other browsers will surely follow.  I get it, there are flaws in those protocols, but they are better than nothing.  This feels a lot like gatekeeping to me (older machines run older browsers), and regular readers know that I am not saying that out of political correctness. Lemme know what you think in the comments.

https://www.theregister.co.uk/2020/02/10/tls_10_11_firefox_complete_eradication/

That's the news, folks.  Stay safe.

Simon Bennetts reminds me that OWASP ZAP also has a shiny new web presence, and an upgraded executable to go with it.

https://twitter.com/psiinon/status/1221482927768395778

https://www.zaproxy.org/docs/desktop/releases/2.9.0/

Good research on abusing Windows DLL configuration

https://www.fireeye.com/blog/threat-research/2020/01/abusing-dll-misconfigurations.html

More Azure problems - good old fashioned buffer overflow in the Stack.

https://thehackernews.com/2020/01/microsoft-azure-vulnerabilities.html?m=1

That's the news.  Stay safe out there.

You know that open S3 buckets are one of my pet peeves - well guess what.  Azure isn't any better.

https://www.zdnet.com/article/microsoft-discloses-security-breach-of-customer-support-database/

OWASP has launched their new web page based on GitHub. Controversial decision.  Starting to take shape, though.

https://owasp.org/

https://owasp.org/website/2020/01/15/website-migration-journey.html

Credential stuffing is rapidly becoming the appsec story of 2020. Check your users' passwords against the most common passwords list.

https://www.wired.com/story/disney-plus-hacks-credential-stuffing/

https://github.com/filtration/pullit

https://haveibeenpwned.com/Passwords

That's the news, folks.

Good Twitter thread on JavaScript based redirection and Cross-site Scripting.

https://twitter.com/hakluke/status/1216524131421655041

I use Burp Suite for a lot of my testing (though I do love ZAP as well).  Here is their roadmap for the next year or so.

https://portswigger.net/blog/burp-suite-roadmap-for-2020

You have probably heard that Microsoft's CryptoAPI has a bug.  The US Government has a good writeup.

https://www.us-cert.gov/ncas/alerts/aa20-014a

Speaking of governments, the UK cybercommand has a really creat article on security antipatterns.

https://www.ncsc.gov.uk/whitepaper/security-architecture-anti-patterns

And finally: SHA-1 is now proveably broken.  Time to move on from it as a session identifier.

https://eprint.iacr.org/2020/014.pdf

That's the news, folks.

Post-CodeMash edition!

The Government of Gibraltar had a SQL Injection vulnerability in the site that hosts their laws.  That wouldn't end well.

https://www.theregister.co.uk/2020/01/07/gibraltar_sql_vuln_allowed_law_editing/

There is an actual practical attack against SHA-1 that has been POCd.  If you are still using SHA-1 for session tokens, might want to consider something else.

https://www.schneier.com/blog/archives/2020/01/new_sha-1_attac.html

Half of WASM code is used to write malware.  I'm not completely sure, but I think I called this one.

https://www.zdnet.com/google-amp/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes/

Huge big ginormous remote code execution flaw in Citrix.  TrustedSec has a good writeup.

https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/

That's the news, folks.  Stay safe.

Pre-CodeMash Edition!

Adam Caudill is a personal friend of mine and has forgotten more about application security than I will learn. He manages a cool web scanner called YAWAST, which is awesome. There is news about future plans.

https://adamcaudill.com/2020/01/05/yawast-news-mission/

Good writeup on iOS application injection.

https://arjunbrar.com/post/ios-application-injection

OWASP Juice Shop has been added to the Open Reference Architecture for Security.

https://security-and-privacy-reference-architecture.readthedocs.io/en/latest/securitycourses.html#owasp-juice-shop

SANS Holiday Hack CTF is up.  I forgot about it earlier.

https://isc.sans.edu/diary/rss/25672

News from CodeMash next issue!

My favorite thing this week: SwiftOnSecurity accidentally dropped a Confluence 0-day on Twitter.  Oopsie.

https://www.theregister.co.uk/2019/12/05/atlassian_zero_day_bug/

An Android spoofing vulnerability is already being exploited by bank thieves.  Hard to write secure apps when the platform doesn't help.

https://arstechnica.com/information-technology/2019/12/vulnerability-in-fully-patched-android-phones-under-active-attack-by-bank-thieves/

On that topic, here's a cool primer on Android reverse engineering.

https://maddiestone.github.io/AndroidAppRE/

TruffleHog is a new (and still a little rough) script to sniff out secrets from GitHub repos.

https://www.darknet.org.uk/2019/12/trufflehog-search-git-for-high-entropy-strings-with-commit-history/

AWS built a took to yell at you if you have open S3 buckets.

https://www.theregister.co.uk/2019/12/03/aws_s3_buckets/

That's the news, folks.  Stay safe out there.

Great breakdown on finding bugs in an OAUTH flow

https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html

Only arguably appsec, but there is an artificial intelligence story writer that was determines to be too powerful to release into the wild, and it has been released into the wild

https://nakedsecurity.sophos.com/2019/11/11/ai-wordsmith-too-dangerous-to-be-released-has-been-released/

Remember when WordPress malware was all the rage?  Well, not it is Slack Themes

https://fletchto99.dev/2019/november/slack-vulnerability/

I am a web guy, not an OS guy, so I learned a ton from this rootkit primer

https://capsule8.com/blog/dont-get-kicked-out-a-tale-of-rootkits-and-other-backdoors/

That's the news, folks.

Lawfare has a good article  by Jim Baker (former legal council for the FBI) on a new way to think about encryption.  You'll agree with some, disagree with some, but it will make you think.

https://www.lawfareblog.com/rethinking-encryption

From the Standard Vulnerability List: "When a session ends, first select the session ID from the client, then delete the session information from the server, then finally return the user to the login page." Session management matters, people.

https://arstechnica.com/information-technology/2019/10/five-months-after-returning-rental-car-man-still-has-remote-control/

Google is doing its "we are the Web so we will decide how it works" thing again, and threatening to enable samesite by default in Chrome. Here's some analysis of that.

https://www.jardinesoftware.net/2019/10/28/samesite-by-default-in-2020/

Speaking of Chrome nad running the web, here's El Reg's take on DNS over HTTPS:

https://www.theregister.co.uk/2019/10/29/chrome_dns_https/

Oh, and still speaking of Google and glass houses and stone throwing, there's an 0-day in Chrome.

https://www.bleepingcomputer.com/news/security/chrome-zero-day-bug-with-exploit-in-the-wild-gets-a-patch/

You know that stupid goose game your kid is playing? There is an insecure deserialization flaw in it.

https://pulsesecurity.co.nz/advisories/untitled-goose-game-deserialization

And finally, a good talk out of BSides Belfast about supply-chain attacks.  Code review your open source libraries, folks!

https://www.infosecurity-magazine.com/news/bsidesbelfast-supply-chain/

Busy week! But that's the news.