SplashData has their 100 worst passwords out again this year. Remember: at the very least, block these passwords in your sign-in flow.
https://www.prweb.com/releases/bad_password_habits_die_hard_shows_splashdata_s_8th_annual_worst_passwords_list/prweb15987071.htm
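One way to act on that advice, as an added Python example that is not from the page or from SplashData: a denylist check, run at sign-up and on password change, that also catches the trivial variants people reach for ("Password1!", "p@ssw0rd"). The sample entries and the leet-speak map below are constructed for illustration; load the full published list from a file in practice.

```python
import re
import unicodedata

# Constructed sample denylist in the style of the SplashData list (illustrative only).
SAMPLE_DENYLIST = [
    "123456",
    "password",
    "123456789",
    "qwerty",
    "iloveyou",
    "admin",
    "welcome",
]

# Trailing digits/symbols that users bolt on to satisfy complexity rules.
_TRAILING_JUNK = re.compile(r"[\W\d_]+$")
# Assumed leet-speak substitutions; a heuristic, not an exhaustive map.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Canonical form for comparison: NFKC, lowercased, surrounding whitespace dropped."""
    return unicodedata.normalize("NFKC", password).strip().lower()


def variants(password: str):
    """Yield every form the denylist lookup should try, starting with the raw normalized value."""
    base = normalize(password)
    yield base
    # "Password1!" must fail a check that lists "password".
    stripped = _TRAILING_JUNK.sub("", base)
    if stripped and stripped != base:
        yield stripped
    # "p@ssw0rd" must fail for the same reason.
    for form in (base, stripped):
        leet = form.translate(_LEET)
        if leet != form:
            yield leet


def build_denylist(entries) -> frozenset:
    """Normalize the list once at startup so each lookup is a set membership test."""
    return frozenset(normalize(e) for e in entries if e.strip())


def is_denied(password: str, denylist: frozenset) -> bool:
    """True if the candidate, or a trivial variant of it, appears on the denylist."""
    return any(v in denylist for v in variants(password))
```

Length and breach-corpus checks are separate controls; this only answers "is it one of the known-bad passwords or a cosmetic tweak of one".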
Really good breakdown of finding hidden files and directories and using them for information gathering on web applications.
https://medium.com/@_bl4de/hidden-directories-and-files-as-a-source-of-sensitive-information-about-web-application-84e5c534e5ad
Microsoft has come out with Windows Sandbox - might be a good platform for analyzing malware, but the jury is still out.
https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849
Gah, bug in Ghostscript. Lots of vectors in the ImageMagick/PostScript space these days, watch yourselves.
https://www.rapid7.com/db/modules/exploit/multi/fileformat/ghostscript_failed_restore
And this is why I write up folks that have third-party-hosted JavaScript.
https://shkspr.mobi/blog/2018/11/major-sites-running-unauthenticated-javascript-on-their-payment-pages/
That's the news folks. Stay safe, and have a good holiday.
npm is a dumpster fire. Yet another malicious package discovered that was automagically brought into many projects through their dependencies. In other news, I learned about snyk, which is a pretty cool tool.
https://snyk.io/vuln/npm:eslint-scope
In dev news, the #1 development GUI of all time is being updated. Notepad!
https://www.theverge.com/platform/amp/2018/7/12/17563704/microsoft-windows-notepad-app-update
Apple wrote some code to appease the Chinese government and it was kind of a mess.
https://objective-see.com/blog/blog_0x34.html
Vuln-lab found a neat XSS vulnerability on an AT&T site's profile feature.
http://seclists.org/fulldisclosure/2018/Jul/44
Remember when I said "Spectre is not exploitable"? Yeah, I was wrong. Again, and again, and again...
https://arstechnica.com/gadgets/2018/07/new-spectre-like-attack-uses-speculative-execution-to-overflow-buffers/
New variation of my favorite Weblogic vuln - CVE-2017-10271.
https://techblog.mediaservice.net/2018/07/cve-2017-10271-oracle-weblogic-server-remote-command-execution-sleep-detection-payload/
I wrote the tests for this vulnerability for Nikto.
https://github.com/sempf/nikto/commit/530351343da18f684b57fbf7431717cf24f9eb4e#diff-05c4b2da09480ffee5450fdf8fa8faac
And that's the news.
Chinese cell phone manufacturer OnePlus (incidentally my daily carry) plans on including cryptocurrency mining, baked into their next release of Oxygen, in the OnePlus 6, sparking security concerns.
The IETF floated a new analog protocol for internet traffic in an attempt to get some more security in the system.
https://tools.ietf.org/html/rfc1149
I don't often talk biotech here, but Razer (the gaming hardware maker) is creating a nanobot infused energy drink for gamers. I am sure that will go well.
https://www.razer.com/campaigns/project-venom-v2
Finally some good news - plans to add a security parameter in response headers. Should be a good move toward better browser level decision making.
https://tools.ietf.org/html/rfc3514
And that's been your week in application security.