More and more of my effort in reviewing the latest write-ups and methodology involves filtering out LLM-generated content polluting the ecosystem. Not great!

No, Not Like That
Bugcrowd leverages AI to automate triage. Bugcrowd gig workers and AI startups submit AI bugs to the AI triage. The latter is not going well for Bugcrowd.

Meanwhile, the Canadian province of Alberta is spending $40M on software upgrades to reduce cybersecurity incidents, insisting that "AI may reduce implementation timelines by up to 90 per cent."

In other LLM news, Claude will automatically resort to hacking web apps. Side note: the Truffle folks linked a now non-existent PortSwigger SQL Injection tracking page (the Daily Swig was ended in 2023). More web security history turning to dust.

Was the Data Worth It?
Another analytics/marketing platform was hijacked to serve malicious JavaScript. There are, in theory, more secure ways to enable embedded analytics, but developers seem to have no interest in rearchitecting applications to sandbox these services, so these events will probably continue to occur.

Salesforce Again
Salesforce is in the news again for a Telus Digital breach. The breach appears to be connected to the compromise of Salesloft Drift OAuth tokens (for Salesforce integrations) via GitHub, highlighting the risk once again of trusting third parties that do not take security seriously.

No Tools Required
Some of my favourite vulnerabilities are those that can be identified from just clicking around a UI and seeing what happens. Here is one demonstrating the power of the browser’s back button. More details here, though they fail to investigate the technical mechanism (presumably assignment of an over-privileged cookie).

Salesforce Experience Cloud Security Testing
Mandiant released some new tooling for SF Experience Cloud and Aura framework testing. The write-up itself is one of the better introductions into the ecosystem. Despite personally never encountering a secure SF environment, tooling and methodology documentation for security testing has been quite limited to date. I’ve been thinking about putting together a video series for testing SF.

If you do test a SF target, keep in mind that they have specific rules of engagement.

Please Just One More Secret Scanning Tool
The first effort in advancing new scholarship in academia involves evaluating the existing landscape of your field (literature review) and finding a gap for future work. The first effort in building a new cybersecurity tools is coming up with a catchy name. No lit review required.

This past month, we have seen the release of two newly public open-source secret scanning tools:

To be fair, these do seem like thoughtfully designed tools, but do we need more distinct tools in this category? There are so many scanning tools now that there is even a benchmark for tool comparison. Oh wait, there are actually multiple existing benchmarks and even a dataset of false positive results from various tools (it is out-of-date). Regardless, none of the tool builders appear to adhere to an overlapping set of benchmarks or evaluation criteria.

So, which tools should you use in your testing workflow? All of them, I guess.

Sanitizer API
The Sanitizer API is now supported in Chrome and Firefox to mitigate XSS. Here is a simple example that uses setHTML (if present):

The API can also be used to make custom sanitizer:

See this discussion for the challenges and relationship between the Sanitizer API and Trusted Types.

Respond to this email to reach me directly.

Connect with me on LinkedIn.

Follow my YouTube.