Are you afraid of signing up for this newsletter with your email address because you think I’m going to use it when signing on to public Wi-Fi services that end up spamming you with promotions? Fear not! Use the RSS feed.
General Application Security
Compliance Scheme Undermines Professional Pentesting
An apparent whistleblower leak of Delve documents has revealed the inner workings of their compliance-as-a-service. Allegedly, compliance reports are produced that falsely claim that penetration testing has been conducted. In cases where testing was conducted, it appears to have been an automated scan by pentest-tools.com.
AWS S3 Bucketsquatting Remedied
AWS has introduced protections for new buckets, in the form of a namespace, to mitigate bucketsquatting (an issue I only just learned of).
How Burp Collaborator Client Works
I was fiddling with a private Burp Collaborator instance (yes, interact.sh is a better alternative) and I realized there was no easy way to manage and persist interaction sessions (or more specifically, the capability to poll for generated subdomains). For more reasons than this, it really is a bad tool, but it’s a tool that we have right now, so I made an effort to determine how it works.
The closest documented effort I could find (notably with the same goal of persisting sessions) requires sending an insecure (HTTP) polling request to the Burp Collaborator server, capturing it (via tcpdump/Wireshark) and then using the captured “BIID” to continue polling. Besides having to send an unencrypted request with what is effectively a secret value, I found this approach unsatisfying because we have not removed our dependence on the Burp client.
Well, thanks to vibe reverse engineering, you can read how it works here.
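If you do go the captured-BIID route, the one thing worth fixing is the cleartext poll. Below is an added example of my own (not code from this newsletter, from PortSwigger, or from the write-up linked above) that takes a BIID you have already captured and polls the Collaborator server for interactions over HTTPS, without the Burp client in the loop. Two things in it are assumptions rather than anything this page documents: the polling endpoint `/burpresults?biid=<BIID>` and the JSON shape of the response (a top-level `responses` list whose entries carry `protocol`, `interactionString`, `client` and `time`). The sample response body is constructed for illustration.

```python
"""Poll a Burp Collaborator server with a captured BIID over HTTPS.

Added example. ASSUMPTIONS (from memory, not from this page): the poll
endpoint is /burpresults?biid=<BIID>, and the body is JSON of the form
{"responses": [{"protocol": ..., "interactionString": ..., "client": ...,
"time": ...}, ...]}. Unknown keys are ignored so a mismatch degrades gracefully.
"""
import json
import ssl
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import List, Optional

POLL_PATH = "/burpresults"  # assumed endpoint, see docstring


@dataclass(frozen=True)
class Interaction:
    protocol: str
    interaction_id: str
    client: str
    time: str


def build_poll_url(server: str, biid: str, *, https: bool = True) -> str:
    """Build the poll URL. Default to HTTPS: the BIID is effectively a secret,
    and sending it over plain HTTP is exactly what we want to stop doing."""
    scheme = "https" if https else "http"
    return f"{scheme}://{server}{POLL_PATH}?" + urllib.parse.urlencode({"biid": biid})


def parse_interactions(body: str) -> List[Interaction]:
    """Parse one poll response. An empty body or an empty 'responses' list
    means nothing new since the last poll."""
    if not body.strip():
        return []
    doc = json.loads(body)
    return [
        Interaction(
            protocol=str(entry.get("protocol", "")),
            interaction_id=str(entry.get("interactionString", "")),
            client=str(entry.get("client", "")),
            time=str(entry.get("time", "")),
        )
        for entry in doc.get("responses", [])
    ]


def poll_once(server: str, biid: str, *, https: bool = True,
              cafile: Optional[str] = None, timeout: float = 10.0) -> List[Interaction]:
    """One round trip to the server (network call; not exercised offline).
    cafile lets you pin a private Collaborator's self-signed certificate."""
    url = build_poll_url(server, biid, https=https)
    ctx = ssl.create_default_context(cafile=cafile) if https else None
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return parse_interactions(resp.read().decode("utf-8", "replace"))


# Constructed sample body, shaped like the assumed response format.
SAMPLE_POLL_BODY = (
    '{"responses": [{"protocol": "dns", "interactionString": "abc123",'
    ' "client": "203.0.113.5", "time": "1700000000000"}]}'
)


def demo() -> List[Interaction]:
    """Parse the constructed sample so the parser can be checked offline."""
    return parse_interactions(SAMPLE_POLL_BODY)


if __name__ == "__main__":
    import sys
    import time
    # usage: python poll.py collab.example.com <captured BIID>
    server, biid = sys.argv[1], sys.argv[2]
    seen = set()
    while True:
        for i in poll_once(server, biid):
            key = (i.protocol, i.interaction_id, i.time)
            if key not in seen:
                seen.add(key)
                print(f"{i.time} {i.protocol:5} {i.interaction_id} from {i.client}")
        time.sleep(5)
```

The BIID still has to come from the Burp client, so this only addresses the cleartext half of the problem; persist the BIID (and the `seen` set) to disk if you want a session to survive restarts.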
Router Software Is Bad
The US is banning foreign-made consumer routers. If their concern is security, this doesn’t go far enough; they should ban all consumer routers.
Even newsletters that generally accept western imperial logic are skeptical of this one:
It's not wrong in the sense that cheap, poorly-secured routers are a point of vulnerability. But from a security perspective, focusing on where the device is made is more than a bit weird.
The underlying problem here is that consumers and ISPs want cheap, fast and reliable routers, over necessarily secure ones. Without changing the incentives for manufacturers, it doesn't really matter where they are made. You'll still get vulnerable products.
Android Sideloading Protection
Android is introducing a sideloading mechanism that requires an initial 24-hour wait period before you can sideload apps from unverified developers.
There Is Always Another XS-Leak
Here is a somewhat recent write-up on an XS-Leak technique. Like any great XS-Leak, it features a number of techniques you would never think about otherwise:
Non-constant-length ETag implementations.
Request-side information leaking due to server HTTP request header size limits.
Chromium-specific status code leaking through history.length.
Will it ever be practical to know these things? Probably not, but now you do.
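The first two items are at least easy to check for in your own stack. Below is an added example of mine (not from the write-up, which I will not try to reconstruct here) showing what a non-constant-length ETag looks like next to a constant-length one, and how the tag comes back on the request side as an If-None-Match header. The "length-prefixed" generator is modelled on the format I recall the jshttp `etag` package using for strings and buffers (hex length, a dash, then 27 characters of base64 SHA-1); treat that as an assumption. The sample bodies are constructed.

```python
"""ETag length as a side channel: length-prefixed vs fixed-length tags.

Added example. The length-prefixed format is modelled on my recollection of
the jshttp `etag` package ("<hex length>-<27 chars of base64 SHA-1>"); that
is an assumption, not something documented on this page.
"""
import base64
import hashlib
from typing import Callable, List


def length_prefixed_etag(body: bytes, weak: bool = False) -> str:
    """Tag whose length grows by one character each time the body length
    crosses a power of 16 (modelled on the jshttp format, see docstring)."""
    digest = base64.b64encode(hashlib.sha1(body).digest()).decode()[:27]
    tag = f'"{len(body):x}-{digest}"'
    return "W/" + tag if weak else tag


def fixed_length_etag(body: bytes) -> str:
    """Hardened form: a full SHA-256 hex digest, always 64 characters, so the
    tag length says nothing about the body."""
    return '"' + hashlib.sha256(body).hexdigest() + '"'


def if_none_match_line(etag: str) -> bytes:
    """The request-side header a browser sends back on revalidation. Its size
    is what a server-side header limit would act on."""
    return b"If-None-Match: " + etag.encode("ascii") + b"\r\n"


def etag_lengths(bodies: List[bytes], gen: Callable[[bytes], str]) -> List[int]:
    return [len(gen(b)) for b in bodies]


def is_constant_length(bodies: List[bytes], gen: Callable[[bytes], str]) -> bool:
    """True if every body in the set yields a tag of the same length."""
    return len(set(etag_lengths(bodies, gen))) == 1


# Constructed sample responses whose sizes straddle hex-digit boundaries.
SAMPLE_BODIES = [b"x" * n for n in (15, 16, 255, 256, 4095, 4096)]


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        a, b = length_prefixed_etag(body), fixed_length_etag(body)
        print(f"{len(body):5d} bytes  prefixed={len(a):2d} chars "
              f"(header {len(if_none_match_line(a))} B)  fixed={len(b)} chars")
```

Run it and the prefixed column steps 31, 32, 32, 33, 33, 34 while the fixed column stays at 66: the tag leaks roughly the order of magnitude of the response size. To check a real server, request two resources you expect to differ in size and compare the lengths of the ETag headers you get back.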
Methodology
Some IIS Methodology
Here is a fresh write-up on identifying and poking at IIS servers.
Praetorian Is at It Again
Last issue, I shared a new secret scanning tool published by Praetorian. This week, their fresh API authorization testing tool is making the rounds across social media and all the regular newsletters. Does there need to be another tool in this space? How does it perform compared to alternatives? Did anyone who is sharing it even use it (I haven’t)? Is everyone just going to vibe code their own tooling instead of investing in a shared platform and standard?
Identifying Third-Party Dependencies in Reverse Engineering
Assetnote has released a tool that scans DLLs and JARs and checks them against existing databases to determine whether they are known components.
Usually our goal is to analyze all the custom code for a software product, and the vendor dependencies add a lot of noise to the equation, as we typically have to decompile everything and sort through the mess of decompiled code.
…
The database is built from two sources: Maven Central for Java JARs and NuGet for .NET DLLs. The two registries work very differently, so we had to take different approaches for each.
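For the Java half, a lot of the identification can be done from metadata the JAR already carries. Below is an added example of my own (not Assetnote's code; how their tool matches components is not described above) that pulls the Maven coordinates out of `META-INF/maven/<group>/<artifact>/pom.properties` and the manifest, and computes the file's SHA-1 for a Maven Central hash lookup. The search URL is my recollection of the Maven Central search API and is an assumption; the sample JAR is constructed in a temp directory so the script runs offline.

```python
"""Identify a JAR as a known Maven artifact from embedded metadata and SHA-1.

Added example, not Assetnote's tooling. ASSUMPTION: the Maven Central
SHA-1 search URL below is from memory, not from this page.
"""
import hashlib
import os
import tempfile
import zipfile
from typing import Dict, Optional

MAVEN_SHA1_SEARCH = (
    "https://search.maven.org/solrsearch/select?q=1:%22{sha1}%22&rows=5&wt=json"
)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_manifest(text: str) -> Dict[str, str]:
    """MANIFEST.MF main section; lines starting with a space continue the
    previous header (the format wraps at 72 bytes)."""
    joined = text.replace("\r\n", "\n").replace("\n ", "")
    headers: Dict[str, str] = {}
    for line in joined.split("\n"):
        if not line.strip():
            break  # end of main section
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip()] = value.strip()
    return headers


def identify_jar(path: str) -> Dict[str, Optional[str]]:
    info: Dict[str, Optional[str]] = dict.fromkeys(
        ["sha1", "groupId", "artifactId", "version",
         "implementation_title", "implementation_version", "lookup_url"])
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    info["sha1"] = h.hexdigest()
    info["lookup_url"] = MAVEN_SHA1_SEARCH.format(sha1=info["sha1"])
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_properties(zf.read(name).decode("utf-8", "replace"))
                for key in ("groupId", "artifactId", "version"):
                    info[key] = props.get(key)
                break  # shaded JARs carry several; first is good enough here
        if "META-INF/MANIFEST.MF" in zf.namelist():
            mf = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
            info["implementation_title"] = mf.get("Implementation-Title")
            info["implementation_version"] = mf.get("Implementation-Version")
    return info


def make_sample_jar(directory: str) -> str:
    """Constructed sample JAR with Maven metadata and a stub class entry."""
    path = os.path.join(directory, "sample-1.2.3.jar")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Title: sample\r\n"
                    "Implementation-Version: 1.2.3\r\n\r\n")
        zf.writestr("META-INF/maven/org.example/sample/pom.properties",
                    "#Generated by Maven\ngroupId=org.example\n"
                    "artifactId=sample\nversion=1.2.3\n")
        zf.writestr("org/example/Sample.class", b"\xca\xfe\xba\xbe")
    return path


def demo() -> Dict[str, Optional[str]]:
    with tempfile.TemporaryDirectory() as d:
        return identify_jar(make_sample_jar(d))


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

Coordinates from `pom.properties` are self-reported and trivially forged, so treat them as a hint and the SHA-1 as the actual match; anything with no Central hit is a candidate for the custom-code pile the quote above is talking about.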
Connect
Respond to this email to reach me directly.
RSS feed here.
Connect with me on LinkedIn.
Follow my YouTube.

