A few weeks ago my friend (1) and I attended a hackathon sponsored by a local ISSA chapter (2). The hackathon was a hands-on event where participants learned about common web application vulnerabilities in a fun, gamified environment. The technical platform for this hackathon was provided by Security Innovation (3).
At the end of the event, the two of us finished first and second, with nearly half of the available points each. Security Innovation, however, graciously kept the game open for a few more days to give the participants an opportunity to continue to play and learn.
We used this opportunity to find and exploit more vulnerabilities in the application, and ultimately discover the one that allowed us to completely own the application server.
During a project working with Hydra, a Network Login Auditor, we discovered and corrected a buffer overrun issue with possible security implications that might include the auditor being attacked by the auditee.
TL;DR Attacker using Hydra or Medusa can get pwn'd by the victim website responding with remote code execution via buffer overrun exploit.
For those who weren't able to attend GrrCon 2016, here's Aspect's Tony Miller, Principal Application Security Engineer, speaking about intelligent AppSec prioritization at the conference.
On November 6, Stephen Breen of Foxglove Security (@breenmachine) published a blog post outlining vulnerabilities in components of several Java Web Application Servers (WebSphere, JBoss, and WebLogic) as well as a popular development automation framework (Jenkins).
All of these vulnerabilities follow a similar pattern. And as worrying as that is, it's only the tip of the iceberg (as Foxglove’s post articulates).
So what can you do? This blog post will provide background and information on how to defend against vulnerabilities in Java serialization introduced by Apache Commons Collections affecting common Web App Servers such as WebSphere, JBoss, and Web Logic, as well as common applications like Jenkins.
For those who weren't able to attend AppSec USA, OWASP has kindly been posting session recording on their YouTube channel. Here's Aspect's CEO, John Pavone, speaking at AppSec USA 2015!
I am very excited about the Women in AppSec (WIA) program at the AppSec USA 2015 conference. This year, WIA is hosting a panel of speakers who will be talking about how to encourage gender diversity in information security. Additionally, WIA is sponsoring a series of Birds of a Feather sessions during the day on Thursday where anyone (you too!) can suggest meet-up topics in real-time at the conference.
As part of our panel, WIA was able to raise enough funds to bring two speakers based in India to the conference, Apoorva Giri and Shruthi Kamath, to discuss their organization, InfoSec Girls.
Cross-Site Request Forgery, also known as CSRF and XSRF, is a type of attack that has been around for years and we know how to prevent it. Yet we still find this vulnerability in hundreds of assessments and penetration tests every year.
In this post, we want to make developers aware of the vulnerability and its significance, show how a hacker can perform an attack against a sample application, and (most importantly) explain how you can protect an application from this style of attack by using controls built-in to the ASP.NET MVC framework.
NIST released thier publication Vetting the Security of Mobile Applications (SP 800-163) in January as a high-level guide for organizations creating secure mobile applications.
I’ve spent some time with the document and it does an excellent job outlining why mobile application security must be vetted at an organization. However, the publication’s misses the mark in two very important areas: manual testing and server side controls.
OpenSAMM (Software Assurance Maturity Model) v1.0 was released just over 6 years ago. It was one of the first projects of its kind to take on the large challenge of measuring software assurance maturity. Since then it has been used by organizations and application security companies to evaluate their software assurance efforts. Fast forward to 2015, SAMM is once again in the news.
The spat of SSL and TLS issues over the last year have caused concern about the quality of the encrypted tunnel in Internet communications. The various creatively named BEAST, CRIME, & POODLE attacks against SSLv3 have effectively killed the entire SSLv3 protocol. Bugs in different encryption libraries have created additional means of exploit, such as with OpenSSL's HeartBleed affecting TLS and Apple's GotoFail SSL and (partial) TLS attack. In these cases, the TLS protocol itself is safe, but the implementation of TLS reduced the overall level of protection.