ASW #232 – Josh Grossman

"We care deeply about privacy and security at Loom." -- and this is the kind of incident report you write to demonstrate that. A cache configuration captured session cookies, which then dropped those cookies onto visitors.

The write-up goes through the prep and considerations taken before the cache change, an analysis of what happened despite that prep, and steps to avoid similar problems in the future.

GitHub starts requiring 2FA starting today. It's a year-long effort during which groups of devs will receive notifications to enable 2FA within a 45-day period.

It's a good step for security and has some nods towards usability, like unlinking an email in case of account lockout so you can reuse the email for a new account.

This is really just notable for an Apache bug surfacing in the news. They've been rare. Looking back at the 2.4 security page, request smuggling has been an ongoing bug class, as has the usual type of memory issues from C.

Last year Apache started down a path with Rust, providing modtls as a replacement for modssl. But it was the Internet Security Research Group that did the work, not the Apache Software Foundation. We'll add this to the list of projects to watch that are migrating away from C, but it's not clear whether there's more to come from httpd.

It's never good to have bugs in the root of a root of trust. Researchers found two. They look to be exploitable and could be used to leak information or escalate privileges.

Notably, the flaws were in reference code. They failed to apply length checks, which could lead to a buffer overflow.

This is another entertaining and informative article. It also reads like a checklist of basic appsec issues -- they just all happen to be within a single app.

Dropbox provides their framework for individual contributors on the Security Engineering teams. At the junior levels, there's more weight on technology fluency and threat fluency. In other words, understanding fundamentals of appsec. We'll continue to highlight tools and attacks that would help you gain knowledge and practice in those areas.

Last week we lamented the end of The Daily Swig. This week we're looking at the end of Enigma.

We had just talked with Adrian Sanabria in episode 228 about his presentation for Enigma and we've covered others in the past. Let us know your favorite conferences for staying on top of appsec trends.

Images are everywhere on the web. They're also a great attack vector since many sites allow users to upload arbitrary images and image parsers have had many buffer overflows. Talking about how to secure an image processing pipeline is a good exercise in security architecture, because you can touch on not only the binary that handles images, but how to isolate it from other parts of an app.

ImageMagick's behavior can be influenced by compile-time settings as well as at runtime by its XML-based security policy.

Read the blog post at https://blog.doyensec.com/2023/01/10/imagemagick-security-policy-evaluator.html

Tl;dr: Loom's CDN sent the wrong session cookies to the wrong people (effectively meaning that people were sort of logging in as other people by lottery)

Securing not only the software that you write, but that you depend on in your supply chain is a hot topic right now. To that end, GitHub wrote many useful guides on how to secure the software supply chain, covering topics like securing your accounts, securing your code in the supply chain, and securing your build system.

One of the web's least buggy buggy websites, Juice Shop is a vulnerable web application that exists to teach people about application security and pentesting. You can either try to exploit the many vulnerabilities on your own, or choose to use built-in tutorials. You can also configure Juice Shop for CTFs and training courses at your organization.

A great video overviewing what a TPM is, how to check and see if you have one on your computer, what to do if you don't see a TPM listed, and why Microsoft insists on TPM 2.0 to run Windows 11.

A deep, technically rich dive into exploiting security vulnerabilities through the mis-implementation of OAuth on Booking.com's website.

There's a weakness in how GH handles commits from a fork of a repo. As one example, this can be used to make it look like an action is running a legitimate commit, but it's actually from a fork...

Neat project similar to the bad* series of projects that goes through various ways one should not store secrets, and the issues using these methods can cause