Removing Rust, Double Clickjacking, h3i CLI, JWT Mistakes, Reviewing Recursion – ASW #312
Curl removes a Rust backend, double clickjacking revives an old vuln, a new tool for working with HTTP/3, a brief reminder to verify JWT signatures, design lessons from recursion, and more!
- 1. dropping hyper | daniel.haxx.se
After four years, Curl's effort to bring a Rust-based HTTP/1 backend into the library has ended. The reasons provide good lessons for the appsec industry's push for memory safety and secure code.
- 2. DoubleClickjacking: A New Era of UI Redressing
An iteration on the clickjacking technique bypasses the pervasive browser-based solutions that effectively eradicated clickjacking. Fortunately, there are equally simple countermeasures for this version.
Given appsec's naming habits, what "double" will we see next? Double SQL injection? Double XSS? Double prompt injection?
- 3. Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability
The last jailbreak research of 2024. It shows more clever testing for edge cases. There'll surely be more prompt injection and jailbreak techniques by the end of January. Still looking for that compelling and successful use of genAI in appsec.
- 4. Open sourcing h3i: a command line tool and library for low-level HTTP/3 testing and debugging
Building libraries for an RFC vs. building libraries to test RFC design and implementations.
- 5. Finding Critical Flaws in Secure Systems | Trail of Bits
To emphasize from the start, many of these vulns "...result in little or no real-world harm in most contexts."
However, there's still something to learn from parsing and handling user-supplied data. They provide opportunities to talk about recursion, edge cases, malicious input, and secure design choices.
- 6. How to Avoid JWT Security Mistakes in Node.js
Short and simple: Verify the signature of signed blobs. The article also covers some of the challenges of dealing with stateless session tokens.
Here's a bonus JWT CVE about JWT algorithm confusion.
- 1. Compiling C to Safe Rust, Formalized
Some researchers came up with a simplified version of the C language, then use it to port programs before converting them to Rust. This lets them be assured that the ported program is safe.
- 1. Hackers Weaponize Visual Studio Code Remote Tunnels for Cyber Espionage
The attackers exploited SQL injection vulnerabilities in internet-facing applications and database servers using SQLmap.
- 2. Nuclei flaw lets malicious templates bypass signature verification