Name: Redlining the Smart Contract Top 10 – Shashank . – ASW #322
Uploaded: 2025-03-18T05:00:00.000America/New_York
Description: Redlining the Smart Contract Top 10 – Shashank . – ASW #322

The crypto world is rife with smart contracts that have been outsmarted by attackers, with consequences in the millions of dollars (and more!). Shashank shares his research into scanning contracts for flaws, how the classes of contract flaws have changed in the last few years, and how optimistic we can be about the future of this space.

Segment Resources:

<ul>
<li><a rel="noopener" target="_blank" href="https://scs.owasp.org">https://scs.owasp.org</a></li>
<li><a rel="noopener" target="_blank" href="https://scs.owasp.org/sctop10/">https://scs.owasp.org/sctop10/</a></li>
<li><a rel="noopener" target="_blank" href="https://solidityscan.com/web3hackhub">https://solidityscan.com/web3hackhub</a></li>
<li><a rel="noopener" target="_blank" href="https://www.web3isgoinggreat.com">https://www.web3isgoinggreat.com</a></li>
</ul>

Featured image for {“vendor”:”ppworks”,”type”:”segment”,”id”:”13499″} podcast from PPWorks

Security Weekly listeners save $100 on their RSA Conference 2025 Full Conference Pass! RSA Conference will take place April 28 to May 1 in San Francisco and on demand. To register using our discount code, please visit <a rel="noopener" target="_blank" href="https://securityweekly.com/rsac2025">securityweekly.com/rsac2025</a> and use the code 5U5SECWEEKLY! We hope to see you there!

RSAC 2025 Registration Discount

When ‘Lockdown Mode’ Is Just a Lock Screen Theater! Jamf Threat Labs uncovered a technique where malware can fake Apple’s Lockdown Mode, displaying all the right visuals but none of the actual protections. This post-exploitation trick gives users a false sense of security, highlighting that once a device is compromised, even Lockdown Mode can’t save the day.

Fake Lockdown Mode

The flaw stems from an API misconfiguration that neglects to verify the content-type header, allowing attackers to send malicious requests without triggering security checks. This oversight could enable adversaries to exfiltrate or poison machine learning models, posing significant risks to organizations relying on MLflow.

MLflow’s zero-day threat to model poisoning

Meta has identified a high-severity out-of-bounds write vulnerability (CVE-2025-27363) in FreeType versions 2.13.0 and earlier, potentially exploited in the wild. The flaw allows remote code execution when parsing certain font files. Despite a fix being available for almost two years, several Linux distributions, including Debian and Ubuntu 22.04, still use vulnerable versions.

Parsing RCE in FreeType

One of my favorite topics -- path traversal!

It's great to see a language primitive for handling file names more securely.

On the other hand, it's only going to benefit new code that takes advantage of these new functions. That's not bad, it just means there's work to do for existing and old codebases.

The article also notes that the underlying OS and environment may still have some inconsistencies, such as node.js remaining vulnerable to TOCTOU attacks even when using these functions.

And speaking of OS support. It mentions Plan 9(!?) lol. Does anyone use that!? The design philosophy of Plan 9 is that everything is a file, which makes traversal particularly relevant. But wow there's an OS I haven't heard mentioned for a few decades.

Traversal-resistant file APIs – The Go Programming Language

Another favorite topic -- parsers! More specifically, mismatched behavior between parsing engines and the consequences thereof.

The underlying premise of the article is likely familiar to many orgs: Do I use an open source library with known design flaws (or missing feature)? Or do I create my own? If I create my own, is its security any better than the open source version?

In this case, the ruby-saml library used two backend XML parsers that handled SAML signatures in two very different ways, which mean an attacker could use a known signature from one message (not too hard to obtain) to impersonate any other user.

Check out <a rel="noopener" target="_blank" href="https://langsec.org/spw23/papers/Ali_LangSec23.pdf">this paper</a> for more details on this class of vulns.

And check out <a rel="noopener" target="_blank" href="https://ssoready.com/blog/engineering/xml-dsig-is-unfortunate/">this blog post</a> for why SAML's design probably isn't worth saving in the first place.

Sign in as anyone: Bypassing SAML SSO authentication with parser differentials – The GitHub Blog

Back in <a rel="noopener" target="_blank" href="https://www.scworld.com/podcast-episode/3426-top-10-web-hacking-techniques-of-2024-james-kettle-asw-318">episode 318</a> James Kettle shared his advice on sharing research, and pointed out that not all research successfully ends in an effective exploit.

Here's just the kind of article to illustrate that even a difficult-to-exploit flaw can provide a simple-to-understand information. It's a nice walkthrough of what needs to be in place for this Tomcat vuln to be exploited, the thought process of putting an exploit together, and the importance of getting intimately familiar with the inner workings of a target tech stack.

Lingua Diabolis | Analysis of CVE-2025-24813 Apache Tomcat Path Equivalence RCE

There's an implied lesson in here for appsec. Don't just tell devs to use a language because it's more secure, give them a more secure language that solves their programming needs and doesn't annoy them.

Performance and compile times are one of the biggest annoyances to any developer. That's why it's nice to see this massive improvement for TypeScript.

Also notable is Microsoft's decision to use Go. They could have made a business or ego-drive decision to use C#, but Go provided a <a rel="noopener" target="_blank" href="https://github.com/microsoft/typescript-go/discussions/411">better developer experience</a> for the domain problems they encountered in making TypeScript faster. I love seeing these kinds of decisions based on architecture considerations and how developers work with code.

A 10x Faster TypeScript

What if there was a cool memory attack that no one used?

It's not that Rowhammer isn't unusable or purely theoretical. Security researchers have demonstrated many attacks, even ones <a rel="noopener" target="_blank" href="https://github.com/isec-tugraz/rowhammerjs">using JavaScript</a>.

But the gist of this project is to evaluate how practical those attacks really are outside of labs and test environments. It's not so much about POC||GTFO as it is a way to evaluate the risks associated with an attack like this. We know its severity (bad, can leak memory), but its risk comes from that severity, exploitability, and threat scenarios.

If your org has already deployed FIDO2 keys for all employee authentication, WebAuthn (or equivalent) for all customer authentication, and your devs keep package dependencies up to date at least on a monthly basis, then you've got the luxury to start thinking about how you'd want to mitigate a Rowhammer-style attack.

FLIPPYR.AM

This is mostly for all the hardware and emulator fans out there.

I'm still thinking up what the appsec angle might be. Perhaps something about software quality degrading faster as it ages...

FUN: Super Nintendo Hardware Is Running Faster as It Ages

I think I mention fuzzing at least once every episode. (This week's SAML article mentions fuzzing.)

So I might as well highlight fuzzing education and techniques at every opportunity. Here's the latest update on fuzzing tutorials from the appsec guide curated by Trail of Bits.

LibAFL | Testing Handbook

I keep asking where LLM contributes to appsec tasks (as opposed to contributing to coding assistance for devs). Here's a good list of scanners to keep an eye on to see how they fare against the old school way of writing crawlers and fancy variations on the grep command.

FYI: open-source-llm-scanners

We covered the ByBit hack briefly back at the beginning of March in <a rel="noopener" target="_blank" href="https://www.scworld.com/podcast-episode/3428-keeping-curl-successful-and-secure-over-the-decades-daniel-stenberg-asw-320">episode 320</a>.

Here's a nice update with more technical details that's worth reading through.

FYI: In-Depth Technical Analysis of the Bybit Hack | NCC Group

A “changed files” action changed more than files—it opened the door to malicious code. This supply chain attack) reminds us all to think twice before trusting every workflow plug-and-play.

Other resources:

<a rel="noopener" target="_blank" href="https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/">https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/</a>

<a rel="noopener" target="_blank" href="https://pulse.latio.tech/p/understanding-and-re-creating-the">https://pulse.latio.tech/p/understanding-and-re-creating-the</a>

<a rel="noopener" target="_blank" href="https://news.ycombinator.com/item?id=43367987">https://news.ycombinator.com/item?id=43367987</a>

GitHub Action tj-actions/changed-files supply chain attack

Lockdown Mode is good. Use it if the security and usability trade-offs match your comfort level and threat concerns.

I'm highlighting this because good UX is critical to security features. It's also a very difficult area to get right and an impossible area to get right universally. There'll always be some subjective aspects to it, but whether you're writing tools for developers or interfaces for users, question whether they're accomplishing the tasks you intended them to do and whether you're providing the best context for them to understand those tasks.

This topic reminds me of CISA's <a rel="noopener" target="_blank" href="https://www.cisa.gov/resources-tools/resources/secure-by-design">Secure by Design</a> principle to take ownership of customer security outcomes.

Apple’s Lockdown Mode is good for security — but its notifications are baffling | TechCrunch

Application Security Weekly

About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema, the podcast focuses on helping its audience find and fix software flaws effectively. Co-hosts: John Kinsella, Kalyani Pawar.

Redlining the Smart Contract Top 10 – Shashank . – ASW #322

Announcements

Guest

Host

Related

Skype Hangs Up, Android Backdoors, Jailbreak Research, Pretend AirTags, Wallbleed – ASW #321

CISA’s Secure by Design Principles, Pledge, and Progress – Jack Cable – ASW #321

QR Codes Replacing SMS, MS Pulls VSCode Extension, Threat Modeling, Bybit Hack – ASW #320