Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news
Our second web security roundup begins with news that a brace of network security flaws in products from Fortinet and Citrix have each come under active attack.
These attacks were enabled, respectively, by memory corruption vulnerabilities in the FortiOS SSL-VPN and by a critical arbitrary code execution flaw in Citrix ADC and Citrix Gateway (CVE-2022-27518). It is unclear whether the two campaigns are linked, but both underline the importance of patching SSL VPN devices, which have previously served as entry points for pushing ransomware onto enterprise networks, among other attacks.
Uber this week suffered a data breach as a result of a cybersecurity incident at a third-party vendor, resulting in the exposure of employees’ personal information. The incident represents only the latest security breach to impact the ride-hailing app firm, which was previously faulted for the delayed disclosure of a 2016 breach that exposed the account records of customers and drivers. More recently, back in September, Uber’s internal IT systems were breached by a social engineering attack.
Over at Black Hat Europe, security researcher Nitesh Dhanjani discussed the impact of floor prices of non-fungible token (NFT) collections and how attacks focused on business dynamics have the potential to wreak havoc on marketplaces. Dhanjani also spoke about off-chain and on-chain sync algorithms, and how the disparities between the two blockchain-related environments can be abused.
I also attended the event for The Daily Swig, reporting on a keynote in which security researcher Daniel Cuthbert said the industry’s fixation on zero-day vulnerabilities was only a partial solution to making the internet fundamentally secure. We also covered some of the top hacking tools from the event.
Among other stories on The Daily Swig in recent days was an Akamai WAF bypass via Spring Boot, SQL injection payloads being smuggled past WAFs, and a crypto maintainer rejecting a bogus cryptocurrency ‘vulnerability’ submitted with the help of ChatGPT.
Here are some other web security stories and other cybersecurity news that caught our attention in the last fortnight:
LEGO reportedly fixed a number of API security issues found by SALT Labs
ChatGPT – the artificial intelligence chat tool from OpenAI – is the hottest thing in infosec-focused social media circles just now. Rather than asking it to suggest possible vulnerabilities in code, we wondered what ChatGPT could conjure when asked to write lyrics for a song about SQL injection in the style of the late David Bowie.
The results were more than satisfactory:
In the realm of computers, where data flows like a stream
There are those that seek to exploit and cause us all to scream
They are the hackers, the codebreakers, the malicious ones
And among their favorite trick is the art of SQL injection
Chorus:
SQL injection, SQL injection
A dangerous game, a digital infection
SQL injection, SQL injection
Beware of the hackers and their devious invention
To paraphrase the great man himself, I still don’t know what I was waiting for… but it definitely wasn’t this.
John Leyden
@jleyden
© 2022 PortSwigger Ltd.