- This Week on Absolute AppSec
- Posts
- Episode #251
Episode #251
Passive Scanning, Exploiting Chrome Extensions, CocoaPods, NVD
This week on the 251st episode of Absolute Appsec, Seth and Ken return with recent headlines from the world of application security. Specifically, the most recent episode covers tools that perform passive scanning, exploitation of Google Chrome extensions, recent vulnerabilities in the CocoaPods ecosystem, and the national vulnerability database (NVD). You can watch the full episode here:
Seth and Ken start by discussing Mozilla’s new HTTP Observatory tool for scanning and analyzing website security headers. It currently analyzes cookie configurations, CORS, HSTS, referrer policies, sub-source integrity, and content types. This tool makes it easy to ensure headers are up-to-date on publicly accessible sites by identifying low-hanging fruit in web security. However, Seth and Ken stress the importance of using the tool with context; not as a substitute for thorough security testing and penetration testing. Like many of the new rising technologies in the security world, there are concerns about the misuse of these passive analysis tools based on reports that they often lack context, leading to a misprioritization of risks. This highlights the importance of interpreting scan results correctly, especially when they impact business decisions or compliance.
“You still need to know the purpose of the site, how it’s built, what matters and what doesn’t.”
Next, our duo expands upon real-world experiences with various passive analysis tools. Many companies use this type of automated scan to assess third-party vendors out of convenience, but this can be misleading and exaggerate security concerns. Examples of this include failing security scans for minor issues, like missing CAPTCHA or non-login pages. These automated reports can cause unnecessary panic and resource allocation to address non-critical issues. To counteract this, businesses spend time and effort to refute incorrect or irrelevant findings. This discussion goes hand-in-hand with discussion on the future of continuous penetration testing and the potential role of AI in security testing, prompting individuals to prioritize maintaining context and accurate representation in security reports.
"It’s going to take some sort of metadata checks or, you know, almost context risk analysis to dig into the items that are real issues as opposed to ones that can be passed through”
Ken does an in-depth review of an exploit writeup on Universal Code Execution by Chaining Messages in Browser Extensions from Eugene Lim. This technique uses Chromes’s built-in API for messages passing between frames to break out of the web context and run code on the user’s machine via an installed browser extension.
To round out the episode, there is a brief conversation around package repository with the vulnerability discoveries within the CocoaPods ecosystem from E.V.A. Securities recent article. This leads to further discussion on the CVE ecosystem and problems reviewing exploit and vulnerability validation by NIST in the National Vulnerability Database (NVD).
As always, there is deeper conversation over in Slack. Support the podcast by joining and getting some cool new Merch from the updated store at merch.absoluteappsec.com.
This episode is sponsored by Redpoint Security. Redpoint Security. Redpoint specializes in "Code Security by Coders," bolstered by years of experience testing applications and conducting code reviews against all types of applications, including web, mobile, AI and web3 apps. Redpoint also offers training to help ground your teams in better security practices across the development lifecycle. So check out redpointsecurity.com for more information and put your company on a path to better security.
Stay Secure,
Seth & Ken
https://youtube.com/live/_ENIbLadfZQ - Episode #201 - Breaches, Package Managers, Audit Logs
https://youtu.be/j093mOfawiU - Episode #168 - Secure Code Review, Package Confusion, Privacy Acts
https://youtu.be/fnm3mz01kFQ - Episode #165 - Portswigger 2021 Top 10, Supply Chain Attacks, TLS Certs
Absolute AppSec Happenings
https://www.blackhat.com/us-24/spotlight.html - DryRun Security is a finalist for the Black Hat Startup Spotlight Competition. Congrats to Ken & James!
https://owasp.org/blog/2024/07/09/new-coi-and-bylaws.html - New Articles of Incorporation and Bylaws for the OWASP Foundation. This will have an effect on how industry can use the OWASP name and project. Keeping our eye on this.
https://www.tessl.io/blog/will-ai-follow-cloud-native-and-reach-ai-native-development - Conjecture that AI Native Development methods may mirror the cloud native rollout.