Episode #263

WebApp Fuzzing, Mobile Testing, Secrets Management

This week on episode #263 of Absolute AppSec, Seth (@sethlaw) and Ken (@cktricky) discuss the latest news in application security. Today, the discussion focuses on the deficiencies of vulnerability and exploit-focused dynamic testing, security through client-side controls, and secrets management. Watch the full episode at https://www.youtube.com/watch?v=Br-B44xHSgA, or find us on your preferred podcast platform.

Before we break down this episode, we wanted to announce an upcoming opportunity to sharpen your software security skills through the use of Generative AI! These tools are revolutionizing secure code reviews and other application security tasks, enhancing our ability to sift through massive codebases and focus on potential vulnerabilities. AI is a critical tool for developers looking to implement better security practices efficiently. If you have been looking for an opportunity to learn how to apply Generative AI to your skillset, now is the time. Register at training.absoluteappsec.com

“People get so focused on looking for vulnerabilities, they forget what makes things vulnerable to attack in the first place.”

Seth

Spurred on by a Slack discussion on dynamic testing, Seth and Ken dive into dynamic testing and fuzzing. Security testing is usually framed as static and dynamic analysis, but fuzzing is its own technique: bombarding an application with random or malformed inputs and watching for unexpected behavior. Seth argued that the industry has become overly focused on exploiting known vulnerabilities and “full exploit chains” rather than addressing the root causes, the underlying software bugs. He stressed going back to basics and using fuzzing to surface reliability issues (crashes, hangs, unhandled errors), not just demonstrable exploits. He noted that modern web applications, especially those built on client-side JavaScript frameworks, complicate fuzzing because of how they manage and submit data on the client, so testers now drive headless browsers to fuzz client-side interactions effectively. Even so, traditional fuzzing remains a critical technique for finding hidden bugs that current dynamic and static tools often miss and that can later turn into major vulnerabilities.
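As an added example (not code from the episode or from the hosts), the Python harness below shows the reliability-focused fuzzing Seth describes: it mutates one request field at a time, and its oracles are crashes, out-of-contract status codes and oversized responses rather than any exploit. The target handler, its two bugs, the seed request and the mutation strategies are all constructed for the illustration; a real run would wrap an HTTP client or a headless browser in place of the local function call.

```python
from __future__ import annotations

import random
from dataclasses import dataclass


def handle_request(params: dict[str, str]) -> tuple[int, str]:
    """Constructed stand-in for a 'reserve items' endpoint (not real code).

    It carries two latent reliability bugs of the kind the discussion is about:
    an unguarded int() on user input and an ASCII-only encode of free text.
    Neither is an exploit; both are unhandled errors any user can trigger.
    """
    qty = int(params.get("qty", "1"))                    # ValueError on "", "abc", "1e3"
    name = params.get("name", "guest").encode("ascii")   # UnicodeEncodeError on "é"
    if qty < 0 or qty > 100:
        return 400, "quantity out of range"
    return 200, f"reserved {qty} for {name.decode()}"


@dataclass(frozen=True)
class Finding:
    kind: str      # "crash" or "anomaly"
    detail: str    # exception class name, or what looked wrong
    params: tuple  # the request that triggered it, as sorted (key, value) pairs


def mutate(value: str, rng: random.Random) -> str:
    """Apply one structural mutation to a string field."""
    choice = rng.randrange(6)
    if choice == 0:
        return ""                                              # empty field
    if choice == 1:
        return value * 50                                      # length blow-up
    if choice == 2:
        return value + rng.choice(["\x00", "\n", "'", "<", "é", "𝕏"])  # odd bytes / Unicode
    if choice == 3:
        return str(rng.choice([-1, 0, 2**31, 2**63, 10**40]))  # integer boundaries
    if choice == 4:
        return value[: rng.randrange(len(value) + 1)]          # truncation
    return "".join(rng.choice("0123456789abc.-+e ") for _ in range(rng.randint(1, 8)))


def fuzz(target, seed_params: dict[str, str], iterations: int = 2000,
         expected_statuses: tuple[int, ...] = (200, 400), rng_seed: int = 1) -> dict[str, Finding]:
    """Mutate one field per request; record crashes and anomalous responses.

    Findings are deduplicated by what went wrong, which is what a triager
    wants rather than thousands of raw request/response pairs.
    """
    rng = random.Random(rng_seed)
    findings: dict[str, Finding] = {}
    keys = sorted(seed_params)
    for _ in range(iterations):
        case = dict(seed_params)
        key = rng.choice(keys)
        case[key] = mutate(case[key], rng)
        try:
            status, body = target(case)
        except Exception as exc:                   # oracle 1: the handler blew up
            detail = f"crash:{type(exc).__name__}"
        else:
            if status not in expected_statuses:    # oracle 2: status outside the contract
                detail = f"anomaly:status {status}"
            elif len(body) > 10_000:               # oracle 3: response size blow-up
                detail = "anomaly:oversized body"
            else:
                continue                           # behaved as specified
        findings.setdefault(
            detail, Finding(detail.split(":", 1)[0], detail, tuple(sorted(case.items()))))
    return findings


if __name__ == "__main__":
    for finding in fuzz(handle_request, {"qty": "3", "name": "alice"}).values():
        print(finding.detail, dict(finding.params))
```

The point of the oracles is that none of them knows what a "vulnerability" is: an unhandled exception on a single field is enough to file, and the saved `params` is the minimal reproducer a developer needs to fix the root cause rather than a specific payload.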

“[McDonald’s mobile app] is a good study in threat modeling. Does the security you build into an application warrant the amount of threat that exists for that application?”

Seth

Next, Seth and Ken return to an older article titled ‘Trusting clients is probably a security flaw’ that discussed McDonald’s mobile app. Mobile application security testing presents its own set of challenges, especially around apps that try to protect themselves on rooted or jailbroken devices. Seth and Ken discussed how mobile developers, like those working on the McDonald’s app, often implement complex mechanisms to block users on rooted devices from certain features, such as coupon flows or reward programs. Over-complicated client-side checks like root detection often produce false positives, locking out legitimate users, and especially developers and testers whose environments look like tampered devices. In Seth’s experience, many of these checks are too aggressive, flagging normal developer setups as threats and making it harder to test the application in a controlled environment. For security professionals testing mobile apps, Seth recommended staying aware of these checks and having practical ways to bypass them in test environments. He emphasized striking a balance: robust security without unnecessary roadblocks for legitimate users or testers. The point in the article’s title still holds: a root-detection check runs on the client, so it can raise the cost of tampering but cannot stand in for server-side enforcement of whatever the coupon or reward flow is meant to protect.

Finally, our hosts shared their thoughts on a recent newsletter from Node.js Security on secrets management titled ‘Do not use secrets in environment variables and here’s how to do it better.’ The case against environment variables is a practical one: a process’s environment is inherited by every child process it spawns and tends to surface in crash reports, debug endpoints and CI logs. The management of secrets, sensitive data like API keys, tokens, and passwords, is often an afterthought, especially in fast-paced development environments where code is pushed rapidly to production. Tools for scanning codebases for exposed secrets exist, yet many companies still hardcode credentials directly into their applications, leaving them one accidental commit away from a leak. Ken emphasized that as organizations adopt faster development cycles, secrets management must be baked into the CI/CD pipeline, with automated scanning that runs continuously and flags secrets before they reach production. Ken and Seth also touched on tools that help developers manage secrets securely, such as HashiCorp Vault, AWS Secrets Manager, and other secrets-as-a-service platforms. These services can generate short-lived credentials on demand, rotate them, and control who and what may read them, so a leaked value is worth far less to an attacker than a long-lived hardcoded credential.
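One concrete form of the continuous scanning Ken describes, as an added example rather than the hosts’ or any particular tool’s code: a small scanner that applies vendor-shaped patterns (AWS access key IDs, GitHub personal access tokens) plus an entropy-gated rule for generic `name = "value"` assignments, which is the same regular-expression approach the secrets-in-source discussion in episode #187 covers. The sample lines are constructed for the illustration; the AWS key is Amazon’s documented placeholder and the GitHub-token-shaped string is made up. The threshold and the rule set are assumptions a real deployment would tune.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Constructed sample lines standing in for a pre-commit diff. The AWS key is
# Amazon's documented placeholder; the GitHub-token-shaped string is made up.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'GITHUB_TOKEN = "ghp_1a2b3c4d5e6f7g8h9i0jklmnopqrstuvwxyz"',
    'api_key = os.environ["API_KEY"]',
    'secret = "xK9v2LmQ8pRt4WzY7bNc3HdF6gJs"',
    'password = "changeme"',
    'session_token = "aaaaaaaaaaaaaaaaaaaa"',
]

# Vendor-defined token shapes match on structure alone.
STRUCTURED_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic `name = "value"` assignments need an entropy gate, or every
# placeholder password in a test fixture becomes a finding.
GENERIC_RULE = re.compile(
    r"(?i)\b\w*(api[_-]?key|secret|token|passw(or)?d)\w*\s*[:=]\s*['\"]([A-Za-z0-9_\-/+=]{8,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed); random 28-char keys sit well above it


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    preview: str  # redacted: enough to locate the value, never the whole thing


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character over the value's own symbol frequencies."""
    if not value:
        return 0.0
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so the finding can be located without re-leaking it."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_lines(lines) -> list[Finding]:
    """Run every rule over every line; structured rules win, one finding per line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        hit = None
        for rule, pattern in STRUCTURED_RULES.items():
            match = pattern.search(line)
            if match:
                hit = Finding(line_no, rule, redact(match.group(0)))
                break
        if hit is None:
            match = GENERIC_RULE.search(line)
            if match and shannon_entropy(match.group(3)) >= ENTROPY_THRESHOLD:
                hit = Finding(line_no, "high-entropy-assignment", redact(match.group(3)))
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    # As a pre-commit or CI step: any finding fails the build.
    import sys
    results = scan_lines(SAMPLE_LINES)
    for f in results:
        print(f"line {f.line_no}: {f.rule} -> {f.preview}")
    sys.exit(1 if results else 0)
```

Note what the entropy gate buys and costs: `"changeme"` and the all-`a` session token are skipped as obvious placeholders, and a value read from configuration (`os.environ[...]`) is never matched at all, but a genuinely weak, low-entropy production password would also slip through. Structured rules have no such blind spot, which is why scanners lead with them and treat the generic rule as a backstop.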

This episode is sponsored by Redpoint Security. Redpoint specializes in “Code Security. By Coders,” which is bolstered by years of experience testing applications and conducting code reviews against all types of applications, including AI, web, and mobile. Redpoint also offers secure code training to help ground your teams in better security practices across the development lifecycle. So check out redpointsecurity.com for more information and put your company on a path to better security.

If you haven’t yet, show your support of Absolute AppSec by visiting the merch store and picking up our limited edition Halloween items. Stay spooky! As always, join Seth and Ken in Slack.

Stay Secure,

Seth & Ken

https://youtube.com/live/84GpBa1WWWE - Episode #227 - Token Leakage, Cybersecurity Isn't Special - Recent AI tokens leaked, just like everything else.

https://youtu.be/vVpuO_K0mWE - Episode #187 - Hacking your Health, Fortinet, Secrets in Source - Monitoring for secrets in source code using GitHub regular expressions.

https://youtu.be/w8z987qtlpw - Episode #176 - Exposed Secrets, Semgrep Rules, IoT Security Failures - More secrets revealed, post from RedHunt Labs.

Absolute AppSec Happenings

https://addisoncrump.info/important-information/why-i-dont-write-exploits/ - Thoughts on writing exploits from an academic. This is an often-discussed topic by many security practitioners, but worth a read.

https://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabilities-Android.html - Google dives into the techniques they are using to eliminate memory-safety issues in Android. TL;DR - The current pattern of using memory-safe languages works.

https://www.bleepingcomputer.com/news/security/internet-archive-hacked-data-breach-impacts-31-million-users/ - In case you missed it, the Wayback Machine/Internet Archive was breached. The common response has been “I didn’t know they had user accounts,” but it is still 31 million records, and it raises questions about hacktivism in general.

Upcoming Events

Can you find either Seth or Ken?

October 22-25, 2024 - SaintCon - Provo, UT - Seth will be at the AppSec Community booth most days. Come try out the beginner’s challenges or find and fix vulnerabilities in code in the AppSec Challenge.

November ??, 2024 - Harnessing LLMs for Application Security/Generative AI for Software Security - Virtual Training, date TBD. - A newly developed course that focuses on strategies for using more than just the chat interface of an LLM to secure software.

November 21-22, 2024 - DeepSec, Vienna, Austria - Seth will be presenting “Modern vs. 0ld 5k00l” where everything old is new again.