Greetings from Felix
AppSec
Securely Hosting User Data in Modern Web Applications
It's been a while since we shared practical tips, so here they are.
David Dworken explains how web applications can securely serve user-uploaded images or render user-controlled HTML. He describes two approaches for moving away from sandbox domains like googleusercontent.com to more secure solutions that keep working under third-party cookie blocking. Our old friend Content-Security-Policy comes to the rescue!
Worth a read if you have a web app that displays user-controlled content.
Why is OAuth still hard in 2023?
There is a lot to think about before putting OAuth into action. Robin Guldener compiled a long list of the problems and pains that come with implementing OAuth.
Let's dig in and discover the details.
Hardware security
APT28 Attacks on Cisco Routers: What We Know So Far
Several US government sources have identified APT28 as the Russian General Staff Main Intelligence Directorate (GRU) 85th Special Service Centre. APT28 exploited known vulnerabilities to carry out reconnaissance and deploy malware on Cisco routers worldwide.
Read how the story unfolds.
Vulnerabilities
Remote Code Execution Vulnerability in Google They Are Not Willing To Fix
The problem cannot be solved if its existence is denied ©Google 🥲
Google has a security vulnerability that enables a dependency confusion attack and code execution on 50+ computers of its employees... and doesn't want to fix it.
Enjoy a gripping tale between a bug bounty hunter and the Google team.
Incidents
NSO Group’s Pegasus Spyware Returns in 2022 with a Trio of iOS 15 and iOS 16 Zero-Click Exploit Chains
Guess who's back, back again.
NSO Group has evolved its attack techniques. The new version of Pegasus compromises the devices of human rights defenders and members of Mexico’s civil society.
Install the latest iOS and read the investigation to learn more about new zero-click exploit chains.