Edge Flash Whitelist; Bank App Screenshot Grab; Password Manager Weaknesses
My Next Class
| Intrusion Detection In-Depth | Madrid | Mar 25th - Mar 30th 2019 |
| Defending Web Applications Security Essentials | San Diego | May 9th - May 14th 2019 |
Microsoft Edge Whitelists Facebook to Run Flash
https://bugs.chromium.org/p/project-zero/issues/detail?id=1722
Chinese Android Banking App Stores Screenshots of Other Apps
https://jqknews.com/news/141073-Jingdong_Finance_denied_stealing_user_information_saying_that_the_image_cache_was_only_local.html
Password Manager Vulnerabilities
https://www.securityevaluators.com/casestudies/password-manager-hacking/
Get a free ISC sticker (login required):
https://isc.sans.edu/sticker.html
https://bugs.chromium.org/p/project-zero/issues/detail?id=1722
Chinese Android Banking App Stores Screenshots of Other Apps
https://jqknews.com/news/141073-Jingdong_Finance_denied_stealing_user_information_saying_that_the_image_cache_was_only_local.html
Password Manager Vulnerabilities
https://www.securityevaluators.com/casestudies/password-manager-hacking/
Get a free ISC sticker (login required):
https://isc.sans.edu/sticker.html
iTunes
MP3 Download
RSS Feed
Google Play
Stitcher
Podbean
Amazon Echo
YouTube
Spreaker
iOS App
Spotify
Discussion
The Shibboleth vulnerability is quite interesting. In their example, the SAML signature covers the entire and they've made modifications to it (the changes to the uid) that should cause the signature to fail validation. This vulnerability speaks to larger architectural issues with Shibboleth. Obviously the signature validation is happening on a DIFFERENT document (the inline DTD defs are resolved and replaced) than the attribute extraction code works on (the inline DTD variables are not replaced). This is a HUGE no no and leads to the confused deputy issues that caused the vulnerability. I would bet other SP SAML parsing code is making similar mistakes.
Posted by Anonymous on Tue Jan 16 2018, 16:54
Login here to join the discussion.
| Intrusion Detection In-Depth | Madrid | Mar 25th - Mar 30th 2019 |
| Defending Web Applications Security Essentials | San Diego | May 9th - May 14th 2019 |
| Intrusion Detection In-Depth | San Antonio | May 28th - Jun 2nd 2019 |
| Defending Web Applications Security Essentials | Munich | Jul 1st - Jul 6th 2019 |
| Intrusion Detection In-Depth | London | Jul 8th - Jul 13th 2019 |
| Intrusion Detection In-Depth | Boston | Jul 29th - Aug 3rd 2019 |
| Defending Web Applications Security Essentials | San Jose | Aug 12th - Aug 17th 2019 |
| Defending Web Applications Security Essentials | Brussels | Sep 2nd - Sep 7th 2019 |
| Intrusion Detection In-Depth | London | Sep 23rd - Sep 28th 2019 |
