Intro
Hi!
In this DevSec Selection episode, you will find some recent CVE proof of concepts, affecting GitLab and PHP, a guide to a Nuclei DAST. Also, at the end I added articles about recent breaches at Santander and Hugging Face, plus an article about serious security concerns of Microsoft Recall feature released recently.
Also, in case if you missed it, take a look at third article of Web API Security Champion series – Broken Object Property Level Authorization.
Materials
📄 Web API Security Champion Part III: Broken Object Property Level Authorization (OWASP TOP 10)
The post explains Broken Object Property Level Authorization API vulnerability – which allows attackers to modify specific object properties. It details the impact, a case study, a vulnerability fix and recommendations.
📄 GitLab CVE-2023–7028 (Account Takeover) PoC
This article explains the GitLab CVE 2023 7028, where attackers can exploit a bug in the password reset feature to gain unauthorized access to accounts. It details the impact, exploitation steps, and mitigation techniques like patching, 2FA, and secure coding practices to prevent future attacks.
📄 The Ultimate Guide to Finding Bugs With Nuclei
The ultimate guide to finding bugs with Nuclei, an efficient vulnerability scanner using YAML templates. It covers various features like custom templates, easy mode, rate limiting, and filtering options. Nuclei can be integrated into security workflows with other tools for comprehensive assessments. Advanced features such as custom headers, template variables, and custom templates are key for bug hunters seeking unique results. Start exploring Nuclei’s potential beyond default settings for effective bug bounty hunting.
📄 Exploiting the glibc to hack the PHP engine – CVE-2024-2961 PoC
This article explores a 24-year-old glibc bug used to exploit PHP’s engine through iconv, detailing the discovery, impact, and exploitation process. It covers PHP filters, including base64 encoding and iconv conversion, and discusses the bug in glibc related to ISO 2022 CN EXT charset conversion. The bug allows for a 1-3 byte overflow, posing challenges and opportunities for exploitation. The vulnerability’s historical context and potential impact are highlighted.
📄 OWASP LLM TOP 10
OWASP Top 10 for LLM Generative AI Security guides how to explore the latest risks, vulnerabilities, and mitigations for developing and securing generative AI and large language model applications. Topics include prompt injection, insecure output handling, training data poisoning, model denial of service, and more.
📄 https://github.com/mrwadams/stride-gpt
STRIDE GPT is an AI tool that generates threat models using GPT models based on the STRIDE methodology. It offers features like attack trees, DREAD risk scoring, and Gherkin test cases. The tool is user-friendly, supports various APIs, and is available as a Docker image.
🔓 All Santander staff and millions of customers have data hacked
Hackers claim to have stolen data from millions of Santander staff and customers, part of the same gang that hacked Ticketmaster. Santander confirmed the breach, but UK customer data was not affected. Experts are investigating the connection to a larger hack involving a cloud storage company. Snowflake, the company in question, denies a breach of their product. The FBI and Australian government are involved in the investigation.
🔓 Hugging Face says it detected ‘unauthorized access’ to its AI model hosting platform
Hugging Face detected unauthorized access to its AI model hosting platform Spaces, potentially compromising user data. The company revoked tokens, advised users to refresh keys, and is working with cybersecurity experts. This incident highlights growing concerns over AI security practices amid increased cyberattacks.
🔓 Stealing everything you’ve ever typed or viewed on your own Windows PC is now possible with two lines of code — inside the Copilot+ Recall disaster.
Microsoft’s new Copilot Recall feature in Windows 11 constantly takes screenshots, creating a searchable database of everything on your PC. However, it poses significant security risks: data can easily be accessed remotely by hackers, compromising user privacy. Microsoft’s misleading claims about security raise concerns, and the feature has sparked backlash. The potential for mass data breaches and privacy violations necessitates a recall and rework of the feature to safeguard user trust and security.