DevSec Selection #9 – API Security Champion, LLM TOP 10, Santander Breach

June 9, 2024


In this DevSec Selection episode, you will find some recent CVE proof of concepts, affecting GitLab and PHP, a guide to a Nuclei DAST. Also, at the end I added articles about recent breaches at Santander and Hugging Face, plus an article about serious security concerns of Microsoft Recall feature released recently.

Also, in case if you missed it, take a look at third article of Web API Security Champion series – Broken Object Property Level Authorization.


The post explains Broken Object Property Level Authorization API vulnerability – which allows attackers to modify specific object properties. It details the impact, a case study, a vulnerability fix and recommendations.

This article explains the GitLab CVE 2023 7028, where attackers can exploit a bug in the password reset feature to gain unauthorized access to accounts. It details the impact, exploitation steps, and mitigation techniques like patching, 2FA, and secure coding practices to prevent future attacks.

The ultimate guide to finding bugs with Nuclei, an efficient vulnerability scanner using YAML templates. It covers various features like custom templates, easy mode, rate limiting, and filtering options. Nuclei can be integrated into security workflows with other tools for comprehensive assessments. Advanced features such as custom headers, template variables, and custom templates are key for bug hunters seeking unique results. Start exploring Nuclei’s potential beyond default settings for effective bug bounty hunting.

This article explores a 24-year-old glibc bug used to exploit PHP’s engine through iconv, detailing the discovery, impact, and exploitation process. It covers PHP filters, including base64 encoding and iconv conversion, and discusses the bug in glibc related to ISO 2022 CN EXT charset conversion. The bug allows for a 1-3 byte overflow, posing challenges and opportunities for exploitation. The vulnerability’s historical context and potential impact are highlighted.

OWASP Top 10 for LLM Generative AI Security guides how to explore the latest risks, vulnerabilities, and mitigations for developing and securing generative AI and large language model applications. Topics include prompt injection, insecure output handling, training data poisoning, model denial of service, and more.

STRIDE GPT is an AI tool that generates threat models using GPT models based on the STRIDE methodology. It offers features like attack trees, DREAD risk scoring, and Gherkin test cases. The tool is user-friendly, supports various APIs, and is available as a Docker image.

Hackers claim to have stolen data from millions of Santander staff and customers, part of the same gang that hacked Ticketmaster. Santander confirmed the breach, but UK customer data was not affected. Experts are investigating the connection to a larger hack involving a cloud storage company. Snowflake, the company in question, denies a breach of their product. The FBI and Australian government are involved in the investigation.

Hugging Face detected unauthorized access to its AI model hosting platform Spaces, potentially compromising user data. The company revoked tokens, advised users to refresh keys, and is working with cybersecurity experts. This incident highlights growing concerns over AI security practices amid increased cyberattacks.

Microsoft’s new Copilot Recall feature in Windows 11 constantly takes screenshots, creating a searchable database of everything on your PC. However, it poses significant security risks: data can easily be accessed remotely by hackers, compromising user privacy. Microsoft’s misleading claims about security raise concerns, and the feature has sparked backlash. The potential for mass data breaches and privacy violations necessitates a recall and rework of the feature to safeguard user trust and security.

Interesting Article?

Join DevSec Selection!

DevSec Selection is a bi-weekly Newsletter with the latest outstanding articles related with DevSecOps and application security.

Notify of
Inline Feedbacks
View all comments