Intro
Hey everyone,
this edition of DevSec Selection contains interesting application security topics for various experts, from web, mobile to DevSecOps. We start with a research presenting how quickly publicly disclosed secrets can be accessed by potential attackers. There is also an intriguing story about security flaws in Kia service that could led to control certain features remotely β all by just using the carβs license plate.
For those interested in offensive security, I included a research about security vulnerabilities in popular open-source C2 frameworks. There’s a tool to help you test for Zip Slip vulnerabilities in applications. If you’re into mobile app security, check out articles on hacking Android applications. If you’re a bug bounty hunter or securing web application using DAST, take a look at article about XSS detection with Nuclei.
Last but not least, I wrote an article sharing insights about DevSec Selection. In the article you can find details how I’m researching materials, prepare content and automating publishing with n8n solution. If you love automation, you may enjoy it!
Enjoy the materials and stay secure!
Materials
π΅οΈββοΈ Whatβs the worst place to leave your secrets?
This great research presents how quickly publicly disclosed secrets can be exploited by potential attackers. The results are astonishing, particularly for major package registries like npm and PyPI, and repository platforms like GitHub. For npm: 60 seconds, PyPI: 119 seconds, and GitHub: 127 seconds.
π Hacking Kia: Remotely Controlling Cars With Just a License Plate
Can a car be hacked remotely? This article describes vulnerabilities discovered in Kia services that allowed attackers to remotely control key functions and access personal information using just the vehicle’s license plate. Automotive cybersecurity professionals and Kia owners may find this particularly relevant.
π RCE Vulnerabilities in Open Source C2 Frameworks
Red teaming C2 frameworks might be attacked? This article dives into the architecture of C2 frameworks, details specific vulnerabilities in frameworks such as Sliver, Havoc etc., and discusses their implications. Ideal for cybersecurity professionals, pentesters, and red teamers.
π Building and Automating Cybersecurity Newsletter β DevSec Selection Case Study
Curious about automating a cybersecurity newsletter? This article for In this article, I share the insights of building and automating the DevSec Selection newsletter using tools like n8n and LLMs, making content curation and regular publishing easier. Might be interesting for anyone who enjoys automating stuff.
π Simplifying XSS Detection with Nuclei – A New Approach
How can you simplify XSS detection? This article explores leveraging Nuclei’s headless mode to enhance XSS payload detection using the waitdialog action. Aimed at security engineers and bug bounty hunters, it explains how this approach reduces complexity and increases accuracy by focusing on payload behavior.
π οΈ The Zip Slip vulnerability exploitation tool
Did you hear about the Zip Slip vulnerability? Interested how to easily create tar/zip archives to test for this vulnerability? The “zipslipper” tool is ideal for cybersecurity professionals testing the security of the applications utilising zips.
π§βπ» Managing GitHub as code: A DevSecOps approach
Are you looking to secure and standardize GitHub repository configurations? This article details Apheris’s journey using Infrastructure as Code (Terraform) for streamlined, secure repository management. Ideal for IT Security teams using Terraform and DevSecOps practices.
π 2024-09 Discord Dave Protocol Code review [pdf]
Curious about the security posture of the Discord Dave Protocol? This article provides an in-depth analysis of the Discord communication protocol’s. Recommended for software developers and security professionals interested in understanding and improving secure communication systems.
π΅οΈββοΈ Exploiting Android Client WebViews with Help from HSTS
A very interesting vulnerability write-up of a security issue existing in an Android application. The issue allowed attackers to perform account takeover by sending a maliciously crafted link to the legitimate user. After clicking on the link, the account could be potentially compromised. Recommended for mobile application security enthusiasts.
π΅οΈββοΈ Hacking Modern Android Mobile Apps & APIs with Burp Suite
Curious about hacking modern Android mobile apps? This article is perfect for mobile security enthusiasts. It discusses the challenges of API hacking on updated Android OS versions and provides a comprehensive guide on setting up an Android emulator, rooting the device, and configuring Burp Suite to intercept API traffic.
