Highlights from Absolute AppSec Episode 158

Sep 24, 2024

Episode 158 of Absolute AppSec

Hosts

  • Ken Johnson (@CKTricky on Twitter)
  • Seth Law (@SethLaw on Twitter)
  • Quick introduction and welcome back from the hosts.

Announcements

  • KernelCon:

    • Teaching a secure code review course at KernelCon in March.
    • Seats available but selling out quickly.
    • Encouragement for listeners to join the conference.
  • After Dark Episode:

    • Discussion of an item found with Laravel.io.
    • Apology for the delay in reporting a vulnerability found.
    • Laravel team was responsive and fixed the reported vulnerabilities quickly.

Vulnerability Reporting Discussion

  • Acknowledgment of delays in reporting vulnerabilities found during code reviews.
  • The idea of live vulnerability reporting while streaming discussed.
  • Importance of communicating with developers when issues are found.
  • Aim to improve future response times and communication.

Laravel Framework Review

  • Found that the vulnerability was on their community website, not inherent to the framework itself.
  • Positive remarks about Laravel's structure, comparing it to Ruby on Rails.
  • Suggestion to possibly create a Brakeman-style scanner for Laravel.

CactusCon Conference

  • Scheduled for the first week of February.
  • Vaccination required to attend in person.
  • Virtual options available.

PortSwigger List of Top 10 Web Hacking Techniques for 2021

  • Nomination phase open for community voting on web hacking techniques.
  • Discussion on techniques from the list:
    • Interest in discussing various techniques including XSS and HTTP/2 vulnerabilities.
    • Mention of supply chain-related attacks as a major concern.
    • Prototype pollution and deserialization issues highlighted.

News and Articles

  • Discussion of a Medium post about NPM package vulnerabilities:
    • Example of a hypothetical malicious package that harvests sensitive data.
    • The importance of being cautious with package dependencies.
  • Mention of Chrome's attempt to prevent CSRF attacks on internal resources:
    • Preflight checks and verification of requests that target private network addresses.
    • Initial thoughts on the vulnerabilities this could still leave open.

Future Guests and Content

  • Upcoming guest: Neil Matatall to discuss Content Security Policy (CSP).
  • Plans to produce more AppSec content on the website.
  • Encouragement for listeners to suggest topics, speakers, or projects for code review.

Conclusion

  • Reminder to reach out with suggestions and ideas for future episodes.
  • Closing remarks from hosts and encouragement for listeners to engage in application security.