Web App Security Archives - Laboratory B

Jumping the CoreOS Container Linux Ship

The end is within sight for CoreOS Container Linux: May 26, 2020. For a few years now we’ve made use of Container Linux for hosting the laboratoryb.org website. Sadly, this is where our CoreOS journey ends, with end-of-life coming right around the corner.

We’ve finally jumped the CoreOS ship over to Flatcar Container Linux by Kinvolk, an OSS fork of the original project. Everything has been faithfully copied over and is once again running smoothly.

Thanks to Kinvolk for keeping the Container Linux legacy alive!

Serious 0-day Found in Every Version of IE

Stop using IE. Seriously, just stop. At least for now. A serious 0-day vulnerability which exploits MME HTML has been discovered in every existing version of Windows / IE. Until this gets patched it is essential not to use IE as a browser at all.

While this has just recently been made public, you have to wonder how long this has been exploited quietly by the “bad guys”

[External Link]

grepular: Abusing HTTP Status Codes to Expose Private Information

I think the title says it all. This is a really nice post from the Mike Cardwell’s blog about an interesting attack using status codes to disclose private info from sites such as Facebook or Gmail. [External Link]

Cripple the Google CDN’s caching with a single character

Interesting article about maintaining the integrity of https sessions while still making use of CDN caching capabilities for performance reasons. [External Link]

New Type of Denial of Service Attack Emerging

Security researchers at this weeks Black Hat detailed a new type of DoS attach which targets layer 7 on the application stack (as opposed to layer 4, eating up available bandwidth with requests). [External Link]

Why You Should Never Search For Free WordPress Themes in Google or Anywhere Else

Really interesting article on hidden evil in “Free” wordpress themes. Be careful kiddies! [External Link]

Obama considers Internet ID for Americans

Are you ready to stop using Passwords for websites? How about ready to have all your online activity tracked under one account — your Internet ID. Big Brother is watching even closer…. [External Link]

Epic. Google. Fail.

Apparently the free, handy Website Optimization code tool provided by Google and used by many thousands of web developers and admins around the world is vulnerable to an XSS attack. Oops. Not very Optimal! [Link Here]

Hey Friend, got a sec?

Internet Storm Center about evil facebook phishing bot patterns. [Link here]

OWASP AppSec USA 2010 Videos

OWASPs AppSec 2010 conference had some awesome presentations including a keynote a by DH Moore on the web-focussed future of the Metasploit project.