Application Security This Week for March 28

Guess who forgot to do a newsletter last week?

Cool file upload attack that yields unauthenticated SSH access (CVE-2021-28379 in VestaCP).

https://blog.fadyothman.com/cve-2021-28379-gaining-rce-via-ssh-backdoor-in-vestacp/

Neat tool to MITM an iOS device (an HTTP Archive logger). The code is worth a look.

https://github.com/doronz88/harlogger

There is a new release (1.4.0) of a tool, new to me, for testing SAML implementations.

https://blog.compass-security.com/2021/03/saml-raider-release-1-4-0/

More cool HTTP/2 vulnerabilities exploited, this time h2c (cleartext HTTP/2 upgrade) request smuggling.

https://blog.assetnote.io/2021/03/18/h2c-smuggling/

TLS 1.0 and 1.1 are formally deprecated by RFC 8996. These become High findings on reports now.

https://datatracker.ietf.org/doc/rfc8996/

Retire.js, one of my favorite tools, has been updated.

https://retirejs.github.io/retire.js/

And finally, spend your Sunday patching OpenSSL: the new release fixes two high-severity issues.

https://thehackernews.com/2021/03/openssl-releases-patches-for-2-high.html

Have a secure week, everyone.