Another short episode this week covering graphql attacks, a couple NoSQL injections, a few misconfigurations and a cool attack to reset monotonic counters on a Mifare card.
[00:01:25] From CTFs to the Real World
https://dayzerosec.com/tags/ctf-to-real-world/
[00:02:50] [GitHub] Exploits and Malware Policy Updates
https://github.com/github/site-policy/pull/397
https://github.com/github/site-policy/pull/397/files
[00:07:37] Mobile app developers’ misconfiguration of third party services leave personal data of over 100 million exposed
https://research.checkpoint.com/2021/mobile-app-developers-misconfiguration-of-third-party-services-leave-personal-data-of-over-100-million-exposed/
[00:13:49] QNAP MusicStation/MalwareRemover Pre-Auth RCE
https://www.shielder.it/advisories/qnap-musicstation-malwareremover-pre-auth-remote-code-execution/
[00:17:45] 2FA Bypass via Forced Browsing
https://infosecwriteups.com/2fa-bypass-via-forced-browsing-9e511dfdb8df
[00:24:22] That single GraphQL issue that you keep missing
https://blog.doyensec.com/2021/05/20/graphql-csrf.html
[00:32:22] Remote code execution in squirrelly [CVE-2021-32819]
https://securitylab.github.com/advisories/GHSL-2021-023-squirrelly/
[00:44:30] NoSQL Injections in Rocket.Chat
https://blog.sonarsource.com/nosql-injections-in-rocket-chat/
https://hackerone.com/reports/1130721
[00:49:15] RFID: Monotonic Counter Anti-Tearing Defeated
https://blog.quarkslab.com/rfid-monotonic-counter-anti-tearing-defeated.html
[00:56:24] A Wormable Code Execution Bug in HTTP.sys [CVE-2021-31166]
https://www.zerodayinitiative.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execution-bug-in-httpsys
https://github.com/0vercl0k/CVE-2021-31166
[01:04:15] Fuzzing iOS code on macOS at native speed
https://googleprojectzero.blogspot.com/2021/05/fuzzing-ios-code-on-macos-at-native.html
[01:05:07] RuhrSec 2018: "Keynote: Weird machines, exploitability and unexploitability", Thomas Dullien
https://www.youtube.com/watch?v=1ynkWcfiwOk
[01:07:58] Browser fuzzing at Mozilla
https://blog.mozilla.org/attack-and-defense/2021/05/20/browser-fuzzing-at-mozilla/
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on Youtube (@dayzerosec)