ITSEC Newsletter 2024-12-12

Author

Henrik Falk
December 12, 2024

An offensive Rust encore

Following up on my previous work, in this article I’ll provide some additional learning resources for intermediate-level rustaceans, to help you travel a little further along your learning path. I’ll also introduce a new offensive security tool to showcase another practical application of this programming language that regularly polls as one of the most loved.

security.humanativaspa.it/an-offensive-rust-encore

The Ruby on Rails _json Juggling Attack

The _json juggling attack is an in-band signaling attack targeting JSON parsing within Ruby on Rails. The vulnerability exists in code that handles the conflict between the following: Rails parses JSON request bodies into params, which is always a Hash-like object. Rails accepts JSON request bodies that are arrays, strings, numbers, etc which are not Hash-like.

nastystereo.com/security/rails-_json-juggling-attack.html

New dog, old tricks: DaMAgeCard attack targets memory directly thru SD card reader

The standard was in fact published in 2018, but SD Express hasn’t gotten much traction since - until recently. Which is somewhat sad - the speed gains are enormous. But speed is not what got our attention - the way it’s achieved is. It appears that the “express” bit in the name stands for “PCI Express”, and when we hear “PCI”, we think “A-ha! Possible memory access!”.

swarm.ptsecurity.com/new-dog-old-tricks-damagecard-attack-targets-memory-directly-thru-sd-card-reader

A Visual Guide to OWASP API Testing with vAPI

We want to introduce you to an exceptional lab tutorial named VAPI. This dedicated resource is tailored specifically toward honing your skills in the realm of API security assessments. Using VAPI, you'll have the opportunity to navigate through real-world scenarios, uncover vulnerabilities, and gain hands-on experience in a controlled and safe environment.

www.darkrelay.com/post/owasp-api-top-10-testing-guide