Hacking, AppSec, and Bug Bounty newsletter
2017-08-14 | RE Malware 101, unserialize(), and APT Trends Report
Monday, August 14
Make it a great week!
Reverse Engineering Malware 101 by @malwareunicorn. Learn fundamentals, malware techniques, RE tools, triage analysis, static analysis, and dynamic analysis.
[spectacles.com] Bypassing quantity limit in orders [22 upvotes] $250 bounty for this report to Snapchat by @hiorws.
out of date disqus shortname usage in the web app source code [11 upvotes] - $750 bounty for this report to Starbucks by, yet again, @hirows. Have yourself a week @hiorws! Short definition of bug: Misuse of a third-party web service in starbucks[dot]com.
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity
TWEET OF THE DAY
PSA: Don't use unserialize() on untrusted input (see http://php.net/unserialize )
PHP will no longer treat unserialize() bugs are security bugs. - @nikita_ppv
OTHER ARTICLES WE’RE READING
USA v Marcus Hutchins, August 4 2017 Hearing [transcript]
The Jobert special: CTF Solution, reversing the password
Re: unserialize(), see also: Unserialize security policy
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: email@example.com
Get this email forwarded to you? Click here to subscribe to the Zero Daily
Treating unserialize issues as security creates the false sense that we expect it to be secure, when we absolutely don't. We'll continue fixing these bugs of course, But after discussing it on the security mailing list, we decided to finally stop treating those as security issues. Unserialize is inherently insecure, people should know it and act accordingly.