Published on: January 30 2023 by pipiads
- Securing the software supply chain has become a prominent topic because attacks on it keep increasing.
- Shopify has faced its own challenges securing its supply chain and shares the lessons it learned.
- Because we all share the same operating systems, languages and libraries, trust in dependencies is a problem broader than any one company and has to be addressed collaboratively.
Challenges and Lessons:
- Finding container images and software that are actually safe to use can be difficult.
- Suspicious browser toolbars, npm packages and `go get` targets are all potential vectors for malicious code.
- Trust in dependencies is fragile; disruptions happen both accidentally and intentionally.
- Supply chains are an attack target, including for nation-state operations such as the SolarWinds compromise.
- A remote code execution vulnerability in a ubiquitous dependency caused widespread impact.
- Supply chains are fragile and need sustained attention to secure.
- Staying vigilant and proactive about supply-chain security is the only way to prevent potential attacks.
Table of Contents
- WHY fuzzers MISSED this buffer-overflow in Mozilla NSS library? 🤦♂️ (CVE-2021-43527 explained)
- SEO and Exponential Organic Traffic Growth using User Generated Content by Kevin Indig
- Accidentally finding a $50,000 vulnerability - Augusto Zanellato - Bug Bounty Reports Discussed #2
- How to scan a website for vulnerabilities using Burp Scanner
- CVE-2020-2040 PAN OS Buffer overflow Critical Vulnerability Palo Alto Network - Take Action - 9.8
- Google Product Reviews Update Done Before Christmas, Lots Of Ranking Tremors & SEO Work On Holidays
WHY fuzzers MISSED this buffer-overflow in Mozilla NSS library? 🤦♂️ (CVE-2021-43527 explained)
In this article, we discuss the recently disclosed vulnerability in NSS (Network Security Services), the cryptography library used by Mozilla. The bug, named BigSig (CVE-2021-43527), is a buffer overflow in signature verification that can be triggered directly from the network, which is why it is rated critical.
More interesting than the bug itself are the lessons it teaches about fuzzing. Here are the key points to take away:
1. Missing end-to-end testing: the project's fuzzing harness only exercises a subset of the code, and the verification functions where this bug lives were not among the entry points being fuzzed. A bug in a function the harness never calls cannot be found no matter how long the fuzzer runs.
2. Limitations in the fuzzing configuration: the fuzzer was run with a cap on input size (for libFuzzer, the -max_len option), so it never generated inputs larger than that limit. An overflow that only triggers when the input is larger than the destination buffer is therefore unreachable as long as the cap is smaller than the buffer.
3. Misleading coverage metrics: coverage is reported as the union over all fuzzers, so a line can show as covered because some fuzzer touched it once with a trivial input, even though no fuzzer ever explored it with interesting values. A covered line is not a tested line.
Overall, this bug should not have survived to release given the tooling available today: AddressSanitizer and MemorySanitizer flag this class of out-of-bounds write the moment the offending input is executed, but only if the fuzzer can reach the code with an input that is large enough. The takeaways are to fuzz the real entry points end to end, review the fuzzing configuration (especially input-size limits) against the buffers in the code, and read coverage reports critically rather than treating them as proof of testing.
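To make the three lessons concrete, here is an added example (not code from the video or from NSS) that models the pattern behind BigSig in Python: a toy verification routine copies the signature body into a fixed-size buffer without checking its length, and a minimal coverage-guided fuzzer is run against it under three configurations. The buffer size, the mutator and the seed input are assumptions chosen for readability; the target function stands in for a real verifier and returns the branch it took so the harness can record coverage.

```python
import random

SIG_BUF_LEN = 64  # assumption: the fixed-size signature buffer in this toy target


def verify_signature_target(sig: bytes) -> str:
    """Toy stand-in for a verification entry point; not NSS code. Mimics the
    BigSig pattern: the signature body is copied into a fixed buffer without a
    length check. Returns the name of the branch taken so the harness can
    record coverage; 'OVERFLOW' stands in for the out-of-bounds write that
    AddressSanitizer would report in the real thing."""
    if len(sig) < 2 or sig[0] != 0x30:     # expect a DER SEQUENCE tag
        return "reject_not_der"
    body = sig[2:]
    if len(body) == 0:
        return "reject_empty"
    if len(body) > SIG_BUF_LEN:            # the missing bounds check
        return "OVERFLOW"
    return "verify"


def parse_only_target(sig: bytes) -> str:
    """Lesson 1: a harness that stops at the parser never calls the verifier,
    so the overflow is unreachable whatever the fuzzer does."""
    if len(sig) < 2 or sig[0] != 0x30:
        return "reject_not_der"
    return "parsed"


def mutate(data: bytes, rng: random.Random, max_len: int) -> bytes:
    """Minimal mutator: flip a byte, insert a random chunk, or delete a byte,
    one to three times, then cap the result at max_len like libFuzzer does."""
    out = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(3)
        if op == 0 and out:
            out[rng.randrange(len(out))] = rng.randrange(256)
        elif op == 1:
            at = rng.randrange(len(out) + 1)
            out[at:at] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 64)))
        elif op == 2 and len(out) > 1:
            del out[rng.randrange(len(out))]
    return bytes(out[:max_len])


def run_fuzzer(target, max_len: int, iterations: int, seed: int = 1) -> dict:
    """Coverage-guided loop: keep an input in the corpus only when it reaches a
    branch not seen before; stop at the first 'OVERFLOW'."""
    rng = random.Random(seed)
    corpus = [b"\x30\x05hello"]            # small, valid-looking seed input (constructed)
    coverage = set()
    for i in range(iterations):
        child = mutate(rng.choice(corpus), rng, max_len)
        branch = target(child)
        if branch == "OVERFLOW":
            return {"found": True, "iteration": i, "crash": child,
                    "coverage": coverage | {branch}}
        if branch not in coverage:
            coverage.add(branch)
            corpus.append(child)
    return {"found": False, "iteration": iterations, "crash": None, "coverage": coverage}


if __name__ == "__main__":
    runs = [
        ("parser-only harness, max_len=4096", parse_only_target, 4096),   # lesson 1
        ("full harness, max_len=32", verify_signature_target, 32),        # lesson 2
        ("full harness, max_len=4096", verify_signature_target, 4096),    # finds it
    ]
    for label, target, max_len in runs:
        r = run_fuzzer(target, max_len, iterations=5000)
        print(f"{label}: found={r['found']} coverage={sorted(r['coverage'])}")
```

The second run is the instructive one for lesson 3: with max_len=32 the reported coverage includes the verify path and looks healthy, yet the overflowing branch can never execute because every input is truncated below the buffer size. Only the third configuration, with the size cap raised above SIG_BUF_LEN, produces the crashing input.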
SEO and Exponential Organic Traffic Growth using User Generated Content by Kevin Indig
Kevin, the Director of SEO at Shopify and creator of the Growth Memo newsletter, pays tribute to the late Hamlet Batista, a well-respected member of the SEO community. Kevin shares his personal encounter with Hamlet and highlights the importance of keeping his craft alive.
Kevin discusses the unique challenges and benefits of user-generated content (UGC) platforms for SEO, including scalability, content quality, technical SEO challenges, and potential for spam.
Kevin shares his experience working with UGC platforms at Dailymotion, Atlassian, and G2, and how he overcame challenges with indexing and crawling, content quality, schema, and spam.
Kevin emphasizes the importance of optimizing internal linking, rendering, site speed, and sitemaps for effective indexing and crawling.
Kevin shares a click curve example of how adding tags to video and text pages improved click depth on Dailymotion.
Kevin also discusses the top 8 winning products to sell on Shopify in November 2020 in a separate episode (Ep 224).
Accidentally finding a $50,000 vulnerability - Augusto Zanellato - Bug Bounty Reports Discussed #2
Bug Bounty Reports Discussed, Episode 2: How Augusto Zanellato Accidentally Discovered a Critical Vulnerability in Shopify
Episode 2 of Bug Bounty Reports Discussed features Augusto Zanellato, a 20-year-old computer science student and game developer based in Italy who accidentally discovered a critical vulnerability affecting Shopify and was rewarded $50,000 for it. In the podcast, Augusto shares how he found the bug and his reaction to receiving the reward.
• Augusto's Background and Experience
o Augusto is a computer science student and game developer who works professionally during the summer.
o Augusto found a few issues in the game they were developing and reported them to the responsible person.
o Augusto has some experience with cyber security, but it is minimal.
• How Augusto Discovered the Vulnerability in Shopify
o Augusto was looking at an Electron application: a third-party desktop client for a web application that has no official desktop client.
o He wanted to see how the third-party client's added features were implemented.
o He extracted the application's archive and found a .env file, the kind of file developers use to store configuration variables and credentials; it should never ship inside a packaged application.
o The .env file contained three or four credential pairs, including a GitHub token, an Apple developer account email and password, and an AWS key.
o He tested the GitHub token and found that it was live and belonged to a real account with both read and write access to old Shopify repositories.
• Augusto's Reaction to the Discovery and Reward
o At first, Augusto did not believe what he had found and had to check it again.
o Augusto's friend suggested reporting the bug to Shopify, and Augusto received a $50,000 reward for his discovery.
o Augusto and his friend were shocked and excited about the reward.
Augusto Zanellato accidentally discovered a critical vulnerability affecting Shopify and received a $50,000 reward. The podcast covers how he found the bug and his reaction to the reward, and it underlines a broader point: credentials packaged into a client application are effectively public, and bug bounty programs are one of the ways such leaks get reported rather than abused.
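The finding above is a leaked .env file inside a shipped desktop client. Here is an added example, not from the podcast and not Shopify's or the client's code, of the check a reviewer can run over files recovered from an unpacked Electron bundle: parse dotenv-style KEY=value lines and flag entries that look like credentials, either by key name or by a recognisable value format. The sample .env is constructed for this example and every value in it is a fake placeholder that only matches the shape of a real token; the token-format regexes cover only formats I am certain of (GitHub personal access tokens with the ghp_ prefix, AWS access key IDs with the AKIA prefix).

```python
import re

# Constructed sample of a .env file of the kind that gets packaged into a
# desktop client by mistake. Every value is a fake placeholder that merely
# matches the shape of the real thing; nothing here is a live credential.
SAMPLE_ENV = (
    "# build settings\n"
    + "APP_NAME=third-party-client\n"
    + "API_BASE_URL=https://example.invalid/api\n"
    + "GITHUB_TOKEN=ghp_" + "a" * 36 + "\n"
    + "APPLE_DEV_EMAIL=dev@example.invalid\n"
    + "APPLE_DEV_PASSWORD='not-a-real-password'\n"
    + "AWS_ACCESS_KEY_ID=AKIA" + "A" * 16 + "\n"
    + 'AWS_SECRET_ACCESS_KEY="' + "a" * 40 + '"\n'
)

# Key names that almost always hold a credential, whatever the value looks like.
SECRET_KEY_RE = re.compile(
    r"(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|PRIVATE_KEY)", re.IGNORECASE
)

# Value formats with a recognisable prefix. Only formats I am certain of are
# listed; anything else is caught by the key-name rule above.
VALUE_FORMATS = {
    "github_personal_access_token": re.compile(r"^ghp_[A-Za-z0-9]{36}$"),
    "aws_access_key_id": re.compile(r"^AKIA[0-9A-Z]{16}$"),
}


def parse_env(text: str) -> dict:
    """Parse dotenv-style lines: skip blanks and comments, split on the first
    '=', and strip one layer of matching single or double quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        env[key] = value
    return env


def find_credentials(env: dict) -> list:
    """Return [(key, [reasons])] for every entry that looks like a credential.
    Reasons are 'key_name' and/or the name of the matching VALUE_FORMATS entry."""
    findings = []
    for key, value in env.items():
        reasons = []
        if SECRET_KEY_RE.search(key):
            reasons.append("key_name")
        for fmt_name, pattern in VALUE_FORMATS.items():
            if pattern.match(value):
                reasons.append(fmt_name)
        if reasons:
            findings.append((key, reasons))
    return findings


def redact(value: str) -> str:
    """Show just enough of a value to identify it without re-leaking it in a report."""
    if len(value) <= 8:
        return "***"
    return value[:4] + "..." + f"({len(value)} chars)"


if __name__ == "__main__":
    env = parse_env(SAMPLE_ENV)
    for key, reasons in find_credentials(env):
        print(f"{key}={redact(env[key])}  <- {', '.join(reasons)}")
```

In practice you would run parse_env over every .env-style file found under the unpacked application directory (Electron apps usually carry their JavaScript in an app.asar bundle that can be extracted with the asar tool) and then, as Augusto did, confirm whether a flagged token is live before reporting it, since a placeholder and a real secret look identical on disk.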
How to scan a website for vulnerabilities using Burp Scanner
In this tutorial, we cover how to scan a website for vulnerabilities using Burp Scanner, monitor scans while they are running, and export the results. There are two basic ways to run a vulnerability scan in Burp: an end-to-end managed scan (crawl and audit), or selecting individual requests to be audited.
Performing an End-to-End Managed Scan:
- Launch a scan by clicking New Scan on the dashboard and selecting Crawl and Audit.
- Enter the URL or URLs to scan.
- Configure detailed scope settings to specify which URL prefixes are included or excluded; keep the scope tight so the scanner does not wander into third-party hosts you are not authorised to test.
- Fine-tune crawler behaviour by configuring scan optimization, crawl strategy, login handling, and so on.
- Configure audit options to trade speed for thoroughness, choose which classes of issue to report, and select detection methods.
- Monitor the task on the dashboard while it runs, then export the results once the scan is complete.
Burp Scanner is a capable tool for identifying vulnerabilities in web applications. By running end-to-end managed scans and tuning the crawl and audit settings, you can optimise a scan for a given purpose and get more accurate results. Treat the exported issues as leads to verify, not as a final verdict: the scanner assigns a confidence level to each finding for a reason.
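The last step above is exporting results. Here is an added example (not from the tutorial and not PortSwigger code) of turning a Burp Scanner XML export into a triaged list: parse the issues, drop informational findings, and order what remains by severity and confidence. The sample export is constructed for this example with placeholder hosts and paths; it uses the element names of Burp's XML export as I know them (issues, issue, serialNumber, name, host, path, location, severity, confidence), which you should check against a real export from your own Burp version.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample shaped like Burp Scanner's XML export: an <issues> root
# holding one <issue> per finding. Hosts, paths and IPs are placeholders.
SAMPLE_EXPORT = """\
<issues burpVersion="2023.1" exportTime="Mon Jan 30 12:00:00 UTC 2023">
  <issue>
    <serialNumber>1</serialNumber>
    <name>SQL injection</name>
    <host ip="203.0.113.10">https://shop.example</host>
    <path>/search</path>
    <location>/search [q parameter]</location>
    <severity>High</severity>
    <confidence>Certain</confidence>
  </issue>
  <issue>
    <serialNumber>2</serialNumber>
    <name>Cross-site scripting (reflected)</name>
    <host ip="203.0.113.10">https://shop.example</host>
    <path>/products</path>
    <location>/products [sort parameter]</location>
    <severity>Medium</severity>
    <confidence>Firm</confidence>
  </issue>
  <issue>
    <serialNumber>3</serialNumber>
    <name>Strict transport security not enforced</name>
    <host ip="203.0.113.10">https://shop.example</host>
    <path>/</path>
    <location>/</location>
    <severity>Low</severity>
    <confidence>Certain</confidence>
  </issue>
  <issue>
    <serialNumber>4</serialNumber>
    <name>Email addresses disclosed</name>
    <host ip="203.0.113.10">https://shop.example</host>
    <path>/contact</path>
    <location>/contact</location>
    <severity>Information</severity>
    <confidence>Certain</confidence>
  </issue>
</issues>
"""

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Information": 0}
CONFIDENCE_RANK = {"Certain": 2, "Firm": 1, "Tentative": 0}


def parse_issues(xml_text: str) -> list:
    """Flatten each <issue> into a dict of the fields needed for triage."""
    root = ET.fromstring(xml_text)
    issues = []
    for node in root.iter("issue"):
        def text(tag):
            el = node.find(tag)
            return (el.text or "").strip() if el is not None else ""
        issues.append({
            "serial": text("serialNumber"),
            "name": text("name"),
            "host": text("host"),
            "path": text("path"),
            "location": text("location"),
            "severity": text("severity"),
            "confidence": text("confidence"),
        })
    return issues


def triage(issues: list, min_severity: str = "Low", min_confidence: str = "Tentative") -> list:
    """Keep issues at or above the given severity and confidence, ordered with
    the most severe and most certain first, then by host and path."""
    keep = [
        i for i in issues
        if SEVERITY_RANK.get(i["severity"], 0) >= SEVERITY_RANK[min_severity]
        and CONFIDENCE_RANK.get(i["confidence"], 0) >= CONFIDENCE_RANK[min_confidence]
    ]
    return sorted(
        keep,
        key=lambda i: (-SEVERITY_RANK.get(i["severity"], 0),
                       -CONFIDENCE_RANK.get(i["confidence"], 0),
                       i["host"], i["path"]),
    )


def summarize(issues: list) -> Counter:
    """Count of issues per severity, useful as the one-line scan summary."""
    return Counter(i["severity"] for i in issues)


if __name__ == "__main__":
    all_issues = parse_issues(SAMPLE_EXPORT)
    print("summary:", dict(summarize(all_issues)))
    for i in triage(all_issues, min_severity="Low"):
        print(f"[{i['severity']}/{i['confidence']}] {i['name']} at {i['host']}{i['path']}")
```

To use it on a real scan, read the exported file with open(path).read() in place of SAMPLE_EXPORT; raising min_confidence to "Firm" or "Certain" is the quickest way to separate findings worth manual verification from the scanner's speculative ones.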
CVE-2020-2040 PAN OS Buffer overflow Critical Vulnerability Palo Alto Network - Take Action - 9.8
- The purpose of the video is to alert subscribers to a critical vulnerability in Palo Alto Networks' perimeter firewall and to the actions they need to take.
- Palo Alto Networks has published an advisory for CVE-2020-2040, a buffer overflow in PAN-OS.
- The vulnerability is rated 9.8 (Critical) on the CVSS scale, just short of the maximum of 10.0.
- Attack complexity is low, and no privileged account is required to exploit it.
- The impact on confidentiality, integrity and availability is rated high in all three categories.
- If you run PAN-OS, check whether your version falls in the affected range listed in the advisory.
- An unauthenticated attacker can disrupt system processes and potentially execute arbitrary code with root privileges. The advisory's precondition matters for exposure: the vulnerable code path is reachable only when Captive Portal or Multi-Factor Authentication is enabled, so check that setting alongside the version.
- The fix is to apply the patch or upgrade to an unaffected release.
- Other advisories were released at the same time, including one for a reflected cross-site scripting vulnerability.
- Evaluate the risk to your own deployment and take the necessary action.
- Stay safe and keep up with security advisories.
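The "check the affected version" step is where most people slip, because PAN-OS fixes land per release branch: 9.0.12 is patched while 9.1.4 is not, so a naive version comparison gives the wrong answer. Here is an added example (not from the video and not vendor code) of a branch-aware check that also factors in the Captive Portal / MFA precondition. The fixed-release table is my recollection of the advisory (8.1.17, 9.0.11, 9.1.5; all of 8.0 affected with no fix because it is end-of-life; 10.0 not affected) and is marked in the code as an assumption to confirm against the current advisory text before relying on it.

```python
# Branch-specific fixed releases for CVE-2020-2040 as I recall them from the
# Palo Alto Networks advisory. ASSUMPTION: confirm these against the current
# advisory text before acting on the result.
FIXED_IN = {"8.1": (8, 1, 17), "9.0": (9, 0, 11), "9.1": (9, 1, 5)}
EOL_AFFECTED = {"8.0"}      # every release on this branch affected; no fix published
NOT_AFFECTED = {"10.0"}     # branch not affected per the advisory (assumption as above)


def parse_panos_version(version: str) -> tuple:
    """'9.0.11-h1' -> ((9, 0, 11), 1). Hotfix number is 0 when absent.
    Hotfixes are ordered after their base release, so the base tuple alone
    decides whether a fixed release has been reached."""
    base, _, hotfix = version.strip().partition("-h")
    parts = tuple(int(p) for p in base.split("."))
    if len(parts) != 3:
        raise ValueError(f"unexpected PAN-OS version string: {version!r}")
    return parts, int(hotfix) if hotfix else 0


def assess(version: str, captive_portal_or_mfa_enabled: bool) -> tuple:
    """Return (vulnerable_version, exposed_now, reason).
    vulnerable_version is None when the branch is not in the table, so the
    caller cannot mistake 'unknown' for 'safe'."""
    (major, minor, maint), _ = parse_panos_version(version)
    branch = f"{major}.{minor}"
    if branch in NOT_AFFECTED:
        return False, False, f"PAN-OS {branch} is not affected"
    if branch in EOL_AFFECTED:
        vulnerable = True
        reason = f"PAN-OS {branch} is end-of-life and affected on every release; upgrade to a supported branch"
    elif branch in FIXED_IN:
        fixed = FIXED_IN[branch]
        vulnerable = (major, minor, maint) < fixed
        fixed_str = ".".join(str(p) for p in fixed)
        reason = (f"{version} is earlier than the fixed release {fixed_str}" if vulnerable
                  else f"{version} is at or after the fixed release {fixed_str}")
    else:
        return None, None, f"PAN-OS {branch} is not in the table; check the advisory"
    # Exploitable only when the vulnerable feature is actually turned on; a
    # vulnerable build with the feature off still needs patching, just with
    # less urgency.
    exposed = vulnerable and captive_portal_or_mfa_enabled
    if vulnerable and not exposed:
        reason += "; Captive Portal/MFA disabled, so not currently reachable, but patch anyway"
    return vulnerable, exposed, reason


if __name__ == "__main__":
    # Constructed inventory: (device, sw-version as shown by 'show system info', feature enabled)
    inventory = [
        ("fw-edge-1", "9.1.4", True),
        ("fw-edge-2", "9.0.12", True),
        ("fw-dc-1", "9.1.4-h2", False),
        ("fw-lab", "8.0.21", True),
        ("fw-new", "10.0.1", True),
    ]
    for device, version, feature in inventory:
        vuln, exposed, why = assess(version, feature)
        print(f"{device:10} {version:10} vulnerable={vuln} exposed={exposed}  {why}")
```

The version string to feed in is the sw-version line from `show system info` on the firewall CLI. The three-state return (True, False, None) is deliberate: an unlisted branch must surface as "go read the advisory", never as a silent pass.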
Google Product Reviews Update Done Before Christmas, Lots Of Ranking Tremors & SEO Work On Holidays
Good morning everybody! My name is Barry Schwartz and this is the Search Buzz video recap. Today is Friday, December 24th, and I'm wishing everybody a happy and merry Christmas and happy holidays. We have a lot to discuss today, including the Google Product Reviews update that has completed rolling out, huge tremors in the past week, and SEO work during the holidays.
- Google Product Reviews update completed rolling out
- Tremors in search results over past few weeks
- SEO work during holidays discussed
Google Product Reviews Update:
- Started on December 1st, took about 20-21 days to roll out
- Supposedly targeted only product review content in English language
- If hit, check blog post on December 22nd for more information
Search Result Tremors:
- Fluctuations in search results significant over past few weeks
- Charts shared below for visualization
- If rankings jumped up and down, not alone
- John Mueller said there's no need to work on algorithm or ranking issues over holidays
Not All Websites Need to be Authorities:
- Local businesses or niche keywords don't need to be authorities to rank
- Need to be authority for competitive keywords or YMYL categories
Bing Shopify Integration:
- Can now buy products directly from Bing shopping results on Shopify website
- Bing testing ethical shopping hub in UK for sustainable, ethical fashion brands
SEO Link Building Survey Results:
- Most SEOs spend less than 25% of their time on link building
Interesting SEO Story:
- An SEO company reported a link from another website it owned, but that site had actually been hacked to insert the link to the client's website
- New feature shows top categories results in images, possibly a bug
Google Ads Conversion Bug:
- Google confirms bug in some types of reporting in Google Ads for a short period of time
- Lots of updates and tremors in search results
- SEO work during holidays not necessary, but some may still feel pressure
- Bing making strides in ethical shopping and Shopify integration
- Interesting SEO story of hacked link reported by SEO company