Oracle WebCenter Interaction Multiple Security Vulnerabilities
 

Certificate Transparency is a program that we've all heard about, but might not have had direct contact with.  We do hear about it from time to time, for instance when Google (or someone else) busts a CA for generating certificates that should not exist (which is what eventually led to the Symantec CA implosion).  I kinda knew about it mostly from mentions in the ISC Stormcast.

Anyway, the Cert Transparency program has Certificate Authorities keeping a transparent log of EV certificates since Jan 1, 2015, and logs for DV and OV certificates as of May 2, 2018 (more here: https://www.certificate-transparency.org/ ).  This means that there are central, queryable repositories for all SSL certificates.  As soon as I hear "central database" and "API", I tend to ask "how can I use that for other purposes?" - for instance, how can I use that in penetration tests?

One of the truisms of pentests is that you can only test/attack hosts or services that you know are there - that's what the recon phase of your pentest is all about.  Certificate Transparency logs give you a whole new method of assembling a list of targets during recon.

Let's take a look at a few of the vendor interfaces to the data.  Starting with Comodo's CT interface - making a query at https://crt.sh/?q=sans.org gets us a nice list of certs:
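The same crt.sh query can be answered as JSON (appending `&output=json`), which is easier to process than the HTML list, and the blue-team twin of this recon is checking what CT logs say about your own domain against your asset inventory.  The script below is an added example, not code from the diary or from crt.sh: the JSON field names (`name_value`, `issuer_name`, etc.) are an assumption about crt.sh's output, and the records are constructed so it runs offline.

```python
import json
from collections import Counter

# Constructed sample in the shape crt.sh returns for a query such as
# https://crt.sh/?q=%25.example.com&output=json. The field names are an
# assumption about that JSON output; the records themselves are made up.
SAMPLE_CRT_SH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2018-08-01T00:00:00", "not_after": "2018-10-30T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA",
     "common_name": "vpn.example.com",
     "name_value": "vpn.example.com",
     "not_before": "2018-01-15T00:00:00", "not_after": "2020-01-15T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\nstaging-old.example.com",
     "not_before": "2018-09-01T00:00:00", "not_after": "2018-11-30T00:00:00"},
])


def hostnames_from_crt_sh(json_text):
    """Distinct hostnames named in a crt.sh JSON answer.

    name_value carries every SAN of the certificate, one per line, so one
    entry can reveal several hosts. Wildcards are kept as-is: a cert for
    '*.dev.example.com' is itself something an owner wants to know about.
    """
    names = set()
    for entry in json.loads(json_text):
        for raw in entry.get("name_value", "").splitlines():
            host = raw.strip().lower()
            if host:
                names.add(host)
    return names


def issuers_from_crt_sh(json_text):
    """How many logged certificates each CA issued for the queried domain."""
    return Counter(entry["issuer_name"] for entry in json.loads(json_text))


def unexpected_hosts(json_text, inventory):
    """Hostnames the CT logs know about that the asset inventory does not."""
    return hostnames_from_crt_sh(json_text) - {h.lower() for h in inventory}


if __name__ == "__main__":
    known = {"www.example.com", "example.com", "vpn.example.com"}
    for host in sorted(unexpected_hosts(SAMPLE_CRT_SH_JSON, known)):
        print("not in inventory:", host)
    for issuer, count in issuers_from_crt_sh(SAMPLE_CRT_SH_JSON).items():
        print(count, "cert(s) issued by", issuer)
```

Anything the second loop lists from a CA you don't use is worth a look just as much as an unknown hostname.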

 

iOS 12 is out today - Updates for Safari, watchOS, tvOS, iOS. Full details here https://support.apple.com/en-ca/HT201222, (Tue, Sep 18th)

=============== Rob VandenBrink Compugen

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Vuln: WebKit '-webkit-backdrop-filter CSS' Property Denial of Service Vulnerability

 

Vuln: Apache SpamAssassin CVE-2017-15705 Denial of Service Vulnerability

 

ISC Stormcast For Tuesday, September 18th 2018 https://isc.sans.edu/podcastdetail.html?id=6172, (Tue, Sep 18th)
