🔎 Cybersecurity Challenge #6 – Spot the Vulnerability

This application fetches an image from a URL provided by the user. Sounds harmless, right? 👨‍💻

But allowing servers to request external resources based on user input can sometimes open the door to dangerous attacks.

Take a closer look at how the URL is validated and how the request is made.

⚠️ Is the validation strong enough?

Question: What security vulnerability exists in this code?

A) SQL Injection
B) Server-Side Request Forgery (SSRF)
C) External XML Entity (XXE)
D) URL Redirection

💬 Comment your answer and tell us which line reveals the vulnerability!

In the next post, I’ll reveal the correct answer and explain how attackers could exploit it in real-world environments.

#cybersecurity #infosec #ethicalhacking #websecurity #bugbounty #securecoding #CyberKid #securitychallenge #SSRF

Nice new #infosec zine focused on #securecoding with an interesting formula where each article only takes one page

https://pagedout.institute

New 2026 State of Software Security report: 82% of orgs now carry security debt, 60% have critical, highly exploitable flaws, & high-risk vulns are up 36%. You can’t fix everything—prioritize what can actually hurt you. 🔗 https://zurl.co/9ypXQ #AppSec #DevSecOps #SecureCoding

Oversecured Flags 1,575 Issues in Android Mental Health Apps
Oversecured identified 54 high-severity vulnerabilities across 10 apps totaling 14.7M+ installs.
Technical concerns include:
• Improper use of Intent.parseUri()
• Insecure PRNG via java.util.Random
• Local storage exposure
• Plaintext API endpoints in APK
• Missing root detection
These apps handle highly sensitive mental health records, including CBT notes and therapy transcripts.

Threat modeling implication:
Mobile health apps may represent high-value data reservoirs with weaker security maturity than regulated healthcare systems.

Should digital health apps undergo mandatory security audits before distribution?

Engage below.
Follow TechNadu for deep-dive cybersecurity reporting.

#Infosec #MobileAppSecurity #AndroidSecurity #SecureCoding #DigitalHealth #ThreatModeling #AppSec #CyberRisk #DataProtection

LangChain load() should be renamed to dangerousLoad(). It’s eval() in disguise. We’ve spent decades warning engineers about eval(). Repackaging it behind an abstraction doesn’t make it safer. Here’s why that design choice is dangerous.
https://x.com/secdim/status/2023626877315788853

#AppSec #SecureCoding
@LangChainAI

So amazing to see incredible friends at Wild West Hackin' Fest! Thank you Chad!!!

And thank you Black Hills for having me in to teach! #securecoding

Why secure coding is ignored in hiring, how interview practices fail to detect risk, and what organizations must change to build safer software from day one. https://hackernoon.com/why-secure-coding-ability-remains-an-afterthought-in-modern-hiring-pipelines #securecoding

age.rb – Ruby bindings for age!

If you're working with Ruby and looking for a simple, secure, and modern solution for file encryption, age.rb bridges the gap, bringing the elegance of Ruby to the robust age encryption tool.

Give it a try, explore the repo on GitHub, and let me know what you think. Contributions and feedback are always welcome!

Repository: https://github.com/tschaefer/age.rb

#Ruby #Cryptography #OpenSource #AgeEncryption #SecureCoding

🔐 Bài viết ngắn về Secure Coding: hướng dẫn thực hành khắc phục lỗ hổng IDOR, tải file không an toàn và SQL Injection qua ví dụ lab. Rất hữu ích cho lập trình viên muốn nâng cao bảo mật mã nguồn. #SecureCoding #BảoMật #IDOR #SQLInjection #FileUpload #LậpTrình

https://www.reddit.com/r/programming/comments/1q8m817/a_very_short_introduction_to_secure_coding_with/

AI Tools Make Coders More Important, Not Less https://hbr.org/2025/12/ai-tools-make-coders-more-important-not-less #AI #AICoding #coders #AITools #cybersecurity #securecoding

AI-assisted pull requests are accelerating development — but also introducing new review and trust challenges. Speed is great, assurance is essential. 🤖🧪 #SecureCoding #SecureAI

https://www.helpnetsecurity.com/2025/12/23/coderabbit-ai-assisted-pull-requests-report/

OpenAI has released GPT-5.2-Codex, positioning it as a more capable agentic coding system for long-horizon engineering and defensive cybersecurity workflows.

The company reports improvements in vulnerability research support, terminal-based task execution, and large-scale code reasoning, while also emphasizing controlled access and safeguards due to dual-use implications.

As AI becomes more embedded in security tooling, the focus increasingly shifts to governance, validation, and responsible deployment.

Source: https://openai.com/index/introducing-gpt-5-2-codex/

How do you see agentic AI fitting into real-world security operations?

Share your insights and follow TechNadu for grounded InfoSec coverage.

#InfoSec #CyberDefense #AIinSecurity #SecureCoding #ThreatResearch #ResponsibleDisclosure #TechNadu

Process Hacker, PEB et NTDLL : les clés pour des applications natives ultra-minimalistes

🤯 Dans certains cas, on veut maîtriser chaque octet. Pourtant, même un programme basique peut embarquer des DLL dont on pourrait se passer. Plongeons ensemble dans les entrailles de l'exécutable.

Un 'Hello World' basue compilé en C++ pèse environ 11KB, il dépend de Kernel32.dll et VCRuntime140.dll. Avec un lien statique avec le CRT, la taille monte à 136KB ! 😱
Le CRT gère l'appel de `main`, l'exécution des constructeurs d'objets C++, les variables comme `errno`, et les opérateurs `new`/`delete`. Mais cette commodité a un coût en taille et en dépendances.

Pour des binaires ultra-minimalistes, réduire le CRT implique de paramétrer le linker pour réduire les librairies par défaut, de désactiver la vérification de sécurité du tampon (/GS), et de modifier le point d'entrée pour `mainCRTStartup`.

Adieu `printf` ! On le remplace par `WriteConsoleA` de `Kernel32.dll` pour l'affichage. Le résultat : un exécutable de seulement 4KB, avec juste deux imports de `Kernel32.dll`. C'est une belle victoire, non ? 😎

Mais on peut aller encore plus loin: chaque processus Windows charge systématiquement `NTDLL.dll` qui propose de nombreuses fonctions similaires au CRT, comme `sprintf_s`. La subtilité : la `NtDll.lib` standard de Microsoft n'exporte pas toujours toutes ces fonctions. On a alors deux options : soit créer une bibliothèque d'import personnalisée, soit recourir au linking dynamique via `GetModuleHandle` et `GetProcAddress`. ✨

Et pour les arguments de la ligne de commande `argc`/`argv` ? Sans le CRT, le système passe à `mainCRTStartup` un unique argument : le `PPEB` (Process Environment Block) et son membre `ProcessParameters` permettent d'accéder aux informations comme `ImagePathName` ou `CommandLine`. C'est le mode de fonctionnement des applications natives.

Pourquoi s'engager dans cette démarche de "minimisation" ? 🤔 Pour les DevSecOps et Purple Teams:

* Légèreté: Pour des outils offensifs discrets, des charges utiles ou des situations avec des contraintes de taille strictes, un binaire de 4KB est un avantage considérable.
* Les applications natives, dépendant uniquement de `NTDLL`, peuvent s'exécuter très tôt dans le démarrage de Windows (comme `Smss.exe` ou `autochk.exe`). Elles offrent une perspective unique sur le fonctionnement bas niveau du système.

Pour explorer ces concepts, l'article original est une mine d'or : https://scorpiosoftware.net/2023/03/16/minimal-executables/

C'est un sujet passionnant qui conduit vers d'autres sujets de développements passionants dans le domaine de la cybersécurité offensive et du reverse engineering 🤯

Quelle méthode préférez-vous pour remplacer les fonctions CRT par NTDLL ? Débattez dans les commentaires ! 👇

#Cybersécurité #DevSecOps #ReverseEngineering #WindowsInternals #Programmation #MalwareAnalysis #ExploitDevelopment #SecureCoding #ThreatHunting

Tiny VM sandbox in C with apps in Rust, C and Zig

https://github.com/ringtailsoftware/uvm32

#HackerNews #TinyVM #Sandbox #C #Rust #Zig #VMDevelopment #CloudComputing #SecureCoding

Cal.com has patched a critical authentication bypass (CVE-2025-66489) that allowed attackers to submit any non-empty TOTP field and skip password checks. Versions ≤5.9.7 were impacted.

Update to 5.9.8 to ensure both password and TOTP verification are enforced.
How should MFA implementations be validated to prevent logic gaps like this?

Source: https://gbhackers.com/critical-cal-com-flaw-allows-attackers-to-bypass-authentication-using-fake-totp-codes/

Share your insights and follow us for more security reporting.

#infosec #appsec #CVE2025 #authentication #MFA #ThreatIntel #SecureCoding #SoftwareSecurity #VulnerabilityManagement #SecurityUpdate

This is such a good read on how secrets end up in logs and neat advice on how to prevent this by @ar: https://allan.reyes.sh/posts/keeping-secrets-out-of-logs/ #RecommendedRead #AppSec #SecureCoding

Password Security - MD5 vs Argon2

🔐 STOP USING MD5! This password security comparison will shock you. Junior developers still use MD5 (cracked in seconds!) while senior devs use Argon2ID - the strongest password hashing algorithm. See the difference and learn why password security matters. Your users' data depends on this! #PHP #PasswordSecurity #Argon2 #MD5 #WebSecurity #SecureCoding

#php #programming #coding #web development #software engineering #junior vs senior #code review #...

🎥 manual

CrowdStrike’s analysis shows DeepSeek-R1 may produce more insecure code when certain contextual or geopolitically sensitive triggers appear in a prompt - even when unrelated to the development task.

This behavior highlights a potential risk vector for AI-assisted coding and raises questions around alignment, robustness, and training data influence.

Full report:
https://www.technadu.com/deepseek-ai-vulnerabilities-tied-to-political-triggers-like-tibet-uyghurs-or-falun-gong-found-by-crowdstrike/614033/

Follow us for more cybersecurity research & updates.

#CyberSecurity #DeepSeek #AICoding #SecureCoding #LLMSecurity #CrowdStrike

via @dotnet : Post-Quantum Cryptography in .NET

https://ift.tt/osS9nPf
#PostQuantumCryptography #DotNet10 #Cryptography #PQC #MLDSA #MLKEM #SLHDSA #CompositeMLDSA #AsymmetricAlgorithms #Cybersecurity #DataProtection #Encryption #SecureCoding #TechInnovation #Ope…

Rust continues to reshape Android’s security posture.

Google reports memory-safety bugs are now under 20%, backed by:
• 1000× reduction in memory-safety bug density vs C/C++
• 4× fewer rollbacks
• Faster reviews + fewer revisions
• Rust moving deeper into kernel, firmware & Android’s security-sensitive apps
A recent “near-miss” RCE (CVE-2025-48530) in unsafe Rust was mitigated by Scudo before reaching public release.

Thoughts from the AppSec community?
Follow @technadu for more unbiased cybersecurity reporting.

#RustLang #MemorySafety #AndroidSecurity #AppSec #InfoSec #DevSecOps #SecureCoding #TechNadu