Earlier this week, I released Websec Weekly into the wild. This blog post is about my motivation behind releasing it, and a bit more about how it works.
Throughout the last two years or so in my participation in bug bounties, I’ve found that there have been more and more tricky techniques and attack vectors introduced into the wild. To me, being a good bug bounty hunter and actually finding a lot of the harder to find yet valid security issues has often relied on my ability to keep up with such attack vectors.
Often, the security issues discovered through such “tricks” or “techniques” are not openly documented, however are shared in the form of bug reports, in mailing lists, community forums or in advisories. This can be hard to track, and I know, that at least for me, I’ve become quite compulsive in obtaining the newest information, as soon as possible, related to web app security.
Whilst not every edge case attack vector is documented, I have found that keeping well up to date and reading web security community content as it comes out has assisted tremendously in all of my engagements as a professional and also in CTFs and bug bounties I participate in.
This is why I’ve created Websec Weekly.
Let’s take for example, the following security issue that was reported and then publicly disclosed on HackerOne in 2013:
The security issue presented in the report by the researcher discusses an attack vector which may cause DoS on many services, in fact, almost any service which attempts to convert images when uploaded, but does not validate or limit the amount of memory being allocated to this process.
The PoC being very simple, and included in the report itself, I see this discovery as absolutely awesome – as not only does it apply to the service in which the researcher has found the bug in, but also in a majority of the web applications that I pentest.
This is the sort of information which Websec Weekly aims to capture. Every hour, information is gathered from a variety of sources including, but not limited to in the future:
- Reddit Netsec
- HackerOne Publicly Disclosed Reports
- Full Disclosure Mailing List
- Security @ StackExchange
Once this information is gathered and neatly put away into databases, I have a set of “managers” as I call them, which aim to get the information to me, as soon as possible.
At the moment, I have two possible solutions for enthusiasts like myself, who crave information like what is gathered from my sources:
- A weekly newsletter sent to your email every Monday.
- HipChat notifications which are sent to HipChat @ 9AM and 9PM of every day (for the more hardcore enthusiasts).
Some might argue that the information being sent through is a total overload and is possibly too much to consume. Hence, I’ve tackled this problem by relying on community based feedback (i.e. upvotes, views and/or comments and answer counts).
So far this service is in early beta stages and is just a pet project which I’ll take care of time to time. After all, I plan on using it heavily and making sure that the info that gets generated in the newsletters is actually of relevance and of importance to myself – and hopefully other enthusiasts out there.
Websec Weekly is an entirely free service. As a disclaimer, in the future, I may need to unobtrusively monetise or introduce donations, in order to pay for the emails being sent out, but for now the costs are low enough that I can just turn a blind eye to.
You can find the GitHub repo which hosts all of the DBs, APIs and Managers for this service here:
I’m very open to suggestions, so please let me know what you’d like to see in the newsletter so that I can implement it 🙂 Simply comment, or email me.