Daily Dave

This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

Immunity is throwing a shindig in Laurel MD Nov 21st!

13 October, 2016 - 09:24

Posted by Dave Aitel on Oct 13


It's not just about the beer - it's really more about sharing our
experiences throughout the year writing and enjoying the delicious brew
that is modern exploits! We have two talks, both of which will be great.
Please email admin () immunityinc com to RSVP!


Re: Book Reviews

12 October, 2016 - 08:19

Posted by JJ Gray on Oct 12

Even small-scale (but high event) focussed testing can have unexpected
results, case in point as happened some time ago on a remote application
test. In short, the basic fuzzing of a small form field killed the
corporate mail server. It turned out that at some point early in the
application's life cycle the developer added an email alert on every
error condition. This continued through the application life cycle until
Live except at this point the...

Re: Book Reviews

11 October, 2016 - 15:03

Posted by Thomas Ptacek on Oct 11

Yeah, this rang false to me too. It’s also the reason you can’t take a
client with 100 applications and run a tool that spams every discovered
endpoint with XSS vectors; their customers scream bloody murder when every
other page starts popping an alert box.

(This comes up a lot because people who don’t do large-scale testing tend
to believe XSS is something you can safely test for everywhere).

"You cannot deface websites with...

Re: Book Reviews

11 October, 2016 - 14:34

Posted by Dave Aitel on Oct 11

Yes, in theory. There are scenarios where you can do all those things. None
of those are what the authors meant, to put it kindly.


Re: Book Reviews

11 October, 2016 - 14:25

Posted by Eric Schultz on Oct 11

"You cannot deface websites with cross-site-scripting"

You can with stored cross site scripting.

You can if the app is also vulnerable to cross site request forgery.

You can if you steal a privileged session and you have network access.


Book Reviews

10 October, 2016 - 10:21

Posted by Dave Aitel on Oct 10

2 Book Reviews in this post.

1. Lab Girl
Probably the best book I've read all year. Immediately go and purchase and
read this. Speaks well to the hacker spirit, but is written like poetry.

Read my review...

Why there's an INFILTRATE

29 September, 2016 - 10:12

Posted by dave aitel on Sep 29

It was one of our first INFILTRATEs when Thomas Lim gave a keynote
in specific, that there were far too many security conferences. And he
was, of course, right. And also one of our first keynotes when Thomas
Dullien talked about weird machines and JIT engines
the philosophy of bug...

Re: Deep down the certificate pinning rabbit hole of "Tor Browser Exposed"

19 September, 2016 - 12:09

Posted by Ryan Duff on Sep 19

Hey everyone,

I have posted a full technical writeup and wrap-up for this bug. Check it
out here:



Deep down the certificate pinning rabbit hole of "Tor Browser Exposed"

15 September, 2016 - 11:36

Posted by Ryan Duff on Sep 15

Hey everyone,

I spent a decent portion of my day looking into the claim by the Tor-Fork
developer that you could get cross-platform RCE on Tor Browser if you're
able to both MitM a connection and forge a single TLS certificate for
addons.mozilla.org. This is well within the capability of any decently
resourced nation-state. Definitely read @movrcx's write-up first to see his
claim. It's here:...

Re: The difference between block-based fuzzing and AFL

15 September, 2016 - 11:28

Posted by Michal Zalewski on Sep 15

I don't look at it this way.

To put it bluntly, the overriding principle behind AFL is that it
intentionally takes away choice and forces you to simplify problems
instead of complicating the test suite.

Quite often, that's the right thing to do, even if it *feels*
insulting or wrong to a pro. There are fuzzing frameworks that are
incredibly flexible and expressive, allowing you to create complex
protocol specs, fiddle with dozens...

Tor Browser Exposed: Anti-Privacy Implantation at Mass Scale

14 September, 2016 - 01:18

Posted by Joshua on Sep 13

Howdy folks,

An article was written on how a nation state could conduct an attack on all Tor Browser platforms. Enjoy!

Dailydave mailing list
Dailydave () lists immunityinc com

Re: iPhone Security

14 September, 2016 - 01:10

Posted by Kristian Erik Hermansen on Sep 13

Thanks to Apple for finally fixing the issues today with latest
updates and not crediting where credit is due. And, you should really
update to get the patches just released...

"CVE-2016-4741: Description: An issue existed in iOS updates, which
did not properly secure user communications. This issue was addressed
by using HTTPS for software updates."

Re: The difference between block-based fuzzing and AFL

14 September, 2016 - 01:00

Posted by Ryan Stortz on Sep 13

I don't think it's an apples-to-oranges comparison to compare these fuzzers
against the Cyber Grand Challenge test set (
https://github.com/trailofbits/cb-multios). In fact, the CGC test set is a
perfect shooting gallery. The test set is entirely comprised of network
services that implement protocols that represent real world software.
DECREE has no knowledge of file systems or files at all. The protocols are
frequently simplified, but...

Re: The difference between block-based fuzzing and AFL

14 September, 2016 - 00:41

Posted by Andrew Ruef on Sep 13

The benefit of a tool like AFL is that it’s black-box: you don’t need a grammar, you don’t need a complicated, rich and
deep specification of a protocol like RPC that encapsulates checksums, encryption, etc.

AFL (and fuzzers like it) have a strategy to work around their lack of knowledge/a deep specification, though: just
recompile your application to skip checksums and turn off encryption.

Augh! It’s so cheesy! The indignity! You...

The difference between block-based fuzzing and AFL

13 September, 2016 - 10:34

Posted by Dave Aitel on Sep 13

So let's take a quick break from thinking about how messed up Wassenaar is
or what random annoying thing the EFF or ACLU said about 0day today and
talk about fuzzers. AFL has everyone's mind share, but I have to point
out that it is still a VERY specialized tool.

The process of taking a file, sending it into some processing unit, and
then figuring out if it crashes, sounds easy and generic. But in practice
you have to carefully...

Dealing with large colony sizes

13 September, 2016 - 06:50

Posted by dave aitel on Sep 13

https://vimeo.com/181992289 Tagging and Automation

https://vimeo.com/182118990 Web Powershell Channel

Ant colonies used to be very small. Some of the features Ants needed to
develop (specialized genes for controlling size in various castes of the
colony, for example) took eons to evolve. Likewise, the algorithms that
drive large ant colonies are hugely complex - they are quite
intelligent, in other words....

t2'16: Challenge to be released 2016-09-10 10:00 EEST

31 August, 2016 - 08:38

Posted by Tomi Tuominen on Aug 31

It is that time of the year again.

Unicorns attract competitors, copycats and charlatans. For a VC, the road to losing the principal is paved with poor
decisions, bad luck and ultimately betting on the wrong horse. One of the challengers in the unregulated
pay-per-hitchhike app industry, Astley Auto Association, has been trying to raise a C round. Its founder and CEO, a
controversial character, is claimed to represent the darker side of the...

Lawfareblog podcast on the VEP

30 August, 2016 - 07:57

Posted by dave aitel on Aug 30


You'll notice that there isn't really a pushback to the arguments in
this podcast from the usual suspects. Maybe that's because after they
listen to it, they kinda agree? My favorite question is when the editor
of Lawfare asks us "Why should anyone even listen to you guys anyways?"
I only tell one...

nullcon 8-bit Call for Papers is open

25 August, 2016 - 12:46

Posted by nullcon on Aug 25

Dear Hackers and Security Pros,

Welcome to nullcon 8-bit!
nullcon is an annual security conference held in Goa, India. The focus
of the conference is to showcase the next generation of offensive and
defensive security technology. We happily open doors to researchers
and hackers around the world and the universe, working on the next
big thing in security and request everyone to submit their new

What is 8-bit?
As a tradition of...

SAINTCON 2016 Details

23 August, 2016 - 10:59

Posted by Troy Jessup on Aug 23


SAINTCON (SAINT is an acronym for "Security Advisory and Incident Network Team") is a moderate-sized hacking
conference based in Utah. SAINTCON is a non-profit event where we provide a security conference focused on training,
discussion, and information sharing.

When you attend SAINTCON, you will experience one of the best information security conferences that combines
professional, casual, and social...