This post covers 2023-02-20 to 2023-02-27.
Interesting Reads
DIY malicious Chrome extension
Matt Frisbie takes a look at the current limitations of Manifest V3. The PoC simply requests all possible permissions, and upon installation Chrome displays a warning message. He even provides the Spy Extension code on GitHub.
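The defensive counterpart to that PoC is to look at what an extension asks for before it is allowed into a fleet. The following is an added example, not code from the original post or from the Spy Extension repository: a small Node.js auditor that reads a Manifest V3 `manifest.json` object and flags the permissions and host patterns that let an extension observe or alter user data across every site. The risk table and the two sample manifests are constructed for illustration; the table is an assumption about which APIs deserve review, not Chrome's official install-warning mapping.

```javascript
// Added example: audit a Chrome Manifest V3 manifest for broad data access.
// Not part of the original post; the risk table below is an illustrative
// assumption, not Chrome's official permission-warning list.

const HIGH_RISK_PERMISSIONS = {
  tabs: 'can enumerate open tabs and their URLs/titles',
  history: 'can read browsing history',
  cookies: 'can read and write cookies for permitted hosts',
  webRequest: 'can observe network requests',
  declarativeNetRequest: 'can rewrite or block network requests',
  scripting: 'can inject scripts into pages it has host access to',
  clipboardRead: 'can read the clipboard',
  geolocation: 'can read device location',
  downloads: 'can start and inspect downloads',
  management: 'can enumerate and disable other extensions',
  nativeMessaging: 'can talk to native host applications',
};

// Host patterns that grant access to every site.
const ALL_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

function findingsForPermissions(list, source) {
  const findings = [];
  for (const p of list || []) {
    if (Object.prototype.hasOwnProperty.call(HIGH_RISK_PERMISSIONS, p)) {
      findings.push({ source, item: p, note: HIGH_RISK_PERMISSIONS[p] });
    }
  }
  return findings;
}

function findingsForHosts(list, source) {
  const findings = [];
  for (const h of list || []) {
    if (ALL_HOSTS.has(h)) {
      findings.push({ source, item: h, note: 'grants access to every site' });
    }
  }
  return findings;
}

// Returns the list of findings plus a coarse verdict:
//   'ok'      - nothing flagged
//   'caution' - some flagged items, but no all-sites access combined with a risky API
//   'review'  - all-sites access combined with at least one risky API permission
function auditManifest(manifest) {
  const findings = [
    ...findingsForPermissions(manifest.permissions, 'permissions'),
    ...findingsForPermissions(manifest.optional_permissions, 'optional_permissions'),
    ...findingsForHosts(manifest.host_permissions, 'host_permissions'),
  ];
  for (const cs of manifest.content_scripts || []) {
    findings.push(...findingsForHosts(cs.matches, 'content_scripts.matches'));
  }
  const allSites = findings.some((f) => ALL_HOSTS.has(f.item));
  const riskyApis = findings.filter((f) => f.source.endsWith('permissions') && f.source !== 'host_permissions').length;
  let verdict = 'ok';
  if (findings.length > 0) verdict = 'caution';
  if (allSites && riskyApis > 0) verdict = 'review';
  return { name: manifest.name, findings, allSites, riskyApis, verdict };
}

// Constructed sample: an extension that asks for far more than a typical
// "productivity" tool needs.
const SUSPICIOUS_MANIFEST = {
  manifest_version: 3,
  name: 'constructed-suspicious-extension',
  permissions: ['storage', 'tabs', 'history', 'cookies', 'webRequest', 'scripting'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
};

// Constructed sample: a narrowly scoped extension.
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: 'constructed-benign-extension',
  permissions: ['storage'],
  host_permissions: ['https://example.com/*'],
};

function summarize(manifest) {
  const report = auditManifest(manifest);
  const lines = [`${report.name}: ${report.verdict} (${report.findings.length} finding(s))`];
  for (const f of report.findings) lines.push(`  ${f.source}: ${f.item} -> ${f.note}`);
  return lines.join('\n');
}

console.log(summarize(SUSPICIOUS_MANIFEST));
console.log(summarize(BENIGN_MANIFEST));
```

Run it with `node audit.js` against a manifest loaded via `JSON.parse(fs.readFileSync(...))`; the combination of an all-sites host pattern with `scripting`, `cookies` or `webRequest` is what turns a long permission list into something worth blocking in an allowlist policy.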
Open Software Supply Chain Attack Reference (OSC&R)
The website pbom.dev published their OSC&R matrix. Like MITRE ATT&CK, OSC&R is organized into a clear and structured view of the tactics, techniques, and procedures (TTPs) used by adversaries. However, OSC&R is the first and only matrix that focuses specifically on software supply chain attacks. It covers a wide range of attack vectors, including vulnerabilities in third-party libraries and components, supply chain attacks on build and deployment systems, and compromised or malicious software updates.
PBOM stands for pipeline bill of materials. It is related to a software bill of materials (SBOM), which lists the components used to build software; a PBOM additionally covers the build pipeline from design to production.
Tools
- SysReptor - SysReptor makes Pentest Reporting easy. Currently in Beta with a Community and a Professional model.
- Sublime Security - Open, adaptable email security platform.
- passbolt - Open source password manager for teams.