Hey there,
I hope you've been doing well! I missed you, dear reader.
A Tryptophan-induced Reflection
Last week I did some reflecting. I have a lot to be thankful for, but I want to mention one thing in particular.
I wanted to share my writing online for a long time, but to be honest, I was scared to do it: don't other people know more? Isn't the Internet a Nasty and Mean Place?
But people have been really nice about tl;dr sec! I've been blown away by people's kind words about how they find it useful, look forward to it, how it made them laugh in a meeting and get in trouble with their boss, and more.
This encouragement has frankly been key to me continuing, when it's yet again 11:09pm on a Wednesday and I'm wrapping up another issue.
I wanted to share this anecdote because if you're reading this and have been wanting to share your work, you should!
I know that you have knowledge that other people would love to read.
Write it down. Share it.
We'll be glad you did.
Speaking Stuff
OWASP Israel - Tues, Dec 8th
I'll be joining some cool speakers chatting about Kubernetes and XXE.
Empire Hacking - Tues, Dec 8th
After refocusing myself by meditating in a redwood forest, I'll join Empire Hacking, an awesome meet-up by Trail of Bits.
As they're also program analysis nerds, they've asked me to include more details on Semgrep internals and design decisions, so if you're curious about how Semgrep works at a deeper level, this one will be good to check out.
Open Security Summit - Fri, Dec 11th
I'll be giving a Semgrep workshop, where I'll try something I've never done before! I'm going to live tweet Semgrep challenges (match this code, don't match that code) and let people tweet back their solutions.
Should be fun! Or it may blow up in my face, we'll see. Keep an eye on @clintgibler if you want to join, hope to see you there!
Sponsor
Secure Your Business-Critical SaaS with AppOmni
AppOmni is the leading provider of SaaS Security Posture Management (SSPM) solutions. We provide data access visibility, management, and security for SaaS solutions, enabling organizations to secure sensitive data. AppOmni's technology deeply scans APIs, security controls, and configuration settings to evaluate the current state of SaaS deployments and compare it against best practices. With AppOmni, organizations can establish rules for data access, data sharing, and third-party applications that will be continuously and automatically validated.
Get a free Risk Assessment today.
In this newsletter...
Links:
- Web Security: Chrome extension to detect DOM XSS by abusing Trusted Types, exploiting dynamic rendering engines
- AI: DeepMind's protein-folding breakthrough, 5 AI achievements in 2020, GPT-3 overview, A/B test your titles for Hacker News
- Red Team: Minimal Docker container bundled with security tools
- Cloud Security: Query your cloud config and metadata like SQL, find exposed S3 objects, an overview of interesting pre:invent announcements, find existing users and IAM roles in arbitrary AWS accounts, back up your G Suite data to AWS
- Container Security: Scan Helm charts for K8s misconfigurations
- Politics / Privacy: Maybe economic inequality, minimal social mobility, and more are the historic norm, not recent bad trends
- OSINT: Search URLs exposed by shortener services, a security tool is inaccurately represented in court
- Misc: Remap all git HTTP URLs to SSH, protect domains that don't send email, a proposed service for surfacing great creators
Web Security
filedescriptor/untrusted-types
A Chrome extension by @filedescriptor that abuses Trusted Types to find DOM XSS by logging the stack trace of all sink calls and their changes to the DOM. If this sounds interesting, I highly recommend also checking out Tracy, a browser extension for web app pen testing by my friends Jake Heath and Michael Roberts, which to my knowledge is the best tool to trace user input in and out of web apps.
Exploiting dynamic rendering engines to take control of web apps
Dynamic rendering is a technique some web apps use to serve prerendered web site pages to crawlers (better SEO). r2c's Vasilii Ermilov describes techniques to exploit common dynamic rendering tools (exfiltrating cloud metadata a la SSRF), how to fingerprint when sites are using dynamic rendering, and more. One of the attack chains described involves a series of nested requests that honestly hurts my brain, but is cool to read.

AI
DeepMind's protein-folding AI has solved a 50-year-old grand challenge of biology
AlphaFold can predict the shape of proteins to within the width of an atom, which will help scientists design drugs and understand disease. "AlQuraishi thought it would take researchers 10 years to get from AlphaFold's 2018 results to this year's. This is close to the physical limit for how accurate you can get, he says." More from DeepMind's blog.
Top 5 AI Achievements of 2020
M Umer Mirza describes 5 topics/areas: 1) GPT-3, 2) AI-enabled healthcare and drug discovery, 3) graphics, animation, image and video processing, 4) motion and gestures, and 5) NVIDIA AI's processing power.
GPT-3 vs. Existing Conversational AI Solutions
An overview of GPT-3, things it can do well (e.g. knowledge retrieval), limitations (inferred knowledge, knowing when it doesn't know something), examples of why explainability is important in ML, and some pricing info.
A/B Test your Hacker News titles with AI before publishing
Enter two potential titles and it'll recommend one. By Kimmo Ihanus.
Red Team
higatowa/bento
"A simple and minimal Docker container for penetration testers and CTF players. It has the portability of Docker with the addition of X, so you can also run GUI applications (like Burp)." Currently includes: Burp Suite, gobuster, seclist, odat, impacket, sqlmap, sqlplus, mysql-client, openvpn, bytecode-viewer, Ghidra.
Cloud Security
cloudquery/cloudquery
Ease monitoring, governance, and security by querying your cloud configuration and metadata as SQL.
nccgroup/s3_objects_check
By NCC Group's Xavier Garceau-Aranda: whitebox evaluation of effective S3 object permissions to identify publicly accessible objects as well as objects accessible to AuthenticatedUsers (by using a secondary profile).
pre:Invent 2020
Chris Farris describes 29 of the 279 pre:invent announcements he found interesting, covering AWS Organizations, new security tools, serverless, ElasticSearch, and DynamoDB. Also featuring an excellent banner image.

IAMFinder: Open Source Tool to Identify Information Leaked from AWS IAM Reconnaissance
By Jay Chen of Palo Alto Networks:
In a recent blog, "Information Leakage in AWS Resource-Based Policy APIs," Unit 42 researchers disclosed a class of AWS APIs that can be abused to find existing users and IAM roles in arbitrary accounts. The root cause of the issue is that the AWS backend validates all resource-based policies and raises alerts if a specified principal does not exist. One can abuse this feature to check whether a user or role exists in a targeted account.
Based on these findings, Unit 42 developed IAMFinder, an open source tool that currently implements APIs of four AWS services: S3, KMS, SQS, and IAM. With only the AWS account number of the targeted account, IAMFinder is able to identify users and roles in that environment.

Setting up personal G Suite backups on AWS
Scott Piper describes how he automates the backup of his Gmail and Google Drive to AWS. Tools referenced:
- GAM: a CLI tool for Google Workspace (fka G Suite) Administrators to manage domain and user settings quickly and easily
- got-your-back: a CLI tool for backing up your Gmail messages to your local computer, using Gmail's API over HTTPS.
- Rclone: a CLI program to manage files on cloud storage.

Container Security
Scan Helm charts for Kubernetes misconfigurations with Checkov
Post by Bridgecrew's Matt Johnson. Checkov uses helm template to output the resulting Kubernetes manifests and scans those for insecure patterns (e.g. the CIS Kubernetes Benchmarks).
Politics / Privacy
Welcome to the new Middle Ages
This article argues that the recent rise in economic inequality, decline in social mobility, identity-based culture wars in politics, and more are not necessarily current bad trends, but rather, are historical norms.
Today the richest 40 Americans have more wealth than the poorest 185 million Americans. The leading 100 landowners now own 40 million acres of American land, an area the size of New England.
Politics has returned to its pre-modern role of religion. The Internet has often been compared to the printing press, and when printing was introduced it didn't lead to a world of contemplative philosophy; books of high-minded inquiry were vastly outsold by tracts about evil witches and heretics.
… the post-printing early modern period was the golden age of religious hatred and torture; the major witch hunts occurred in an age of rising literacy, because what people wanted to read about was a lot of the time complete garbage.
OSINT
utkusen/urlhunter
Tool by Utku Şen that enables searching URLs that are exposed via shortener services such as bit.ly and goo.gl. Uses data from URLTeam, who continuously bruteforce URL shortener services and publish their results. If you pay attention closely, you might get a slight feel for how URLTeam feels about shorteners.
Misusing OSINT to claim election fraud
Imagine waking up one day and finding a security tool you built being horribly misused in court.
This is basically what happened to OSINT tool Spiderfoot's author Steve Micallef. In short, someone scanned Dominion Voting's domain name and used the results to support claims that the voting systems were accessible over the Internet and being controlled by foreign countries like Iran and China. Steve's post nicely discusses how to cautiously and accurately use OSINT info and debunks a number of the case claims. In short:
Misc
Use the following git configuration to remap all HTTP(S) URLs to SSH. H/T Bence Nagy.
[url "git@github.com:"]
    insteadOf = http://github.com/
    insteadOf = https://github.com/
Protect domains that don't send email
The UK government on how to make sure that domains that do not send email cannot be used for spoofing using SPF, DMARC, and DKIM.
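As an added example of what those three records look like together (constructed here, not taken from the UK government guidance; example.org and the reporting mailbox are placeholders), a DNS zone fragment for a domain that never sends mail:

```zone
; Constructed example: example.org sends no mail, so every record below
; tells receivers to distrust anything claiming to come from it.

; SPF: no sending host is authorised, so mail claiming this domain hard-fails.
example.org.               IN TXT "v=spf1 -all"

; DMARC: reject mail that fails SPF/DKIM alignment. Subdomains inherit p=
; unless sp= is set, so spoofing of sub.example.org is covered as well.
; rua= is optional; the address is a placeholder for a mailbox you monitor.
_dmarc.example.org.        IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org"

; DKIM: a wildcard selector with an empty public key (p=) means no DKIM
; signature under any selector for this domain can ever validate.
*._domainkey.example.org.  IN TXT "v=DKIM1; p="
```

Not sending mail is independent of receiving it: these records leave any MX records for the domain untouched.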
Introducing Amazon Curate (I Wish)
One of the main reasons I started tl;dr sec is that I kept coming across really great work that not enough people had heard of. So I thought this faux AWS product by Daniel Miessler would be pretty awesome, and help address the challenge of surfacing great work done by (currently) relatively unknown creators.

Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them š
Thanks for reading!
Cheers,
Clint
@clintgibler