Hey there,
I hope you've been doing well!
Holiday Weekend
I spent some time last weekend hanging out with a visiting friend, and we went to the Museum of Modern Art.
If you also live in the U.S., I hope you had a relaxing Labor Day weekend, and that there was no firefighting.
I never thought I'd say this, but the NSA director actually dropped a pretty good meme.
100 Issues & Over 8,000 Subscribers!
This week is the 100th issue of tl;dr sec, and it's surpassed 8,000 subscribers!
This newsletter started about 2.5 years ago as an email I sent to a handful of friends who I had manually added to the list, after asking them 1:1 for permission.
Later, I remember sweating and shaking a bit before clicking the "Send" button every week, as there were now ~300 subscribers, many of whom I didn't know! I was scared of embarrassing myself, bringing shame upon my family, etc.
Thankfully, that has (mostly) not happened.
For everyone who's reached out with kind words over the years: thank you. Your kindness, and knowing you find tl;dr sec useful, has inspired me and kept me going.
I'm honored you let me share great security content with you, and here's to many more years!
Lessons Learned
I'm planning to write up some reflections and lessons learned about this journey.
What would you like to know?
Feel free to reply directly. I'd love to hear what you'd find most interesting or useful so I can make sure to include it.
Sponsor
Go Fuzz Yourself: How to Find More Vulnerabilities in APIs Through Fuzzing
The general approach to web app pentesting should include testing APIs. There's a number of tools to choose from, but when the pentester doesn't include fuzzing in her methodology, this can leave a number of critical vulnerabilities undetected. Alissa Knight and Detectify released new security research to show how fuzzing APIs will reveal more vulnerabilities. Get your copy of the Go Fuzz Yourself whitepaper.
Learn how to use fuzzing to security test APIs.
In this newsletter...
- AppSec: Getting the max security from your C compiler
- Web Security: Effective web app authorization testing, GraphQL server fingerprinter, GraphQL security guide, survey of API token types, JavaScript anti-debugging
- Cloud Security: Open source Cloud Security Posture Management tools, replacing SSH with AWS systems manager, replacing bastion hosts in GCP
- Container Security: Kubernetes is too complex, visual guide to troubleshooting Kubernetes deployments
- Politics / Privacy: Distinguishing hacktivists on the Risky Biz newsletter, how to find hidden cameras, China's been stealing >$200B in IP from U.S. for 20 years, Australian politician remixed
- Visualizations: What happens when you type a URL into a browser, Linux kernel defense map, defense oriented infosec infographics
- The Modern Trap of Feeling Obligated to Turn Hobbies Into Hustles: It's OK to do stuff for fun
AppSec
Getting the maximum of your C compiler, for security
Airbus Security Lab's Raphaël Rigo and Sarah Zennou list the flags you should use in GCC, Clang or MSVC, in order to: detect the maximum number of bugs or potential security problems, enable security mitigations in the produced binaries, and enable runtime sanitizers to detect errors (overflows, race conditions, etc.) and make fuzzing more efficient.
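As an added example (my own, not code from the Airbus post), here is a POSIX shell script that groups GCC/Clang flags around the post's three goals and then uses readelf to confirm the mitigations actually landed in the built binary; it assumes a Linux ELF toolchain with cc and readelf on PATH, and the flag sets and the tiny sample program are my own choices.

```shell
#!/bin/sh
# Added example, not from the Airbus post. Assumes Linux, cc (GCC or Clang) and binutils readelf.
set -eu

# Goal 1: build-time diagnostics. Surface as much as the compiler can see, and refuse
# to build on warnings so they cannot be ignored.
WARN_FLAGS="-Wall -Wextra -Wformat=2 -Wconversion -Wshadow -Wvla -Werror"

# Goal 2: mitigations baked into the produced binary: fortified libc calls, stack canaries,
# PIE (so ASLR covers the main image), full RELRO, non-executable stack.
# -U first so a distro default of _FORTIFY_SOURCE does not trip "redefined" under -Werror.
HARDEN_FLAGS="-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fPIE -pie -Wl,-z,relro,-z,now -Wl,-z,noexecstack"

# Goal 3: runtime sanitizers for test and fuzz builds only (slower, and the runtime adds
# attack surface, so never ship them):  cc $WARN_FLAGS $SAN_FLAGS -o app-fuzz app.c
SAN_FLAGS="-O1 -g -fno-omit-frame-pointer -fsanitize=address,undefined -fno-sanitize-recover=all"

# Print PASS/FAIL per mitigation visible in an ELF binary; returns non-zero if any FAIL.
check_hardening() {
  bin=$1; rc=0
  readelf -h "$bin" | grep -q 'Type:.*DYN' && echo "PASS pie" || { echo "FAIL pie"; rc=1; }
  readelf -lW "$bin" | grep -q 'GNU_RELRO' && echo "PASS relro" || { echo "FAIL relro"; rc=1; }
  readelf -d "$bin" | grep -q 'NOW' && echo "PASS bind-now" || { echo "FAIL bind-now"; rc=1; }
  readelf -s "$bin" | grep -q '__stack_chk_fail' && echo "PASS canary" || { echo "FAIL canary"; rc=1; }
  if readelf -lW "$bin" | grep 'GNU_STACK' | grep -q 'RWE'; then echo "FAIL nx-stack"; rc=1; else echo "PASS nx-stack"; fi
  return $rc
}

# Compile a constructed sample with goals 1 and 2 and verify the result. The local array
# is there so -fstack-protector-strong has something to protect.
build_and_check() {
  dir=$(mktemp -d)
  cat > "$dir/sample.c" <<'EOF'
#include <stdio.h>
int main(int argc, char **argv) {
    char buf[32];
    snprintf(buf, sizeof buf, "%s", argc > 1 ? argv[1] : "none"); /* bounded, fortify-checked */
    puts(buf);
    return 0;
}
EOF
  cc $WARN_FLAGS $HARDEN_FLAGS -o "$dir/sample" "$dir/sample.c"
  check_hardening "$dir/sample"
}

if [ "${1:-}" = "run" ]; then build_and_check; fi
```

Invoke it as `sh hardening-check.sh run`; point `check_hardening` at any existing binary to audit a build you did not produce yourself.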
Web Security
Authorization Testing: AuthMatrix - Part 1
White Oak Security's Tib3rius describes how to effectively test access controls in web apps with complicated authz logic (e.g. multiple role types with different permissions) using the AuthMatrix Burp Suite extension.
For testing authorization logic, I'd also recommend Justin Moore's AutoRepeater Burp extension.
dolevf/graphw00f
By Dolev Farhi: A fingerprinting tool for GraphQL endpoints that sends a number of benign and malformed queries to determine the GraphQL engine being used. graphw00f then provides insights into what security defences each technology provides out of the box, and whether they are on or off by default.
The complete GraphQL Security Guide: Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready
WunderGraph's Jens Neuse does a good job outlining common GraphQL issues and how and why they occur.
API Tokens: A Tedious Survey
Fly.io's Thomas Ptacek gives a great, opinionated overview of various token types: simple random tokens, platform tokens, OAuth 2.0, JWT, Macaroons, throws shade on SAML, and more.

Javascript Anti Debugging: Some Next Level Sh*t (Part 2: Abusing Chromium Devtools Scope Pane)
Some serious JavaScript chicanery by Gal Weizman. The Chromium Devtools Scope Pane can allow execution of JavaScript by the devtools while the main thread is paused by the debugger. This allowed him to write code that can determine which specific functions are being debugged, choose what action to take when a function is being debugged, and execute that action in a different parallel thread with full access to the main thread.
PoC
What's also very cool about this trick and will give a hard time to anyone trying to debug the attacker's code is that the callback to be called when the function is being debugged cannot be debugged in the devtools because it is a piece of code that is being called by the devtools itself. Meaning the only way to successfully debug this function is via the developer tools of the developer tools!
Cloud Security
Open source Cloud Security Posture Management tools
- OpenCSPM by Darkbit's Brad Geesaman and Josh Larsen (acquired by Aqua)
- magpie by Open Raven
- CloudSploit by Aqua
- Cloud Custodian, originally by Capital One
Inside Figma: getting out of the (secure) shell
Figma's Hongyi Hu describes how they got rid of SSH and replaced it with AWS Systems Manager, Okta for SSO, and required WebAuthn for multi-factor authentication.
Great stuff: focus on developer experience, minimizing security team toil, adding guardrails for users, locking down Session Manager, and more.

Leaving Bastion Hosts Behind Part 1: GCP
Netskope's Colin Estep discusses the GCP services OS Login and Identity-Aware Proxy (IAP), and shows how they can be used as an alternative to bastion hosts.
Container Security
Summer Blog Backlog: Distributed Systems
This post argues that Kubernetes has fundamentally too much accidental complexity, and that in the future it'll be replaced by something with fewer new concepts that's more compositional. I found the historical references to other domains interesting.
A visual guide on troubleshooting Kubernetes deployments
An impressively detailed and thorough guide by Daniele Polencic. Includes this great overview diagram, which, like looking up at the stars at night, reminds us of our insignificance in the face of Kubernetes' complexity.

Politics / Privacy
Srsly Risky Biz: Thursday, September 2
If you didn't know, Risky Biz has a newsletter! And it's great. In this edition, Tom Uren had a long chat with The Grugq on distinguishing hacktivists vs. nation state actors posing as them, as well as other topics.
How to find hidden cameras in Airbnbs
TikTok by Marcus Hutchins.
Top counterintelligence official Mike Orlando on foreign espionage threats facing U.S.
Acting director of the National Counterintelligence and Security Center: the U.S. has experienced $200 billion to $600 billion a year in losses to intellectual property theft by China, for the past 20 years.
How Facebook Undermines Privacy Protections for Its 2 Billion WhatsApp Users
WhatsApp analyzes messages in two ways: a) AI that scans unencrypted metadata (names, profile images, phone numbers, related Facebook accounts, etc.) and b) a content moderation team that, whenever a message is "reported," receives that message plus the four previous ones unencrypted.
If you want a messaging app whose financial incentives aren't "know everything about you and target you with ads," nor is it "0-click RCE as a service" (sorry iMessage): use Signal.
Gladys Berejiklian Takes Over The World
Someone remixed this Australian politician to say some… mean things, hilariously.
Visualizations
Some nice visual overviews.
Wassim Chegham: What happens when you type a URL in a browser's address bar

Linux Kernel Defense Map
Awesome resource by Alexander Popov covering vulnerability classes, exploitation techniques, bug detection mechanisms, and defense technologies. The following is a small snippet:

Infosec Infographics thread by John Lambert
Lots of great ones worth reviewing, but here are two to give you a taste:


The Modern Trap of Feeling Obligated to Turn Hobbies Into Hustles
You know, errr, totally unrelated to this newsletter. But really, it's important to remember stuff like this. Something I have to work on sometimes.
It's okay to love a hobby the same way you'd love a pet; for its ability to enrich your life without any expectation that it will help you pay the rent.
What if we allowed ourselves to devote our time and attention to something just because it makes us happy? Or, better yet, because it enables us to truly recharge instead of carving our time into smaller and smaller pieces for someone else's benefit?
How did we get to the point where free time is so full of things we have to do that there's no room for things we get to do?
We don't have to monetize or optimize or organize our joy. Hobbies don't have to be imbued with a purpose beyond our own enjoyment of them. They, alone, can be enough.
Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them.
Thanks for reading!
Cheers,
Clint
@clintgibler