
[tl;dr sec] #132 - Application Hacking Methodology, Pwning Cloudflare Pages, Why You Should Be Blogging

Jason Haddix's new Bug Hunter's Methodology for apps, write-up of a series of Cloudflare Pages bugs, Jack Rhysider on the power of blogging.

Hey there,

I hope you’ve been doing well!

SF Delivers

I wasn’t sure what I was going to include in the intro this week, but fortunately, San Francisco delivers once again.

In most normal places, people go to their job, they work, and they have friends, family, communities they’re a part of, and other ways they derive meaning and fulfillment.

But in the Bay Area, people’s work and identity are often so closely tied it’s like some Fifty Shades of Grey sequel. (Sidenote: I have an image I want to make for this but I don’t have time. Imagine something funny but MS Paint-level execution.)

Here’s something #PeakBayArea I came across at a local corner store this week:

Sponsor

📢 JupiterOne: Context and visibility into your entire cyber asset attack surface

As companies expand to the cloud, cyber asset visibility worsens. Resources are deployed and access granted without a full understanding of how it impacts a company’s vulnerability to attack, and legacy solutions like a SIEM or CSPM can’t touch every asset necessary to contextualize the entire cyber asset attack surface.

That’s where the JupiterOne Cyber Asset Management Platform comes in. We answer the complex security and infrastructure questions you weren’t able to before. Understand the contextual relationships between cyber assets and build the foundation for your cloud security program.

📜 In this newsletter...

  • AppSec: OPA/Rego pre-commit hooks, Cloudflare Pages bug write-ups

  • Web Security: Discovering origin hosts behind proxies/WAFs, CLI tool to parse Burp project files, Bug Hunter’s Methodology: Application Hacking v1

  • Supply Chain: NIST guide, three part how to SLSA guide by Google

  • Cloud Security: Lambda for website -> PDF, scan publicly accessible assets in your AWS environment, tools that use AWS logs to help with least privilege, video walkthrough series of flaws.cloud, integrating AWS Security Hub with Jira

  • Container Security: Bottlerocket OS security guidance, scanning Dockerfiles for security issues with Semgrep

  • Red Team: Convert PE so it can be injected like normal shellcode

  • Politics / Privacy: Open source tests for web browser privacy features

  • Misc: Useful Bash one liners, tracking startup layoffs, open database of >31M scholarly articles, generate memes with AI, how mindfulness can quell feelings of guilt

  • 17 reasons why you should be blogging: Jack Rhysider on the power of blogging

  • Quote: Colette on grief

AppSec

anderseknert/pre-commit-opa
Pre-commit git hooks for Open Policy Agent (OPA) and Rego development, by Styra’s Anders Eknert.

Cloudflare Pages, part 1: The fellowship of the secret
Assetnote’s James Hebden and Sean Yeoh describe finding a series of vulnerabilities in Cloudflare Pages. There’s a part 2 and 3, and see Cloudflare’s response as well. Great example of black-box testing: getting a foothold, probing to understand the attack surface, then escalating privileges.

Along this journey, we found a few things. Command injection, container escapes, our GitHub tokens, Cloudflare’s GitHub tokens, Cloudflare API Keys to Cloudflare Organisation, and Cloudflare’s Azure API tokens amongst other things.

Web Security

hakluke/hakoriginfinder
Tool by Hakluke for discovering the origin host behind a reverse proxy. Useful for bypassing WAFs and other reverse proxies. See also this Twitter thread for an overview of useful tools Hakluke has created over the years.

BuffaloWill/burpsuite-project-file-parser
A Burp Suite extension to parse project files from the command line and output the results as JSON, by Willis Vandevanter.

The Bug Hunter’s Methodology: Application Hacking v1
Slides from Jason Haddix’s NahamCon presentation (video here) on tech profiling, finding CVEs and misconfigurations, port scanning, content discovery, spidering, analyzing JavaScript, analyzing parameters for likely bug locations, and tons of useful tools along the way.

See also Jason’s threads:

Supply Chain

Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
326 page PDF by NIST providing guidance on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of your organization.

How to SLSA Part 1 - The Basics
Google’s Tom Hennen walks through how three fictional organizations (a package manager, an open source OS with an enterprise distribution, a mid-sized enterprise) would apply SLSA to meet their different needs.

  • Part 1: How and when do you verify a package with SLSA? How to handle artifacts without provenance?

  • Part 2: Where is the provenance stored? Where is the appropriate policy stored and who should verify it? What should the policies check? How do you establish trust & distribute keys?

  • Part 3: What does a secure, heterogeneous supply chain look like?

Cloud Security

Website to PDF using AWS Lambda Function URLs
Arctic Wolf’s Jobin Basani describes how to use AWS CDK to create a Lambda Function URL that converts a web page into a PDF file using chrome-aws-lambda and Puppeteer.

9rnt/poro
Scan for publicly accessible assets in your AWS cloud environment. Supports: AWS ELB, API Gateway, S3 Buckets, RDS Databases, EC2 instances, Redshift Databases.

Tools That Use AWS Logs to Help with Least Privilege
Great overview by Sym’s Adam Buggia on resources and tools for creating least privilege IAM policies. He discusses deriving AWS policies from CloudTrail Data vs designing policies using Client Side Monitoring (and their respective trade-offs), and how to generate policies for a Terraform Project using Localstack.
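The "derive a policy from CloudTrail" approach is easy to prototype. The script below is an added example (not one of the tools the post covers, and not Sym's code): it takes constructed CloudTrail-style records, maps `eventSource` + `eventName` to an IAM action, collects the resource ARNs each action touched, and emits one starting-point policy per principal. Two caveats the approach carries, both handled here as assumptions: the CloudTrail `eventName` is treated as if it were the IAM action name (it usually is, but not always, so review the output), and failed calls with an `errorCode` are skipped unless you ask for them, since a recorded `AccessDenied` tells you what a principal tried, not what it needs.

```python
"""Derive a starting-point least-privilege IAM policy per principal from
CloudTrail records. Added example, not a tool from the original post."""
import json
from collections import defaultdict

# Constructed CloudTrail-style records (not captured from a real account). The keys
# follow the CloudTrail schema: eventSource, eventName, userIdentity, resources, errorCode.
APP_ROLE = "arn:aws:iam::123456789012:role/app-role"
ALICE = "arn:aws:iam::123456789012:user/alice"
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": APP_ROLE},
     "resources": [{"ARN": "arn:aws:s3:::example-bucket/reports/q1.csv"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": APP_ROLE},
     "resources": [{"ARN": "arn:aws:s3:::example-bucket/reports/q2.csv"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"arn": APP_ROLE}, "resources": []},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem",
     "userIdentity": {"arn": APP_ROLE},
     "resources": [{"ARN": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"}]},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"arn": ALICE}, "resources": []},
    # A denied call: the user tried this, but the trail does not show it was needed.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": ALICE}, "resources": [], "errorCode": "AccessDenied"},
]


def iam_action(event):
    """Map eventSource + eventName to an IAM action string such as s3:GetObject.
    Assumption: eventName equals the IAM action name. That holds for most
    management events but not all, so treat the output as a draft to review."""
    service = event["eventSource"].split(".", 1)[0]
    return f"{service}:{event['eventName']}"


def resource_arns(event):
    """ARNs CloudTrail recorded for the call; '*' when it recorded none."""
    arns = sorted(r["ARN"] for r in event.get("resources", []) if "ARN" in r)
    return arns or ["*"]


def derive_policies(events, include_errors=False):
    """Return {principal_arn: policy_document} built from observed calls."""
    by_principal = defaultdict(lambda: defaultdict(set))  # principal -> action -> ARNs
    for ev in events:
        if ev.get("errorCode") and not include_errors:
            continue  # failed calls are not evidence the permission is needed
        principal = ev.get("userIdentity", {}).get("arn", "unknown")
        by_principal[principal][iam_action(ev)].update(resource_arns(ev))

    policies = {}
    for principal, actions in by_principal.items():
        # Merge actions that touched exactly the same set of resources into one statement.
        by_resources = defaultdict(set)
        for action, arns in actions.items():
            by_resources[frozenset(arns)].add(action)
        statements = [
            {"Effect": "Allow", "Action": sorted(acts), "Resource": sorted(arns)}
            for arns, acts in sorted(by_resources.items(), key=lambda kv: sorted(kv[0]))
        ]
        policies[principal] = {"Version": "2012-10-17", "Statement": statements}
    return policies


def policy_actions(policy):
    """Flat, sorted list of the actions a derived policy allows."""
    return sorted({a for s in policy["Statement"] for a in s["Action"]})


if __name__ == "__main__":
    print(json.dumps(derive_policies(SAMPLE_EVENTS), indent=2))
```

Two things to watch when running this over a real trail: S3 object-level calls such as `GetObject` only appear if data events are enabled on the trail, so a management-only trail yields a policy that is too tight and breaks the workload; and the resource list is every object the workload ever touched, which you would normally generalise to a prefix (`arn:aws:s3:::example-bucket/reports/*`) before deploying.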

Exploiting AWS: Flaws.Cloud | Level 1
Video walkthrough series by @daycyberwox on solving Scott Piper’s flaws.cloud challenges.

Bidirectionally integrate AWS Security Hub with Jira software
You can now automatically and manually create and update JIRA tickets from Security Hub findings.

Container Security

Bottlerocket OS Security Guidance
Bottlerocket is a Linux-based OS meant for hosting containers. This document contains a number of good hardening recommendations.

See also Bottlerocket’s Security Features, which include: automated security updates, immutable rootfs backed by dm-verity, stateless tmpfs for /etc, no shell or interpreters installed, executables built with hardening flags, and SELinux enabled in enforcing mode.

Scanning Dockerfiles for security issues + Contributing to Semgrep
Red Hat’s Florencio Cano describes scanning Dockerfiles with hadolint, realizing Semgrep has most of the same checks, trying it, and then contributing some improvements.

I saw something not working as expected and I was able to send a modification to the tool (Semgrep) to the authors which included it, again in only some hours. From idea to change in an existing tool in an afternoon. This is the power of open source.

Red Team

hasherezade/pe_to_shellcode
Converts a PE so that it can then be injected just like normal shellcode, by @hasherezade and @hh86.

Politics / Privacy

PrivacyTests.org
Open-source tests of web browser privacy for popular browsers: Brave, Chrome, Edge, Firefox, Safari, etc. State partitioning, navigation, HTTPS, fingerprinting resistance, and other tests.

Sponsor

📢 API Security Best Practices Guide

APIs drive today’s modern apps. Bad actors know the benefit of targeting APIs to get at valuable data, so API attacks are on the rise. Existing security tooling can’t stop API attacks - you need a new approach. Salt Security has compiled a set of API security best practices, drawn from customer experiences, to help you in this journey. Download the guide to build your plan for securing your external, internal, and partner APIs.

Misc

onceupon/Bash-Oneliner
A collection of handy Bash one-liners and terminal tricks for data processing and Linux system maintenance.

Layoffs.fyi
Tracks all tech startup layoffs since COVID-19. Potential resource for finding people to hire!

Unpaywall.org
An open database of >31M free scholarly articles. Ingests Open Access content from over 50,000 publishers and repositories, and makes them easy to find, track, and use.

Supermeme.ai
Generate original memes powered by AI.

According to a new paper, mindfulness may be especially harmful when we have wronged other people. By quelling our feelings of guilt, it seems, the common meditation technique discourages us from making amends for our mistakes.

In general, mindfulness seems to calm uncomfortable feelings, he says, which is incredibly useful if you feel overwhelmed by pressure at work. But many negative emotions can serve a useful purpose, particularly when it comes to moral decision making. Guilt, for example, can motivate us to apologise when we have hurt someone else, or to take reparative action that might undo some of the damage we’ve done.

17 reasons why you should be blogging

Great thread by Jack Rhysider. I’ve found most of these to be personally true for me as well.

10) Chances are, if you work in IT, the only people who know you’re any good are your co-workers and customers. Blogging expands that and suddenly there are people all over the world who respect you and appreciate your skills. This can open a lot of doors for new possibilities.

12) Now once you start putting content out into the world, some magic stuff happens. First people will start correcting you. It’s inevitable. Don’t take this negatively. Take it as an opportunity to learn how to do something even better or more thoroughly.

14) Did you know blogging was the precursor for my podcast? I blogged for 7 years before starting a podcast. It taught me how to write better, and produce content. It was from there that I got the idea and skills needed to podcast. Now I podcast full time. Blogs take you places.

15) If you blog for a while, you’re now a content creator with an audience. Chances are the blog won’t be the last thing you create. You can use your blog audience to seed your next project. My blog has been one of the best places to get new listeners for my podcast.

So to recap. By blogging you will become a better writer and communicator, learn the concepts better, open new opportunities, have a fantastic notebook for self reference, maybe make money, become appreciated by more people, and show off your IT skills.

Quote

“It’s so curious: one can resist tears and ‘behave’ very well in the hardest hours of grief. But then someone makes you a friendly sign behind a window, or one notices that a flower that was in bud only yesterday has suddenly blossomed, or a letter slips from a drawer… and everything collapses.” -Colette

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint