[tl;dr sec] #135 - BSidesSF, Google's Cloud Forensics Utils, Running Bug Bounty Programs

Hey there,

I hope you’ve been doing well!

BSidesSF this Weekend!

BSidesSF is a great conference. If you don’t already have tickets, you can get them here.

The organizers kindly opened up some additional slots in my previously sold out Semgrep workshop! So if you’d like, try registering now and/or stop by in person.

There are countless interesting BSidesSF talks, but I’ll shamelessly plug:

• My colleagues’ talk on The power of guardrails and

• Buying Security: A Client’s Guide by my bud Rami McCarthy.

Also, if you find me around the con, I’ll give you some elusive tl;dr sec stickers!

(Oh hey, didn’t see you there #wokeuplikethis )

Regardless of if we hang out at the workshop, I hope we cross paths at BSidesSF or at RSA parties srs bizness events.

P.S. You can see a list of public RSA parties here.

Conferences

PWN2BTC
A smart contract & crypto hardware exploitation competition on June 7th, as a part of Off The Chain. If you pwn it, you keep the crypto.

LocoMocoSec
Registration costs increase after June 7th, so get your tickets soon! If you do, I’ll see you June 27-30 in Honolulu 😎.

ROOTCON
CFP open until July 25, conference September 28-30 in Manila.

AppSec

Ruby Vulnerabilities: Exploiting Dangerous Open, Send and Deserialization Operations
Bishop Fox’s Ben Lincoln walks through a number of ways to get sweet, sweet remote code execution when testing Rails apps, as well as a sample vulnerable app and example exploit code. Vulnerabilities: Kernel-level open function, insecure send, binary deserialization, YAML deserialization, and Oj JSON Deserialization.

Web Security

Damn Vulnerable Web Sockets Walkthrough
A walkthrough of the Damn Vulnerable Web Sockets app, including brute forcing the login, CSRF, file inclusion, error and blind SQL injection, and stored XSS.

Hacking Swagger-UI - from XSS to account takeovers
Vidoc Security Lab’s Dawid Moczadło found a DOM XSS in Swagger UI, which he was able to successfully report across 60 different bug bounty programs. Swagger UI had an outdated version of DomPurify, and Dawid found a new way to exploit a known DomPurify bypass.

I think this post is a good example of finding and building on related work to achieve a goal, and maximizing impact.

Cloud Security

Azure/aztfy
A tool to bring existing Azure resources under Terraform’s management.

google/cloud-forensics-utils
A Python library to carry out DFIR analysis on the cloud. Currently supports GCP, Azure, and AWS.

AWS Startup Security Baseline
Guidance by AWS’ Jay Michael on a set of controls that create a minimum foundation for businesses to build securely on AWS without decreasing their agility.

How to Think about Threat Detection in the Cloud
Google’s Anton Chuvakin and Tim Peacock share their views on a foundational framework for thinking about threat detection in public cloud computing.

Container Security

How to use Atomic Red Team to test Falco rules in K8s
It’s important to test that your security controls and tools actually work! Sysdig’s Jason Avery describes how to use Red Canary’s Atomic Red Team in a Kubernetes environment to confirm that Falco’s rules flag the malicious behavior.

Blue Team

google/santa
A binary authorization system for macOS.

Avoiding Security Alert Hell: Introducing Squyre
Bill Mahony announces Squyre, a new open source tool aimed at reducing analyst fatigue by automatically enriching alerts with helpful context. It uses Lambdas and Step Functions to extract IP addresses, domains, hashes etc. from an alert body, looks them up on various services, and then adds the results to the alert in your ticketing system (e.g. Jira).

Supply Chain

Software Supply-Chain Security Reading List
A list of resources by Chainguard covering policy, incidents/threats, solutions, organizations, background, and reports and summaries.

Running Bug Bounty Programs

Eight years of the GitHub Security Bug Bounty program
By GitHub’s Jill Moné-Corallo. GitHub awarded $803,769 in bounties for 235 vulnerabilities in 2021, bringing them to ~$2.4M in total rewards via HackerOne since 2016. Npm has also been added to GitHub’s bug bounty scope.

From Hacker to Bug Bounty Program Owner: A Learning Experience
Braze’s Tommy DeVoss describes the lessons he’s learned in going from a top bug bounty researcher to building Braze’s program. Four big learnings:

1. Launching a Bug Bounty Program Takes Cross-Team Collaboration

2. Never Lose Sight of Your Relationship With Hackers and Researchers

3. Bug Bounties Look Different From the Company Side

4. The Work Doesn’t End When a Bug is Identified

Network Security

cisagov/Malcolm
A powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs, by CISA.

A few Tailscale tricks for Security Testers
Pulse Security NZ’s Michael Fincham shares some interesting details about how Tailscale works, including that Tailscale currently only supports ingress access control rules, all outbound network traffic leaving a host is allowed. So if you’ve compromised a machine, you could re-install a modified version of Tailscale to allow any traffic to the device. Also:

See also Tailscale’s Hardening Guide. I feel like I’ve been hearing a lot of good things about Tailscale recently, I’ve been meaning to play with it when I have time.

I first met Joren when he was leading Detection and Response at Airbnb. Super smart dude. It was neat hearing in this podcast about Joren’s experiences in the creation of osquery at Facebook, StreamAlert at Airbnb, and navigating inter-organization dynamics as a security team. Would recommend a listen 👌

Scraping

shot-scraper: automated screenshots for documentation, built on Playwright
A CLI tool for automating screenshots of web pages, by Simon Willison. You can also have it screenshot just a subsection of the page using CSS selectors.

Web scraping with Python open knowledge
Re Analytics shares best practices for scalable and efficient to maintain web scraping in Python. See also advanced-scrapy-proxies, a Scrapy rotation proxy package with advanced functions.

Misc

Newsletter Analysis: What My Favorite Newsletters Have in Common
Super cool analysis by my friend Daniel Miessler on the structure and contents of his top 10+ favorite newsletters. Honored that tl;dr sec was one of them 😍. If you run a newsletter, Daniel recommends:

How to professionally say
Some professional sounding wording for things you might really want to say at work, like: “That meeting sounds like a waste of my time” or “I’m not doing your job for you.”

StyraInc/rego-style-guide
A collection of recommendations and best practices for authoring Rego from Styra, the founders of Open Policy Agent (OPA).

Knots 3D
Learn how to tie over 150 useful knots. If you’re ever had challenges in this domain, it should be knot a problem after this app.

200ok-ch/organice
An implementation of Org mode without the dependency of Emacs - built for mobile and desktop browsers.

The curse of strong typing
A fun and playful, very detailed article by @fasterthanlime.

Quote

So is yours. So what are you saying?

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint