
[tl;dr sec] #148 - OWASP Kubernetes Top 10, GraphQL Batching Attacks, Abusing Debugging in Electron Apps

Top 10 Kubernetes ecosystem risks to consider, more effective GraphQL brute forcing with Turbo Intruder, running arbitrary JavaScript in Electron apps.

Hey there,

I hope you’ve been doing well!

Over 12,000 Subscribers 🎉

Welcome to the big group of people who joined this week! 👋

I’m excited you’re here, thanks for joining us.

Almost every Thursday for the past few years I’ve tried to share some of the best security blog posts, talks, and tools. And general interesting finds, career advice, and some humor, like:

It’s been quite the road to almost 150 issues, and to be honest I couldn’t have done it without all the kind words and encouragement people have shared.

It’s kept me going when the nights are late and I can hear other people outside having fun while I’m inside crying writing.

So thank you 🙏

Onwards!

Accepting Sponsors for 2023

Well, technically, we’ve already started booking into 2023 🙂

Is it worth it? I’ll let some prior sponsors speak for me:

“We’ll buy as many issues as you’ll sell us.” - Multiple companies

“tl;dr sec is our highest signal channel.” - Another sponsor

So far, five start-ups who sponsored tl;dr sec have been acquired. Not too shabby.

Whether you’re a scrappy start-up or security industry staple looking to keep growing, if you’d like to get your product or content in front of thousands of security professionals, reach out to [email protected].

Hope to hear from you 😀

Sponsor

📢 Accelerate mobile security research on the ONLY Arm-native platform

In today’s mobile security and pentesting world, security pros don’t have the time to matrix test countless combinations of phone models and OSs or rely on emulator tools that don’t provide real-world testing and lack advanced security tooling.

The Corellium Virtual Device Platform for iOS and Android opens the door for mobile cybersecurity R&D. It provides on-demand root access to any OS, including the latest iOS releases without needing a jailbreak.

See why enterprises, governments, and educational institutions run their mobile cybersecurity best practices on Corellium.

Corellium builds super cool tech. I’m nerding out a little bit having them as a sponsor 🤓

📜 In this newsletter...

  • Web Security: Local file inclusion discovery and exploitation tool, GraphQL batching attacks with Burp's Turbo Intruder, Burp plugin to cache and automatically refresh JWT tokens

  • AppSec: Tool to keep your shell command history from leaking secrets, a review of vulnerability databases and scoring methodologies, operationalizing an IaC security program, guide to implementing an effective SAST workflow

  • Cloud Security: Centralize findings and automate deletion for unused IAM roles, creating automation creds without exposing them to users, how resource-based policies work and how they can be abused, Azure middleware agents now support auto-patching

  • Container Security: Lazy wrapper for Trivy, a Kubernetes cluster sanitizer, OWASP Kubernetes Top 10

  • Red Team: A self-modifying cross-platform P2P botnet over TOR, two repos on abusing Node.js debugging functionality to run arbitrary JavaScript

  • Misc: Generate GIFs from asciicast files, a web scraping and browser automation library, use TouchID to authenticate sudo on macOS, the Museum of Mario, comparing costs across generations, why gas is comparatively cheap in America

Web Security

hansmach1ne/lfimap
A local file inclusion discovery and exploitation tool.

GraphQL Batching Attacks: Turbo Intruder
GraphQL allows multiple queries to be sent to the server in a single request in order to reduce the number of requests that the server has to process.

White Oak Security’s Michael Rand shows how batch queries + Turbo Intruder can be used for more effective brute force attacks; for example: password brute forcing, bypassing MFA, or enumerating object IDs to access sensitive data.
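As an added defensive example (not code from the White Oak Security post): a request-side check that counts both batching forms the post relies on, a JSON array of operations and many aliased selections inside one query, and rejects the request before any resolver runs, so a per-request rate limit again bounds the number of guesses. The limits and the sample login mutation are constructed.

```python
# Added example, not from the White Oak Security post: count the two batching
# forms (a JSON array of operations, and aliased selections inside one query)
# and reject oversized requests before any resolver runs. Limits are
# constructed; tune them per endpoint.
import json
import re

MAX_OPERATIONS = 10
MAX_ALIASES = 10

# Rough token-level match for `alias: field(` or `alias: field {`; it needs no
# full GraphQL parser and errs toward counting too many rather than too few.
_ALIAS_RE = re.compile(r"\b[A-Za-z_]\w*\s*:\s*[A-Za-z_]\w*\s*[({]")

def count_operations(body):
    """Return (operation_count, alias_count) for a parsed GraphQL HTTP body."""
    ops = body if isinstance(body, list) else [body]
    aliases = 0
    for op in ops:
        query = op.get("query", "") if isinstance(op, dict) else ""
        aliases += len(_ALIAS_RE.findall(query))
    return len(ops), aliases

def check_request(raw_body, max_ops=MAX_OPERATIONS, max_aliases=MAX_ALIASES):
    """Return (allowed, reason) for a raw GraphQL request body."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return False, "malformed JSON"
    ops, aliases = count_operations(body)
    if ops > max_ops:
        return False, f"{ops} batched operations exceed limit {max_ops}"
    if aliases > max_aliases:
        return False, f"{aliases} aliased selections exceed limit {max_aliases}"
    return True, "ok"

def build_alias_batch(n):
    """Constructed sample: n aliased login attempts packed into one mutation,
    the request shape the batching attack produces."""
    fields = " ".join(
        f'attempt{i}: login(username: "alice", password: "guess{i}") {{ token }}'
        for i in range(n)
    )
    return json.dumps({"query": f"mutation {{ {fields} }}"})

if __name__ == "__main__":
    print(check_request(build_alias_batch(3)))   # within budget
    print(check_request(build_alias_batch(50)))  # rejected
```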

Tool Release – JWT-Reauth
NCC Group intern Sam Leonard released JWT-Reauth, a Burp Suite plugin that caches authentication tokens from an “auth” URL and automatically refreshes them as needed.

AppSec

rusty-ferris-club/shellclear
A simple and fast way to secure your shell command history. Show sensitive command summary when opening a new terminal, clear sensitive commands from your shell history, stash your history command before presentations or screen sharing.

An Incomplete Look at Vulnerability Databases & Scoring Methodologies
Deep dive by Chris Hughes on some of the fundamental databases and scoring methodologies currently in use in the industry as well as some that are beginning to emerge as the digital landscape evolves.

He discusses: NVD, CVE, CVSS, the Global Security Database (GSD), Google OSV, and the Sonatype OSS Index.

Crawl, walk, run: Operationalizing your IaC security program
Bridgecrew’s Michael Urbanski shares a general plan for choosing your IaC security path, rolling out your program, and iterating along the way.

A Guide On Implementing An Effective SAST Workflow
Thirty Madison’s Anshuman Bhartiya on setting up a developer-friendly SAST workflow for free using open source tools: Semgrep and OWASP’s Defect Dojo.

He walks through several scenarios (push to the main branch, run on a schedule, when a PR is issued), and useful different scanning modes based on severity of identified issue and rule confidence (monitor only, PR comment, blocking).

Let’s say you made a strong case to buy an expensive SAST tool and ended up buying it. What happens after that? You are most likely going to put hours of your extremely valuable time triaging the findings and fine-tuning it only to realize that adoption of it across the engineering org is another herculean effort. This will soon turn out to be its own full time job - one that you most likely did not sign up for. I have had this belief for SAST tools for the longest time now until I fell in love with Semgrep.

Cloud Security

How to centralize findings and automate deletion for unused IAM roles
AWS’s Hong Pham describes how to apply resource tags on IAM roles and use Lambda/Step Functions to detect unused IAM roles and to require the owner of the IAM role (identified through tags) to take action.

Creating Automation Credentials Without Exposing Them To Users
2nd Sight Lab’s Teri Radichel continues her Automating Cybersecurity Metrics blog series, covering how to create secrets in AWS Secrets Manager with CloudFormation.

Misconfigured Resource-Based Policies
A resource-based policy is a type of policy that is attached directly to an AWS resource that describes what actions can be performed on it and by whom. Nick Frichette covers the intricacies of how resource-based policies work, and how they can be abused.

  • The “*” Principal and Risks

  • More Than Just S3 Buckets

  • Resource-Based Policy Evaluation Logic

  • “Not” Policy Elements
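As an added example (not Nick Frichette's code): a small checker for the patterns his post walks through, a "*" Principal with or without a narrowing Condition, and the inverted NotPrincipal/NotAction/NotResource elements in Allow statements. The sample policy, bucket name and account id are constructed.

```python
# Added example, not from the post: flag a "*" Principal (anyone, including
# anonymous callers) and the Not* elements, which match everything EXCEPT the
# listed values, in Allow statements of a resource-based policy.

def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def find_risky_statements(policy):
    """Return (Sid, finding) pairs for Allow statements that are public or
    use NotPrincipal/NotAction/NotResource. Deny statements only subtract
    permissions, so a Deny with NotPrincipal is the usual, intended form."""
    findings = []
    stmts = policy.get("Statement", [])
    for i, s in enumerate(stmts if isinstance(stmts, list) else [stmts]):
        sid = s.get("Sid", f"statement[{i}]")
        if s.get("Effect") != "Allow":
            continue
        if _is_public_principal(s.get("Principal")):
            if "Condition" in s:
                findings.append((sid, "Principal * narrowed only by Condition; verify the keys"))
            else:
                findings.append((sid, "public: Principal * with no Condition"))
        for key in ("NotPrincipal", "NotAction", "NotResource"):
            if key in s:
                findings.append((sid, f"{key} grants everything except the listed values"))
    return findings

SAMPLE_POLICY = {  # constructed; 111122223333 is a placeholder account id
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "AllowNotPrincipal", "Effect": "Allow",
         "NotPrincipal": {"AWS": "arn:aws:iam::111122223333:role/Admin"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyNotPrincipal", "Effect": "Deny",
         "NotPrincipal": {"AWS": "arn:aws:iam::111122223333:role/Admin"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
```

Run `find_risky_statements(SAMPLE_POLICY)` to see the three Allow statements flagged while the Deny form passes.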

Securing Azure middleware agents with new auto-patching capabilities
It turns out when you require your customers to manually patch critical vulnerabilities in software you installed for them that they often don’t know they have, update rates are low. Nice work from Wiz in pushing for auto-patching functionality 👍

Sponsor

📢 Forget everything you know about SSH

Say hello to Tailscale SSH — and say goodbye to managing SSH keys, setting up bastion jump boxes, and unnecessarily exposing your private production devices to the open internet. Never deploy an infrastructure bastion again.

SSH from mobile devices, and across OSes. Tailscale SSH works where Tailscale works. Code from an iPad to your Linux workstation, without having to figure out how to get your private SSH key onto it. Answer an on-call emergency from anywhere, which means you can leave your desk now.

I haven’t played with Tailscale in detail yet, but it’s up there on my list. The response of friends of mine who have has generally been, “Oh wow, this is pretty cool,” and “Hm, worked immediately, nice!”

Container Security

owenrumney/lazytrivy
A wrapper for Trivy by Aqua Security’s Owen Rumney that allows you to run Trivy without remembering the command arguments.

derailed/popeye
A Kubernetes cluster sanitizer, by Fernand Galiana. Popeye scans live Kubernetes clusters and reports potential issues with deployed resources and configurations. It sanitizes your cluster based on what’s deployed and not what’s sitting on disk. By scanning your cluster, it detects misconfigurations and helps you to ensure that best practices are in place, thus preventing future headaches.

OWASP Kubernetes Top 10
The list is aimed at helping security practitioners, system administrators, and software developers prioritize risks around the Kubernetes ecosystem. It’s a prioritized list of risks backed by data collected from organizations varying in maturity and complexity.

  1. Insecure Workload Configurations

  2. Supply Chain Vulnerabilities

  3. Overly Permissive RBAC Configurations

  4. Lack of Centralized Policy Enforcement

  5. Inadequate Logging and Monitoring

  6. Broken Authentication Mechanisms

  7. Missing Network Segmentation Controls

  8. Secrets Management Failures

  9. Misconfigured Cluster Components

  10. Outdated and Vulnerable Kubernetes Components

Red Team

ThrillQuks/Pitraix
A modern self-modifying cross-platform HTTP-based peer-to-peer botnet over TOR, by Mr. Cypher.

evilsocket/jscythe
Abuse the Node.js inspector mechanism to force any Node.js/Electron/v8 based process to execute arbitrary JavaScript code even if their debugging capabilities are disabled, by Simone Margaritelli. Works on Discord, Slack, etc.

xpcmdshell/electron-probe
By @actae0n: “Electron-Probe leverages the Node variant of the Chrome Debugging Protocol to execute JavaScript payloads inside of target Electron applications. This allows an attacker to extract secrets and manipulate the application as part of their post-exploitation workflow.”

Misc

asciinema/agg
A CLI tool for generating animated GIF files from asciicast v2 files produced by asciinema terminal recorder.

apify/crawlee
A web scraping and browser automation library for Node.js that helps you build reliable crawlers. Fast.

Use TouchID to Authenticate sudo on macOS
Your TouchID equipped Mac can easily be configured to use your fingerprint to approve sudo commands. You can also use your Apple Watch, if you have it set up to unlock your Mac.

The Museum of Mario
An interactive experience exploring the many eras of Mario. Turn on the audio and click around to find hidden interactions!

• Gen Z dollars today have 86% less purchasing power than those from when baby boomers were in their twenties.

• The cost of public and private school tuition has increased by 310% and 245%, respectively, since the 1970s.

• Gen Zers and millennials are paying 57% more per gallon of gas than baby boomers did in their 20s.

• In today’s dollars, Gen Zers and millennials are paying nearly 100% more on average for their homes compared with what baby boomers paid in the 1970s.

Why gas is actually cheap in America
Even though gas feels expensive, when you account for earnings, the U.S. has the cheapest gas in the world. The reason is that other countries tax gas more heavily. There’s a chicken-and-egg problem: gas was cheap, which led to urban sprawl, but low gas taxes led to less investment in public transport, which makes people more reliant on driving.

“Governments don’t pay for anything,” said Ted Kury, director of energy studies at the University of Florida. “The people pay, and if they’re not paying through taxes, then they’re paying through convenience, comfort, and safety.”

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint