- tl;dr sec
- Posts
- [tl;dr sec] #153 - Postgres' Insecure Defaults, SBOM, Prototype Pollution
[tl;dr sec] #153 - Postgres' Insecure Defaults, SBOM, Prototype Pollution
How PostgreSQL server and client TLS defaults will make you sad, SBOM tools and reflections, walkthroughs to learn how prototype pollution works.
Clint Gibler
October 05, 2022
Hey there,
I hope you’ve been doing well!
🎉 Announcing: Semgrep Supply Chain
I wanted to let you know about something pretty cool my colleagues have been working hard on that just launched this week: Semgrep Supply Chain.
What’s unique about it is we use Semgrep’s code analysis capabilities to find not just that you have a dependency at a version with a known CVE, but that your code is actually calling the vulnerable methods(s) in that library.
We’ve found in practice this reduces alerts by ~98%. So you can use your political capital on getting developers to update the dependencies that matter.
A Bathroom I Wouldn’t Enjoy
I’m all for modern design and transparency in most things, but I think I’ve found my limit.
Sponsor
📢 Automated compliance. Continuous risk monitoring. Simplified audits.
In less than two years, Drata has shaken up the compliance automation space by not only offering automated evidence collection and continuous control monitoring, but also by simplifying auditor communications. With Drata, you can automate compliance for 14+ frameworks including custom frameworks and custom controls, connect over 75 deep integrations (not just plugins), and monitor risk all in one platform.
Need more evidence besides our #1 ranking for Cloud Compliance Software on G2? Book a demo and check out Drata for yourself.
📜 In this newsletter...
AppSec: Truffleproc, how Palantir manages continuous vulnerability scanning at scale
Web Security: Lessons learned from 220* IDOR bug reports, prototype poisoning explained, prototype pollution primer for pentesters
Database Security: The majority of PostgreSQL servers on the Internet are insecure, open source tool to protect your PostgreSQL traffic
Cloud Security: Cloud architecture diagrams as code, encryption in AWS and multi-account access, how to automatically build forensic kernel modules for EC2 instances
Container Security: A Kubernetes operator static analysis audit tool, Kubernetes multi-tenancy, awesome container tinkering
Politics / Privacy: Former Uber security chief convicted of covering up 2016 data breach, using facial recognition to match influencer photos with surveillance footage
Software Bill of Materials (SBOM): Catalogue all Kubernetes cluster images to multiple targets, tool to scan SBOMs for vulnerabilities, the SBOM frenzy is premature, a comparison of 5 SBOM tools
Machine Learning: A flower woman by 1500 artists, open source version control for machine learning projects, secure your machine learning code with Semgrep, prompt injection attacks against GPT-3, viral post generator
AppSec
controlplaneio/truffleproc
Hunt secrets in process memory (TruffleHog & gdb mashup), by ControlPlane.
How Palantir Manages Continuous Vulnerability Scanning at Scale
Palantir has developed a container vulnerability scanner that’s been integrated into their continuous deployment platform, and they use it to adhere to strict CVE SLAs. They use three major scanners today: Trivy, ClamAV, and Jfrog Xray. If a container or artifact scan fails a security check, it can be marked as recalled and can no longer be deployed.
Web Security
What I learnt from reading 220* IDOR bug reports
What nynan learned from scraping every IDOR report from HackerOne.
What is prototype poisoning? Prototype bugs explained!
Christoffer Jerkeby covers what prototype poisoning is, its impact, finding it with static and dynamic testing, and an overview of related work.
Of course, see also the OG prototype pollution work by Olivier Arteau, his NorthSec 2018 talk and paper.
Prototype Pollution Primer for Pentesters and Programmers
WithSecure’s Ben Berkowitz and Phil Sofia describe what JavaScript prototypes are, how they can get polluted, break down the structure of prototype pollution attacks into two stages (pollution and exploitation), demonstrate how to exploit the most recent version (v 3.6.0) of jQuery’s ajax() function in the process.
There’s also a companion HTML demo page where you can experiment with payloads and follow along with the sections in real time.
If an application does not require the ability to alter the Object prototype, the application can freeze it to prevent pollution in most cases (Object.freeze(Object.prototype)).
See also BlackFan/client-side-prototype-pollution, a list of examples of libraries that are vulnerable to prototype pollution and useful script gadgets that can be used to demonstrate the impact.
Database Security
The Majority of PostgreSQL Servers on the Internet are Insecure
Whoa, some epic results from bit.io’s Jonathan Mortensen et al. Also, this is a great example of a fairly thorough examination of an area, and detailed methodology write-up. I love reading posts like this.
At most 15% of the approximately 820,000 PostgreSQL servers listening on the Internet require encryption. In fact, only 36% even support encryption.
Most popular Postgres SQL clients will accept unencrypted connections without a warning.
Almost 12,000 (4.0%) of the certificates were expired, and more than 128,000 (43.3%) of the certificates were self-signed.
Don’t make databases available on the public internet
Impressive fast follow by Tailscale’s Dave Anderson on the above issue (Tailscale is also sponsoring tl;dr sec this week, woo!). They’ve open sourced a TLS-enforcing Postgres proxy. Great example of attacking an issue categorically instead of piecemeal.
This proxy sits between your Postgres client and your cloud-hosted database. It only accepts connections from clients over Tailscale, by using our tsnet library. This makes the client’s configuration irrelevant from a security perspective: no matter what transport security settings Postgres is using, the connection to the proxy is secured, authenticated, and authorized by Tailscale.
Cloud Security
Cloud Architecture Diagrams as Code
Create diagrams for AWS, GCP, Azure, a data ETL pipeline and more.
Encryption in AWS and Multi-Account Access
CloudQuery’s Jason Kao discusses how to encrypt everything in multi-account AWS environments and how to make encryption decisions. tl;dr:
For resources that may be shared across multiple accounts, use Customer Managed KMS Keys.
For resources that require encryption with FIPS 140-2 Level 3, have specific audit requirements, or cannot be stored in a shared environment, either use CloudHSM directly or AWS KMS with a custom key store backed by AWS CloudHSM clusters.
How to automatically build forensic kernel modules for Amazon Linux EC2 instances
This post walks through the EC2 forensic module factory solution to deploy automation to build forensic kernel modules that are required for EC2 incident response automation. Capture volatile memory with a tool like Linux Memory Extractor (LiME), and analyze the memory with a tool like Volatility2.
Sponsor
📢 Forget everything you know about SSH
Say hello to Tailscale SSH — and say goodbye to managing SSH keys, setting up bastion jump boxes, and unnecessarily exposing your private production devices to the open internet. Never deploy an infrastructure bastion again.
SSH from mobile devices, and across OSes. Tailscale SSH works where Tailscale works. Code from an iPad to your Linux workstation, without having to figure out how to get your private SSH key onto it. Answer an on-call emergency from anywhere, which means you can leave your desk now.
Container Security
controlplaneio/badrobot
By ControlPlane: A Kubernetes Operator audit tool that statically analyzes manifests for high risk configurations such as lack of security restrictions on the deployed controller and the permissions of an associated ClusterRole. The risk analysis is primarily focused on the likelihood that a compromised Operator would be able to obtain full cluster permissions.
Kubernetes Multi-tenancy
This official Kubernetes docs page provides an overview of available configuration options and best practices for cluster multi-tenancy (e.g. multiple teams within an organization, or multiple customers). Topics: control plane isolation, data plane isolation, additional considerations (e.g. priority and fairness, quality of service, etc.), and implementations.
iximiuz/awesome-container-tinkering
A list of awesome tools to tinker with containers, by Ivan Velichko. Categories:
Container runtimes
Image builders, viewers, editors
Development environments
Container networking tools
Interesting GitHub organizations
Politics / Privacy
Former Uber security chief convicted of covering up 2016 data breach
I will write more about this next week. I’ve interacted with Joe Sullivan a few times in person, and I believe he’s a good man who always aims to do the right thing.
This Controversial Artist Matches Influencer Photos With Surveillance Footage
Belgian artist Dries Depoorter created a controversial new online exhibit, The Follower, which combines facial recognition and surveillance camera footage to determine where influencer photos were taken. This was one artist, imagine what China is doing.
Software Bill of Materials (SBOM)
ckotzbauer/sbom-operator
By Christian Kotzbauer: Catalogue all images of a Kubernetes cluster to multiple targets with Syft. Currently Git, Dependency Track, OCI-Registry and ConfigMaps are supported.
devops-kung-fu/bomber
By DJ Schleen and Nick Hopkins: Tool to scans SBoMs for security vulnerabilities. Uses OSV as the default provider, and it supports the SPDX, CycloneDX, and Syft formats.
The SBOM frenzy is premature
Mark Curphey describes some SBOM caveats.
The first is that almost all package managers are non-deterministic, meaning that they will resolve dependencies by solving for all input conditions and not conditions individually.
A second problem lies again in that the primary use case being pushed is an attestation one. Procurement is a static event, open source consumption is dynamic.
5 tools for generating SBOM - Which is the best tool?
MergeBase’s Julius Musseau shares a comparison of five tools (CycloneDx, Syft, Microsoft’s tool, Fossa, Snyk) for how well they generate an SBOM both with and without source code available. Recommendation:
If you can, use CycloneDX native plugins for your software systems. These produce perfect SBOMs for your software that you can confidently share with your customers. But you must remember to enable CycloneDX for each language in your software (which can require a bit of work).
Machine Learning
A flower woman by 1500+ artists
Same prompt (“A woman with flowers in her hair in a courtyard, in the style of”), 1,500 artists.
DVC: Data Version Control
Open-source version control for machine learning projects. DVC tracks ML models and data sets, and is built to make ML models shareable and reproducible. It’s designed to handle large files, data sets, machine learning models, and metrics as well as code.
Secure your machine learning with Semgrep
To strengthen the machine learning ecosystem, Trail of Bits’s Suha Hussain has analyzed the source code of libraries and identified some common problematic patterns. They’ved turn those patterns into 11 newly released Semgrep rules so it’s easy to find and fix those potential bugs.
Prompt injection attacks against GPT-3
Neat post by Simon Willison. Prompt injection is basically SQL injection but for GPT-3 prompts. The way you use the GPT-3 API is by assembling prompts by concatenating strings together, often user input with a pre-written prompt string. This attack could leak prompts, cause unexpected behavior, etc.
Viral Post Generator
Given what you did today, some inspirational advice, and desired cringe level, this site uses AI to write the perfect LinkedIn post. Too real 😂
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint