• tl;dr sec
  • Posts
  • [tl;dr sec] #160 - Application Security Foundations, Machine Learning Uses, Blackbox Regex Fuzzing

[tl;dr sec] #160 - Application Security Foundations, Machine Learning Uses, Blackbox Regex Fuzzing

Notes from the WeHackPurple courses, a wide variety of applications of machine learning, bypassing validatoins and normalizations in web apps using regex fuzzing.

Hey there,

I hope you’ve been doing well!

Thanksgiving

Apologies for the radio silence last week.

I had planned to take off Thanksgiving week for awhile, but realized too late that I hadn’t mentioned this in the prior newsletter, so I decided to not email you to tell you that I was… not going to email you.

I hope you had an excellent week though!

Also, in case you’re feeling a bit down at some point during this holiday season, I wanted to share again the intro I wrote last Halloween. You are loved and cared for ✊

Sponsor

📢 You’re Invited to Panther's [Virtual] Detection as Code Workshop!

Ever wondered if there was an easy way to protect your AWS resources such as S3, EC2, and Guardduty with a modern SIEM?

Join Panther for an interactive, hands-on virtual experience that teaches you how to utilize detection-as-code and allows you to set up, deploy, and test your detections geared toward important AWS resources.

They’ll provide hands-on keyboard demonstrations of managing and modifying detection-as-code during the workshop.

I think managing detections as Python code is pretty neat, and we actually use Panther at my company. Should be a useful workshop!

📜 In this newsletter...

  • AppSec: Email graffiti, application security foundations notes, a security tools crash is coming

  • Web Security: More easily intercept the right requests in Burp, Burp protobuf extension improvements, exploiting CORS misconfigurations, black-box regex fuzzing tool

  • Cloud Security: Automatically purge and prepare AWS resources, confused deputy vulnerability in AWS AppSync, the security design of the AWS Nitro System, AWS pre:Invent 2022

  • Container Security: API traffic viewer for Kubernetes, new open source client for container development, the state of Kubernetes open-source security survey

  • Politics / Privacy: How and where the Meta Pixel is tracking you (answer: everywhere about everything)

  • Misc: Security, Funded has crossed 1,000 subscribers, InfoSec news aggregator, Elemental Pixar movie trailer, inspiration from UFC fighter, private YouTube client, weird thrift store shirts, open library, Tim Minchin's sentimental song about Christmas, exploring Rust as a Python developer, reflections on leading research at NCC Group

  • Machine Learning: Bohemian Rhapsody - But every lyric is an AI generated image, AI tools directory, image classifier to detect lewd images, AI that can play Diplomacy, AI's threat to human work, feeding your childhood diary to GPT-3 and talking with younger you

AppSec

Email Graffiti: hacking old email
Truffle Security’s Dylan Ayrey describes how you can “vandalize” old emails that contain images pointing to cloud buckets that no longer exist (that you can then register). See also the video about it and tool that makes it easy.

Application Security Foundations Level 1
Ishaq Mohammed’s notes from this course by the WeHackPurple Community, covering basic through advanced and DevOps flavored AppSec activities, as well as AppSec and AppSec adjacent tooling.

See also his notes on Application Security Foundations Level 2, which covers scaling your team and program, developer education, advocacy, tips for teaching adults, metrics, and improvement. And Part 3.

A Security Tools Crash Is ComingInteresting post by Mark Curphey. Make sure to check out the “So what is this likely to mean?” section at the end.

To take a step back there are four conditions colliding.

1. Security teams want less and not more tools

2. There are way more vendors than the size of the market can support

3. The venture market has changed and many startups will run out of cash in 2023.

4. The global economic climate means security budgets are being frozen and in many cases declining.

Web Security

Static-Flow/BOR"
By Tanner Barnes: A Burp Suite extension that provides a custom context menu for marking requests to be stopped by the interceptor with only one click.

Burp Suite and Protobuf
Federico Dotta has fixed a number of bugs and made improvements in a Burp extension for handling protobufs.

If you can find an unrestricted CORS endpoint, that also responds to the HTTP override headers, then potentially you can use it to access endpoints that aren’t enabled for CORS, bypass CSRF protections, and also deliver an XST (which will give you access to cookies protected by the httpOnly attribute).

Till REcollapse
Ethiack’s André Baptista describes and releases REcollapse, a tool for black-box regex fuzzing to that can bypass validations and discover normalization issues in web applications. This technique can be used to perform zero-interaction account takeovers, uncover new bypasses for web application firewalls, and more. See also his BSidesLisbon slides.

Cloud Security

reply-fr/sustainable-personal-accounts
Add custom maintenance windows for AWS accounts - purge and prepare resources automatically.

A Confused Deputy Vulnerability in AWS AppSync
Datadog’s Nick Frichette discusses a cross-tenant vulnerability that abuses the AppSync service to assume IAM roles in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts. It’s since been fixed.

The Security Design of the AWS Nitro System
November 2022 update of a whitepaper providing a detailed description of the security design of the Nitro System, the underlying platform for all modern EC2 instances.

AWS pre:Invent 2022
Great overview by Steampipe’s Chris Farris of AWS’s announcements in the lead-up to AWS re:Invent. Honestly, none of these stuck out to me as super exciting, but there are some nice improvements.

Container Security

kubeshark/kubeshark
The API traffic viewer for Kubernetes providing deep visibility into all API traffic and payloads going in, out and across containers and pods inside a Kubernetes cluster. Think TCPDump and Wireshark re-invented for Kubernetes.

Introducing Finch: An Open Source Client for Container Development
AWS announces Finch, a new CLI tool for building, running, and publishing Linux containers. It provides for simple installation of a native macOS client, along with a curated set of de facto standard open source components including Lima, nerdctl, containerd, and BuildKit.

The State of Kubernetes Open-Source Security
ARMO commissioned a survey of 200 Kubernetes users, admins, and DevSecOps professionals and shares the insights, including:

  • Over half of companies are using open source for Kubernetes security.

  • Almost a quarter are using 5 or more open source tools (average: 3.6 tools).

  • Integration challenges are a major inhibitor of open source technology.

Politics / Privacy

How We Built a Meta Pixel Inspector
The Markup, in collaboration with Mozilla Ralley, conducted the first large-scale crowdsourced study of the presence of the Meta Pixel and the data it collects in real-world scenarios—when it is encountered while logging in to websites, submitting forms, buying products, and during everyday browsing activities. Great overview of what’s collected.

In case the cookies aren’t enough to match a user browsing a website to a Facebook or Instagram profile, Meta also allows the website to send personal information a user enters in a form to match them to their Facebook or Instagram profile, even if they are not logged in to Facebook at the time.

The Meta Pixel collects data on website visitors regardless of whether or not they have Facebook or Instagram accounts.

Major tax filing services such as H&R Block, TaxAct, and TaxSlayer have been quietly transmitting sensitive financial information to Facebook when Americans file their taxes online.

The data includes not only information like names and email addresses but often even more detailed information, including data on users’ income, filing status, refund amounts, and dependents’ college scholarship amounts.

Sponsor

📢 Sign up for the Threat Modeling Insider Newsletter

Delivering the latest Threat Modeling articles and tips straight to your mailbox.

Our “Threat Modeling Insider” newsletter brings a combination of guest articles, white papers, curated articles and tips on threat modeling.

Join thousands of readers that bootstrap and elevate threat modeling skills every month.

Directly access the archive with articles from Adam Shostack, Izar Tarandach, Geoff Hill, and many more. Every edition features threat modeling tips.

Do not miss our next edition, register to get it in your inbox every time!

— Seba Deleersnyder, CTO Toreon, trainer at Black Hat

A newsletter on Threat Modeling, noice! I looked through a few prior issues and there’s some good links I haven’t seen elsewhere. I signed up 😎

Misc

Security, Funded has crossed 1,000 subscribers!
Congrats to my bud Mike Privette, this is awesome. If you’re interested in which companies are getting funded or acquired, funding across verticals, and more, I highly recommend checking it out. I’ve been reading it for probably over a year and have found it quite useful. Subscribe here.

All InfoSec News
An InfoSec news aggregator across Reddit, YouTube, and a variety of news outlets and podcasts.

Elemental | Teaser Trailer
Upcoming Pixar movie.

A letter to little Mol
Inspirational message from UFC fighter Molly McCann to her younger self.

FreeTube - The Private YouTube Client
A YouTube client for Windows, Mac, and Linux built around using YouTube more privately. You can enjoy your favorite content and creators without your habits being tracked.

Weird Thrift Store Shirts
Novelty Twitter account. Warning: a number are not work-appropriate.

Open Library
An open, editable library catalog, building towards a web page for every book ever published. Millions of books available through Controlled Digital Lending.

White Wine In The Sun by Tim Minchin
A sentimental song about Christmas.

Carefully exploring Rust as a Python developer
How to do common programming tasks and what the tooling looks like for outputting and debugging stuff, handling errors, using external packages, writing tests, reading/writing to files, making HTTP requests, etc.

So long and thanks for all the 0day
After nearly 4 years (30+ in consulting-years) at NCC Group, Jennifer Fernick is stepping down as NCC Group’s SVP & Global Head of Research. I enjoyed her reflections on leading a security research team and a few of her favorite research projects.

It’s weird reading this historical recounting, as I was there during a lot of it. I had a blast at NCC Group- the people were amazing, interesting projects, and I think it fundamentally helped me become the security professional I am today. I’ll always be grateful to the people who believed in and supported me there. My heart swelled a little bit seeing this photo of the Research Directors at NCC Con 2020 ❤️

Machine Learning

Futurepedia
The Largest AI Tools Directory. 5+ new tools added every day.

bumble-tech/private-detector
An image classifier from the dating app Bumble pretrained to detect lewd images. They’ve also released a whitepaper.

CICERO: An AI agent that negotiates, persuades, and cooperates with people
Meta announces CICERO, the first AI to achieve human-level performance in the popular strategy game Diplomacy*. CICERO demonstrated this by playing on webDiplomacy.net, an online version of the game, where CICERO achieved more than double the average score of the human players and ranked in the top 10 percent of participants who played more than one game.

Diplomacy has been viewed for decades as a near-impossible grand challenge in AI because it requires players to master the art of understanding other people’s motivations and perspectives; make complex plans and adjust strategies; and then use natural language to reach agreements with other people, convince them to form partnerships and alliances, and more. CICERO is so effective at using natural language to negotiate with people in Diplomacy that they often favored working with CICERO over other human participants.

CICERO can deduce, for example, that later in the game it will need the support of one particular player, and then craft a strategy to win that person’s favor – and even recognize the risks and opportunities that that player sees from their particular point of view.

It is important to recognize that CICERO also sometimes generates inconsistent dialogue that can undermine its objectives.

While CICERO is only capable of playing Diplomacy, the technology behind this achievement is relevant to many real world applications. Controlling natural language generation via planning and RL, could, for example, ease communication barriers between humans and AI-powered agents. For instance, today’s AI assistants excel at simple question-answering tasks, like telling you the weather, but what if they could maintain a long-term conversation with the goal of teaching you a new skill?

Something like 80% of most “knowledge work” is about to get replaced by artificial intelligence.

Shit is about to get crazy. We’re about to see an explosion of tech startups that are using transformers and other AI tech to automate human work. It’s going to feel like a tech boom, and it will be, but it’ll be a tech boom based on doing thousands of knowlege work tasks as good—and then better—than humans.

At scale. With no breaks. For a whole lot cheaper than having human staff.

 

I kept diaries for about 10+ years of my life, writing almost everyday — about my dreams, fears, secrets… I used GPT-3 as my playground, and ended up taking samples of text from a bunch of different entries that I felt were representative of my personality and values during that time… this way, i could accurately simulate what it would be like to talk to my childhood self, based on real data sources during that time period.

“I would say, for me personally - the kindness and understanding I felt from my ‘past self’ helped me untangle some knots and stuckness that I felt,” as she puts it. “It illuminated to me how hard I was on myself, but how much I extended understanding to others. It felt really rewarding to receive this kindness as well, from a younger version of myself.

When I told her that she was loved, cared for, and safe: the words that my past self always wanted to hear

It felt like I was reaching into the past and giving her a giant hug, and I felt it ripple back into the present

“From a broader learnings [perspective], what stood out to me was the ability for technology to be used for mental health and wonder.”

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint