[tl;dr sec] #169 - Top 10 Web Hacking Techniques of 2022, Finding Malicious Dependencies, Fearless CORS

Hey there,

I hope you’ve been doing well!

Coffee Snobs Aficionados

I’m not a big coffee person, but it seems like being into coffee is one of those Bay Area things.

A number of my friends have their go-to coffee shops, brands, and have experimented with (and own) 4+ ways to make coffee in their house.

I came across this and I had to share, I hope you feel seen, dear reader:

Have a great rest of your week and weekend!

PS. My colleagues and I at Semgrep just released some exciting new stuff, more details towards the end.

AppSec

mazen160/secrets-patterns-db
By Mazin Ahmed: Over 1,600 regexes for detecting secrets, passwords, API keys, tokens, and more.

Bearer/curio
By Bearer: A data-first security scanner that finds risks and vulnerabilities in your code so you can protect sensitive data (PHI, PD, PII).

A-Salt: attacking SaltStack
Skylight Cyber Security’s Alex Hill introduces a series of common misconfigurations they’ve seen in the wild in the IT orchestration platform SaltStack, as well as a novel template injection technique that can achieve remote code execution on a salt-master (or master-of-masters) server.

Web Security

botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study
Juan Botes’s on the PortSwigger Academy Burp Suite Certified Practitioner (BSCP) Exam topics, covering gaining a foothold, privilege escalation, data exfiltration, and more.

Fearless CORS: a design philosophy for CORS middleware libraries (and a Go implementation)
Epic deep dive by Julien Cretel on why developers struggle with CORS, his proposal for “Fearless CORS”, a design philosophy for better CORS middleware libraries with 12 principles, and a production ready Golang CORS middleware library fcors. If you’ve seen a more thorough treatise on CORS, please send it to me.

Top 10 web hacking techniques of 2022
Portswigger’s James Kettle et al share the list of some excellent research, including:

1. Account hijacking using dirty dancing in sign-in OAuth-flows by Detectify’s Frans Rosén.

2. Browser-Powered Desync Attacks by Portswigger’s James Kettle

3. Zimbra Email - Stealing Clear-Text Credentials via Memcache injection by Simon Scannell

Cloud Security

Updated ebook: Protecting your AWS environment from ransomware
By AWS’s Megan O’Neil and Merritt Baer: The new ebook includes the top 10 best practices for ransomware protection and covers new services and features that have been released since the original published date in April 2020.

Role Chain Juggling
Overview by Nick Frichette on a technique to maintain access to an AWS environment for an extended period of time when you don’t have the ability to create a new IAM user or create a new key for existing users.

How Adversaries Can Persist with AWS User Federation
CrowdStrike’s Vaishnav Murthy describes a technique that allows attackers to persist beyond credential revocation. How it works: obtain valid AWS API credentials with the necessary STS and IAM permissions, then use the sts:GetFederationToken API call to create a federated user session. Permissions and access to the federated sign-in session survive the deactivation of the base user’s API credentials.

Container Security

kubernetes-sigs/aws-iam-authenticator
A tool to use AWS IAM credentials to authenticate to a Kubernetes cluster.

Supply Chain

Open Software Supply Chain Attack Reference
Like MITRE ATT&CK but for supply chain security. OSC&R provides a comprehensive and actionable approach to understanding attacker behavior and techniques (TTPs) in the context of the software supply chain.

Chainguard to Accelerate VEX Adoption through OpenVEX Specification
Chainguard and collaborators have released OpenVEX, an implementation of the Vulnerability Exploitability Exchange (VEX) that is designed to be minimal, compliant, interoperable, and embeddable. VEX complements SBOMs, allowing suppliers to communicate the exploitability of components with known vulnerabilities in the context of the product in which they are used (that is, just because a product includes a vulnerable component does not mean it is exploitable).

Supply-Chain Security: Evaluation of Threats and Mitigations
Mercari’s Hashimoto Wataru details his research into attacks and mitigations related to supply chain security by examining the effectiveness of each countermeasure. The article provides a specific example of how Mercari was directly affected by the compromise of an external code coverage tool in their CI/CD pipeline.

Sigstore

sigstore/sigstore-python
A Python tool for generating and verifying Sigstore signatures. You can use it to sign and verify Python package distributions, or anything else!

A Guide to Running Sigstore Locally
Felix Wolff and Andrew Block have written a guide that demonstrates how to stand up a Sigstore deployment on your own infrastructure using Kubernetes. This can be useful in a corporate context with private repositories and private artifacts, so you don’t leak info to competitors about what you’re building or potential context for supply chain attacks.

Detecting Malicious Dependencies

How to identify and avoid malicious code in your software supply chain
In the final installment of his malicious package series, Jfrog’s Jonathan Sar Shalom describes several obfuscation techniques attackers use to hide malicious payloads (public obfuscator tools, control flow flattening, homoglyph characters, bidirectional control characters, anti-debug techniques) as well as best practices for detecting and preventing malicious packages.

Announcing GuardDog 1.0, with npm support, new heuristics, and easier CI integration
Datadog’s Christophe Tafani-Dereeper and Vladimir de Turckheim announce a new major version of GuardDog, an open source project that aims to identify malicious packages using Semgrep and package metadata analysis. The new version adds support for:

• Scanning npm packages

• Integration in CI pipelines with GitHub Actions and GitHub Code Scanning

• Verifying PyPI package integrity

Machine Learning

CloudGPT
Use ChatGPT to analyze AWS policies for vulnerabilities, by Mike Felch.

Nearly 30 percent of professionals say they have used ChatGPT at work
From a poll by the social network Fishbowl conducted from Jan. 4 to 8 among almost 4,500 professionals from various companies, including Amazon, Bank of America, Edelman, Google, IBM, JPMorgan and Twitter.

Security Code Review With ChatGPT
NCC Group’s Chris Anley walks through having ChatGPT explain several vulnerabilities in the ‘Damn Vulnerable Web Application’ (DVWA) and analyzes its results.

simonw/openai-to-sqlite
Utilities for interacting with OpenAI APIs and storing the results in a SQLite database, by Simon Willison.

hunkimForks/chatgpt-arxiv-extension
A browser extension that uses ChatGPT to summarize papers on arXiv, and generate: key insights, questions for the author, suggestions for related topics/future research directions, and relevant references.

Daniel Miessler asked GPT to caricature a New York Times story intro
I think it nailed it.

Tom Brady and Gisele Bündchen Face Off in AI Rap Battle
At a recent hackathon, a team build AI rap battle, which lets you enter the names of two famous people, pitting their stick-figure forms against each other in robot-voice rap battle, all set to a steady hip-hop beat.

Semgrep ❤️

Semgrep keeps getting better!

Here are some exciting things we launched (on Valentine’s Day 🎁):

• The OSS engine now has initial support for Rust and a few Lisps (Clojure, Scheme, etc.)

• The Semgrep Pro Engine now supports inter-file analysis for Java and JavaScript

• There are now >350 Semgrep Pro rules (high signal, artisanally crafted by Semgrep’s security research team, leveraging the latest engine features) covering secrets, XXE, deserialization, and more

• plus other stuff

You can read more on the announcement blog post.

If there’s anything you want more of, feel free to let me know!

Misc

2023 predictions
Rami McCarthy synthesizes 2023 predictions from 19 other posts/talks/etc.

git-sim: Visually simulate Git operations in your own repos
Easily get a visual picture of what any git command is going to do without running it.

The Ultimate Retaliation: Pranking My Roommate With Targeted Facebook Ads
Epic prank, I like it.

owasp-change/owasp-change.github.io
An open letter to the OWASP Board on how some core projects and community members would like things to change for their projects and communities to succeed and grow in the future.

microsoft/cadl
A language for describing cloud service APIs and generating other API description languages, client and service code, documentation, and other assets. Using Cadl, you can create reusable patterns for all aspects of an API, along with the ability to check for and flag known anti-patterns. These patterns establish “guardrails” for API designers and make it easier to follow best practices than deviate from them.

Replace Your Ex with Red Flags, Snakes and more with Picsart’s AI Replace
New feature from photo and video editing tool PicsArt.

Book: IBM and the Holocaust

✉️ Wrapping Up 

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint