[tl;dr sec] #177 AWS KMS Threat Model, DOM Invader, Forensics in the Cloud

Hey there,

I hope you’ve been doing well!

Easter

Ah Easter, the American holiday where we celebrate the resurrection of Jesus by hiding eggs for children to find.

When I was young, my parents would also sometimes hide Easter baskets, with candy or some small, personalized gifts in them.

One year, my siblings got some very thoughtful, customized gifts in their baskets and I got… a single, not inflated blue balloon 😆

It was clearly not a big deal, as I still remember it to this day.

But now I’m older, work at a start-up, and have Glengarry Glen Ross quotes tattooed on my body, so the only Easter present I need is:

#EggsAreForClosersOnly

AppSec Evolution - Functional Steps to Real Progress

I’m stoked to be doing a LinkedIn Live panel with Matt Johansen (Principal Security Architect at Reddit) and Harshil Parikh (former CISO and now CEO of Tromzo).

We’ll have an honest conversation about real application and product security challenges modern development teams are facing, with actionable insights on how leading organizations are tackling them.

When: Next Tuesday April 18, 10:30 AM PT

Where: here

AppSec

RefactorSecurity/vscode-security-notes
By Refactor Security’s Guillermo Gabarrin: Create notes during a security code review in VSCode and import your favorite SAST tool findings.

Rule Writing for CodeQL and Semgrep
Eugene Lim provides a detailed overview of the differences between writing rules for CodeQL and Semgrep, and includes some nice program analysis background.

Hakumarachi/Bropper
An automatic Blind Return Oriented Programming (ROP) exploitation tool, written in Python.

Argument Injection Vectors
A curated list of exploitable options when dealing with argument injection bugs, by Sonar Research. The payloads are categorized by the capability they provide: run a command, file write, file read, or load a library. For example:

BSidesSF and RSA

Phew, so many awesome things are coming up.

Here are a few things I and/or my colleagues at Semgrep will be up to.

BSidesSF
You can still register here!

Semgrep SF Community Happy Hour
Friday April 21st 3:30pm-5:30pm at Harlan Records

The rest on Saturday, April 22nd.

Workshop: Finding Bugs and Scaling Your Security Program with Semgrep
Learn about Semgrep from the people making it

Panel: Level Up Your Career: A Panel on Staff + Engineering
This is going to be 🔥 See also the Staff Security Engineer Stories.

Talk: When is a vulnerability, not a vulnerability?
Overcoming the inundation of noisy security alerts

RSA
RSA Executive Breakfast
Tuesday April 25th 8:30am at Shelby’s Rooftop Lounge. With Jim Manico and Tromzo!

Learning Lab: Adding SAST to CI/CD, Without Losing Any Friends
Wednesday April 26th 1:15pm-3:15pm. I’m finally giving a workshop with my bud Tanya Janca 🥰

Session: 5 Open Source Security Tools All Developers Should Know About
Thursday April 27th 10:50am-11:40am at RSA. With Semgrep co-founder Luke O’Malley and Jit co-founder David Melamed.

Web Security

How to use DOM Invader
Portswigger’s Gareth Heyes joins Lewis Ardern to discuss the awesome Burp Suite extension DOM Invader, a browser-based tool that helps you test for DOM XSS vulnerabilities using a variety of sources and sinks, including both web message and prototype pollution vectors.

EJS - Server Side Prototype Pollution gadgets to RCE
Kevin Mizu writes about his research on NodeJS templating libraries and how a Server Side Prototype Pollution gadget in the EJS library could be turned into RCE.

WebSockets are a Pain - A Journey in Learning and Leveraging
Andy Gill explores the technical aspects of WebSockets, explaining what they are and how they work. Additionally, Andy shares information about standalone implementations and C2 add-ons that can be utilized in frameworks such as Cobalt or Mythic to efficiently exchange data within an environment.

Opaque IDs: The ultimate protection against enumeration attacks 
Ricardo Ivan delves into the topic of resource IDs and highlights two types of attacks that can compromise their security: timing and enumeration attacks. Ricardo examines multiple techniques that can mitigate such attacks and provides readers with an npm package that utilizes AES-GCM to generate opaque, immutable, and secure IDs.

PHP filter chains: file read from error-based oracle
Synacktiv’s Remi Matasse explains various techniques that could be used to disclose the contents of a file through an error-based oracle in PHP filter chains. Remi explores different vulnerable patterns, potential mitigations, and provides a tool to automate the exploitation of this type of vulnerability.

Cloud Security

Intro to forensics in the cloud: A container was compromised. What’s next? 
Wiz’s Avigayil Mechtinger provides guidelines for ensuring a successful forensics process, a cheat-sheet that outlines recommended data sources and tools, and she walks through a real-life attack scenario of handling a compromised container.

The Complete Guide to SecDataOps and Vulnerability Management on AWS
Whitepaper by Lightspin’s Jonathan Rau on:

• The history and background of vulnerability management

• A tactical walkthrough of specific data capture tasks

• Key Risk Indicators for your security program as well as operational excellence metrics for demonstrating maturity of a SecDataOps program

AWS KMS Threat Model
Airwalk Reply’s Costas Kourmpoglou presents a threat model for the AWS Key Management Service (KMS) and uses an attack tree to illustrate the possible risks and mitigation strategies associated with various approaches to key management, from what happens when an adversary gets physical access to what happens when an AWS region is down.

The Old Faithful: Why SSM Parameter Store still reigns over Secrets
ManagerYan Cui explains why the Systems Manager (SSM) Parameter Store service is still the preferred choice over Secrets Manager due to its cost effectiveness, simplicity, and flexibility. However, there are three use cases where Secrets Manager may be preferable:

1. Replication secrets for multi-region applications

2. When working with large (> 8kb) secrets

3. If you need to share secrets cross-account.

Container Security

containerd completes fuzzing audit
ADA Logics’s Adam Korczynski and AWS’s Phil Estes describe how adding 28 fuzzers and using OSS-Fuzz uncovered four issues.

Helm completes fuzzing security audit
ADA Logics’s Adam Korczynski and David Korczynski and IBM’s Martin Hickey describe how adding 38 fuzzers and using OSS-Fuzz (via Go-fuzz) uncovered nine bugs.

Docker Desktop 4.18: Docker Scout Updates, Container File Explorer GA
Docker’s Chris McLellan and Nuno Coracao share various updates, the security-relevant ones related to Docker Scout, a tool that provides visibility into image vulnerabilities and recommendations for quick remediation.

New Scout features include a vulnerability quickview, image recommendations directly on the command line, improved remediation guidance with BuildKit SBOM utilization, and a preview feature comparing images (imagine using diff, but for container images).

Machine Learning

I’ve been reading about LangChain recently (H/T my bud Daniel Miessler for the encouragement), which is basically a glue library that makes it easy to do a bunch of things:

• Connect an LLM like GPT-4 with external data sources like APIs, your Google Docs, …

• Connect multiple models

• Do multi-step operations, even letting the model itself decide what to do next (and then do it)

• Easily ingest PDFs, chunk up large text so it can be processed, and much more.

I’ve found the YouTube series by Data Independent useful and very easy to follow. Super cool stuff, and amazing to see how fast progress is happening.

Announcing OpenAI’s Bug Bounty Program
They’re running it on Bugcrowd’s platform, rewards range from $200 to $20,000, and the top all-time submitters will be spared in the inevitable robot uprising.

Defamed by ChatGPT: My Own Bizarre Experience with Artificiality of “Artificial Intelligence”
ChatGPT falsely reported that the author, a professor, had been accused of sexual harrassment on a trip that hadn’t occurred, referencing a Washington Post article that doesn’t exist. Yikes.

pgosar/ChatGDB
Harness the power of ChatGPT inside the GDB or LLDB debugger, by Pranay Gosar.

yoheinakajima/babyagi
An example of an AI-powered task management system. You give it an objective, and then it uses OpenAI and Pinecone APIs to create, prioritize, and execute tasks. It can create tasks based on the result of previous tasks and the objective. The point here is you’re not giving it a detailed list of subtasks, you’re giving it a high level objective and it tries to figure out how to do that.

Very neat. Although I can’t help but read the name as “Baba Yaga” and think about John Wick, instead of Baby AGI.

Glaze
Academic project to add a cloak layer to digital art that makes it harder for AI to mimic.

GPT-4 Week 3. Chatbots are yesterdays news. AI Agents are the future. The beginning of the proto-agi era is here
Nice quick round-up.

AutoGPT Thread
A list of examples in which basically ML agents can be given a task, break it down into subcomponents, and then try to execute it- browse the web, interact with various APIs, summarize and/or reason about what it finds, etc.

GPT 4 Can Improve Itself - (ft. Reflexion, HuggingGPT, Bard Upgrade and much more)
Excellent high level overview of a number of recent academic papers. LLMs are becoming able to check their own work and correct errors, and are requiring less human-driven training and tuning. They can also call other models or tools that specialize in specific tasks.

From HuggingGPT: Solving AI Tasks with ChatGPT and its Friends in Hugging Face:

I’m dating a chatbot trained on old conversations between me and my ex

Should we automate the CEO?
NetDragon Websoft, a Hong Kong-based online gaming firm with $2.1B in annual revenue, appointed an AI to be CEO. Since doing that, the company has outperformed Hong Kong’s stock market.

Misc

Fly Spaceships, Battle Aliens and Drive a ‘Crazy Taxi’ at This Oakland Museum
A profile on the Bay Area’s only all-playable video game museum. Sounds awesome.

Eric Clapton, Luciano Pavarotti, East London Gospel Choir - Holy Mother (Live)
My mom shared this with me. Pretty moving.

Chris Farley Song - SNL
Adam Sandler sings a tribute to his friend and Saturday Night Live alum Chris Farley.

Chai-ching: Bubble tea is brewing up serious profits in the US
In 2023, the US market is estimated to be worth $640m, and $2.2B in a decade.

Comparing Star Wars and Harry Potter

✉️ Wrapping Up 

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint