• tl;dr sec
  • Posts
  • [tl;dr sec] #100 - Visualizing Security, GraphQL, API Token Survey

[tl;dr sec] #100 - Visualizing Security, GraphQL, API Token Survey

Infosec infographics, GraphQL guide and server fingerprinting tool, a survey of the trade-offs of various API token types.

Hey there,

I hope you’ve been doing well!

Holiday Weekend

I spent some time last weekend hanging out with a visiting friend, and we want to the Museum of Modern Art.

If you also live in the U.S., I hope you had a relaxing Labor Day weekend, and that there was no firefighting.

I never thought I’d say this, but the NSA director actually dropped a pretty good meme 👍

100 Issues & Over 8,000 Subscribers!

This week is the 100th issue of tl;dr sec, and it’s surpassed 8,000 subscribers! 🎂

This newsletter started about 2.5 years ago as an email I sent to a handful of friends who I had manually added to the list, after asking them 1:1 for permission.

Later, I remember sweating and shaking a bit before clicking the “Send” button every week, as there were now ~300 subscribers, many of whom I didn’t know! I was scared of embarrassing myself, bringing shame upon my family, etc.

Thankfully, that has (mostly) not happened.

For everyone who’s reached out with kind words over the years- thank you. Your kindness, and knowing you find tl;dr sec useful has inspired me and kept me going.

I’m honored you let me share great security content with you, and here’s to many more years!

Lessons LearnedI’m planning to write up some reflections and lessons learned about this journey.

What would you like to know?

Feel free to reply directly, I’d love to hear what you’d find most interesting or useful so I can make sure include it.


📢 Go Fuzz Yourself – How to Find More Vulnerabilities in APIs Through Fuzzing

The general approach to web app pentesting should include testing APIs. There’s a number of tools to choose from, but when the pentester doesn’t include fuzzing in her methodology, this can leave a number of critical vulnerabilities undetected. Alissa Knight and Detectify released new security research to show how fuzzing APIs will reveal more vulnerabilities. Get your copy of the Go Fuzz Yourself whitepaper.

📜 In this newsletter...

  • AppSec: Getting the max security from your C compiler

  • Web Security: Effective web app authorization testing, GraphQL server fingerprinter, GraphQL security guide, survey of API token types, JavaScript anti-debugging

  • Cloud Security: Open source Cloud Security Posture Management tools, replacing SSH with AWS systems manager, replacing bastion hosts in GCP

  • Container Security: Kubernetes is too complex, visual guide to troubleshooting Kubernetes deployments

  • Politics / Privacy: Distinguishing hacktivists on the Risky Biz newsletter, how to find hidden cameras, China's been stealing >$200B in IP from U.S. for 20 years, Australian politician remixed

  • Visualizations: What happens when you type a URL into a browser, Linux kernel defense map, defense oriented infosec infographics

  • The Modern Trap of Feeling Obligated to Turn Hobbies Into Hustles: It's OK to do stuff for fun


Getting the maximum of your C compiler, for security
Airbus Security Lab’s Raphaël Rigo and Sarah Zennou list the flags you should use in GCC, Clang or MSVC, in order to: detect the maximum number of bugs or potential security problems, enable security mitigations in the produced binaries, and enable runtime sanitizers to detect errors (overflows, race conditions, etc.) and make fuzzing more efficient.

Web Security

Authorization Testing: AuthMatrix - Part 1
White Oak Security’s Tib3rius describes how to effectively test access controls in web apps with complicated authz logic (e.g. multiple role types with different permissions) using the AuthMatrix Burp Suite extension.

For testing authorization logic, and I’d also recommend Justin Moore’s AutoRepeater Burp extension.

By Dolev Farhi: A fingerprinting tool for GraphQL endpoints that sends a number of benign and malformed queries to determine the GraphQL engine being used. graphw00f then provides insights into what security defences each technology provides out of the box, and whether they are on or off by default.

The complete GraphQL Security Guide: Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready
WunderGraph’s Jens Neuse does a good job outlining common GraphQL issues and how and why they occur.

API Tokens: A Tedious Survey
Fly.io’s Thomas Ptacek gives a great, opinionated overview of various token types: simple random tokens, platform tokens, OAuth 2.0, JWT, Macaroons, throws shade on SAML, and more.

Javascript Anti Debugging — Some Next Level Sh*t (Part 2— Abusing Chromium Devtools Scope Pane)
Some serious JavaScript chicanery by Gal Weizman. The Chromium Devtools Scope Pane can allow execution of JavaScript by the devtools while the main thread is paused by the debugger. This allowed him to write code that can determine which specific functions are being debugged, choose what action to take when a function is being debugged, and execute that action in a different parallel thread with full access to the main thread. PoC

What’s also very cool about this trick and will give a hard time to anyone trying to debug the attacker’s code is that the callback to be called when the function is being debugged cannot be debugged in the devtools because it is a piece of code that is being called by the devtools itself. Meaning the only way to successfully debug this function is via the developer tools of the developer tools!

Cloud Security

Inside Figma: getting out of the (secure) shell
Figma’s Hongyi Hu describes how they got rid of SSH and replaced it with AWS Systems Manager, Okta for SSO, and required WebAuthN for multi-factor authentication.

Great stuff: focus on developer experience, minimizing security team toil, adding guardrails for users, locking down Session Manager, and more.

Leaving Bastion Hosts Behind Part 1: GCP
Netskope’s Colin Estep discusses the GCP services, OS Login and Identity-Aware Proxy (IAP) to show how they can be used as an alternative to bastion hosts.

Container Security

Summer Blog Backlog: Distributed Systems
This post argues that Kubernetes has fundamentally too much accidental complexity, and that in the future it’ll replaced by something with fewer new concepts and that’s more compositional. I found the historical references to other domains interesting.

A visual guide on troubleshooting Kubernetes deployments
An impressively detailed and thorough guide by Daniele Polencic. Includes this great overview diagram, which, like looking up at the stars at night, reminds us of our insignificance in the face of Kubernetes’ complexity.

Politics / Privacy

Srsly Risky Biz: Thursday, September 2
If you didn’t know, Risky Biz has a newsletter! And it’s great. In this edition, Tom Uren had a long chat with The Grugq on distinguishing hacktivists vs nation state actors posing as them, as well as other topics.

Top counterintelligence official Mike Orlando on foreign espionage threats facing U.S.
Acting director of the National Counterintelligence and Security Center: the U.S. has experienced $200 billion to $600 billion dollars a year in losses to intellectual property theft by China. For the past 20 years.

How Facebook Undermines Privacy Protections for Its 2 Billion WhatsApp UsersWhatsApp analyzes messages in two ways: a) AI that scans unencrypted metadata (names, profile images, phone numbers, related Facebook accounts, etc.) and b) a content moderation team, that whenever a message is “reported,” receives that message + the four previous ones unencrypted.

If you want a messaging app whose financial incentives aren’t “know everything about you and target you with ads,” nor is it “0-click RCE as a service” (sorry iMessage): use Signal.

Gladys Berejiklian Takes Over The World
Someone remixed this Australian politician to say some… mean things, hilariously


Some nice visual overviews.

Linux Kernel Defense Map
Awesome resource by Alexander Popov covering vulnerability classes, exploitation techniques, bug detection mechanisms, and defense technologies. The following is a small snippet:

Infosec Infographics thread by John Lambert
Lots of great ones worth reviewing, but here are two to give you a taste:

You know, errr, totally unrelated to this newsletter 😅 But really, it’s important to remember stuff like this. Something I have to work on sometimes.

It’s okay to love a hobby the same way you’d love a pet; for its ability to enrich your life without any expectation that it will help you pay the rent.

What if we allowed ourselves to devote our time and attention to something just because it makes us happy? Or, better yet, because it enables us to truly recharge instead of carving our time into smaller and smaller pieces for someone else’s benefit?

How did we get to the point where free time is so full of things we have to do that there’s no room for things we get to do?

We don’t have to monetize or optimize or organize our joy. Hobbies don’t have to be imbued with a purpose beyond our own enjoyment of them. They, alone, can be enough.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!