[tl;dr sec] #100 - Visualizing Security, GraphQL, API Token Survey
Infosec infographics, GraphQL guide and server fingerprinting tool, a survey of the trade-offs of various API token types.
I hope you’ve been doing well!
I spent some time last weekend hanging out with a visiting friend, and we went to the Museum of Modern Art.
If you also live in the U.S., I hope you had a relaxing Labor Day weekend, and that there was no firefighting.
I never thought I’d say this, but the NSA director actually dropped a pretty good meme 👍
100 Issues & Over 8,000 Subscribers!
This week is the 100th issue of tl;dr sec, and it’s surpassed 8,000 subscribers! 🎂
This newsletter started about 2.5 years ago as an email I sent to a handful of friends who I had manually added to the list, after asking them 1:1 for permission.
Later, I remember sweating and shaking a bit before clicking the “Send” button every week, as there were now ~300 subscribers, many of whom I didn’t know! I was scared of embarrassing myself, bringing shame upon my family, etc.
Thankfully, that has (mostly) not happened.
For everyone who’s reached out with kind words over the years: thank you. Your kindness, and knowing you find tl;dr sec useful, has inspired me and kept me going.
I’m honored you let me share great security content with you, and here’s to many more years!
Lessons Learned
I’m planning to write up some reflections and lessons learned about this journey.
What would you like to know?
Feel free to reply directly; I’d love to hear what you’d find most interesting or useful so I can make sure to include it.
📢 Go Fuzz Yourself – How to Find More Vulnerabilities in APIs Through Fuzzing
The general approach to web app pentesting should include testing APIs. There’s a number of tools to choose from, but when the pentester doesn’t include fuzzing in her methodology, this can leave a number of critical vulnerabilities undetected. Alissa Knight and Detectify released new security research to show how fuzzing APIs will reveal more vulnerabilities. Get your copy of the Go Fuzz Yourself whitepaper.
📜 In this newsletter...
AppSec: Getting the max security from your C compiler
Cloud Security: Open source Cloud Security Posture Management tools, replacing SSH with AWS systems manager, replacing bastion hosts in GCP
Container Security: Kubernetes is too complex, visual guide to troubleshooting Kubernetes deployments
Politics / Privacy: Distinguishing hacktivists on the Risky Biz newsletter, how to find hidden cameras, China's been stealing >$200B in IP from U.S. for 20 years, Australian politician remixed
Visualizations: What happens when you type a URL into a browser, Linux kernel defense map, defense oriented infosec infographics
The Modern Trap of Feeling Obligated to Turn Hobbies Into Hustles: It's OK to do stuff for fun
Getting the maximum of your C compiler, for security
Airbus Security Lab’s Raphaël Rigo and Sarah Zennou list the flags you should use in GCC, Clang or MSVC, in order to: detect the maximum number of bugs or potential security problems, enable security mitigations in the produced binaries, and enable runtime sanitizers to detect errors (overflows, race conditions, etc.) and make fuzzing more efficient.
Authorization Testing: AuthMatrix - Part 1
White Oak Security’s Tib3rius describes how to effectively test access controls in web apps with complicated authz logic (e.g. multiple role types with different permissions) using the AuthMatrix Burp Suite extension.
By Dolev Farhi: A fingerprinting tool for GraphQL endpoints that sends a number of benign and malformed queries to determine the GraphQL engine being used. graphw00f then provides insights into what security defences each technology provides out of the box, and whether they are on or off by default.
The complete GraphQL Security Guide: Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready
WunderGraph’s Jens Neuse does a good job outlining common GraphQL issues and how and why they occur.
API Tokens: A Tedious Survey
Fly.io’s Thomas Ptacek gives a great, opinionated overview of various token types: simple random tokens, platform tokens, OAuth 2.0, JWT, Macaroons, throws shade on SAML, and more.
Inside Figma: getting out of the (secure) shell
Figma’s Hongyi Hu describes how they got rid of SSH and replaced it with AWS Systems Manager, Okta for SSO, and required WebAuthN for multi-factor authentication.
Great stuff: focus on developer experience, minimizing security team toil, adding guardrails for users, locking down Session Manager, and more.
Summer Blog Backlog: Distributed Systems
This post argues that Kubernetes has fundamentally too much accidental complexity, and that in the future it’ll be replaced by something with fewer new concepts that’s more compositional. I found the historical references to other domains interesting.
A visual guide on troubleshooting Kubernetes deployments
An impressively detailed and thorough guide by Daniele Polencic. Includes this great overview diagram, which, like looking up at the stars at night, reminds us of our insignificance in the face of Kubernetes’ complexity.
Politics / Privacy
Srsly Risky Biz: Thursday, September 2
If you didn’t know, Risky Biz has a newsletter! And it’s great. In this edition, Tom Uren had a long chat with The Grugq on distinguishing hacktivists vs nation state actors posing as them, as well as other topics.
Top counterintelligence official Mike Orlando on foreign espionage threats facing U.S.
Acting director of the National Counterintelligence and Security Center: the U.S. has experienced $200 billion to $600 billion a year in losses to intellectual property theft by China, every year for the past 20 years.
How Facebook Undermines Privacy Protections for Its 2 Billion WhatsApp Users
WhatsApp analyzes messages in two ways: a) AI that scans unencrypted metadata (names, profile images, phone numbers, related Facebook accounts, etc.) and b) a content moderation team that, whenever a message is “reported,” receives that message plus the four previous ones unencrypted.
If you want a messaging app whose financial incentive isn’t “know everything about you and target you with ads,” and that isn’t “0-click RCE as a service” (sorry iMessage): use Signal.
Gladys Berejiklian Takes Over The World
Someone hilariously remixed this Australian politician to say some… mean things.
Some nice visual overviews.
Linux Kernel Defense Map
Awesome resource by Alexander Popov covering vulnerability classes, exploitation techniques, bug detection mechanisms, and defense technologies. The following is a small snippet:
Infosec Infographics thread by John Lambert
Lots of great ones worth reviewing, but here are two to give you a taste:
You know, errr, totally unrelated to this newsletter 😅 But really, it’s important to remember stuff like this. Something I have to work on sometimes.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!