[tl;dr sec] #104 - New Phrack, Often Missed Web Vulnerabilities, Facebook Whistleblower
New issue of Phrack, 10 often missed web vulnerabilities, Facebook whistleblower comes forward about the dangers of its products.
I hope you’ve been doing well!
Tell me X without X
A trend on Twitter is to say something like “Tell me you work in security without telling me you’re in security.”
Sometimes the threads are fun, sometimes I find them tiring.
But! I did come across this epic burn by Matt Stratton:
For context, Travis CI was bought by a private equity firm, laid off a number of senior engineers, and discontinued their free tier for OSS projects.
To be honest I feel bad about including this, because Travis was/is a truly trailblazing company and great product. Perhaps this is an example then of the value of running DevRel-y content past developers before posting.
Anywho- I’ll have an exciting update next week, stay tuned! 😎
📢 The DevSecGuide to Infrastructure as Code
🔬 Research on the state of IaC security
🦋 Practical steps for embracing a DevSecOps culture
🔐 Tips for embedding security throughout the DevOps lifecycle
📜 In this newsletter...
AppSec: Semantic search tool for C and C++, how Yandex does SAST, how to use GitHub Actions securely
Mobile Security: Decrypt iOS apps using r2frida
Web Security: 10 often missed web vulnerabilities, finding prototype pollution at scale
Cloud Security: Query your cloud environment via GraphQL, tool to analyze CloudFormation templates using IAM Access Analyzer, common API for AWS services, handling ransomware on AWS whitepaper, comparing R2 and S3
Infrastructure as Code: Interactive Terraform visualizer, infra as code for AWS orgs
Container Security: Verify container signatures in Kubernetes using Notary or Cosign, tool to configure k8s resources into re-usable supply chains
Red Team: Tool for hacking drones, new Phrack issue
Misc: How Jackie Chan does action comedy, stop motion Darth Vader
Facebook whistleblower: Tells Congress Facebook's products hurt kids and weaken democracy
AppSec
A fast and robust semantic search tool for C and C++ codebases designed to help security researchers identify interesting functionality in large codebases, by Google Project Zero’s Felix Wilhelm.
Company Wide SAST: How we do SAST at Yandex
ZeroNights talk by Yandex’s Evgenii Protsenko et al. describing the orchestrator they built to unify their SAST tools and how they write custom rules for Semgrep and CodeQL.
Protect Your GitHub Actions with Semgrep
r2c’s Grayson Hardaway gives a great overview of how GitHub Actions can be insecure and the impact (stealing secrets, backdooring the repo). There are actually a number of unexpected subtleties here that were interesting to read.
If you want to up your GitHub Action security game, this is probably one of the best posts I’ve seen in this space.
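As an added illustration (this is not code from the r2c post, and it is not their Semgrep rules), here is a small scanner for the best-known GitHub Actions footgun: attacker-controlled event data expanded by `${{ }}` directly into the shell of a `run:` step. The list of untrusted fields follows GitHub's own security-hardening guidance and should be treated as a starting point; the two workflows are constructed for the example.

```javascript
// Added example, not code from the r2c post: a minimal scanner for the classic
// GitHub Actions script-injection pattern, where an attacker-controlled event
// field is expanded by `${{ }}` straight into the shell of a `run:` step.

// Event-context fields an outside contributor can influence. The list follows
// GitHub's security-hardening guidance; treat it as a starting point rather
// than exhaustive.
const UNTRUSTED_FIELDS = new Set([
  'github.event.issue.title',
  'github.event.issue.body',
  'github.event.pull_request.title',
  'github.event.pull_request.body',
  'github.event.comment.body',
  'github.event.review.body',
  'github.event.pages.*.page_name',
  'github.event.commits.*.message',
  'github.event.head_commit.message',
  'github.event.head_commit.author.email',
  'github.event.head_commit.author.name',
  'github.event.commits.*.author.email',
  'github.event.commits.*.author.name',
  'github.event.pull_request.head.ref',
  'github.event.pull_request.head.label',
  'github.event.pull_request.head.repo.default_branch',
  'github.head_ref',
]);

// `github.event.commits[0].message` and `github.event.commits[*].message`
// both carry attacker-controlled data, so fold indexes into `.*`.
function isUntrusted(expr) {
  return UNTRUSTED_FIELDS.has(expr.trim().replace(/\[(\d+|\*)\]/g, '.*'));
}

const EXPR_RE = /\$\{\{\s*([\w.\[\]*]+)\s*\}\}/g;

// Walk the workflow line by line, tracking whether the current line is the
// value of a `run:` key (inline, or a `|`/`>` block scalar continuing on
// deeper-indented lines), and report untrusted expressions found there.
// Expressions elsewhere, e.g. under `env:`, are fine: the value reaches the
// script as an environment variable, not as shell syntax.
function scanWorkflow(text) {
  const findings = [];
  let blockIndent = -1;          // indent of the `run:` key while inside its block scalar
  text.split('\n').forEach((line, idx) => {
    const indent = line.search(/\S|$/);
    const runKey = line.match(/^\s*(?:-\s+)?run:\s*(.*)$/);
    let inRun = false;
    if (runKey) {
      inRun = true;
      blockIndent = /^[|>][-+]?\s*$/.test(runKey[1]) ? indent : -1;
    } else if (blockIndent >= 0 && line.trim() !== '' && indent <= blockIndent) {
      blockIndent = -1;          // dedent ends the block scalar
    } else if (blockIndent >= 0) {
      inRun = true;
    }
    if (!inRun) return;
    for (const m of line.matchAll(EXPR_RE)) {
      if (isUntrusted(m[1])) findings.push({ line: idx + 1, expr: m[1] });
    }
  });
  return findings;
}

// Constructed sample workflows (not from any real repository).
// Vulnerable: a PR titled  a"; echo pwned; echo "  becomes a shell command.
const VULNERABLE = [
  'name: greet',
  'on: pull_request_target',
  'jobs:',
  '  greet:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - run: |',
  '          echo "Reviewing: ${{ github.event.pull_request.title }}"',
  '          echo "Branch: ${{ github.head_ref }}"',
].join('\n');

// Hardened: pass the values through `env:`. The shell sees "$TITLE", which is
// expanded after the command line is parsed, so the title's contents cannot
// change the command structure.
const HARDENED = [
  'name: greet',
  'on: pull_request_target',
  'jobs:',
  '  greet:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - env:',
  '          TITLE: ${{ github.event.pull_request.title }}',
  '          BRANCH: ${{ github.head_ref }}',
  '        run: |',
  '          echo "Reviewing: $TITLE"',
  '          echo "Branch: $BRANCH"',
].join('\n');

console.log(scanWorkflow(VULNERABLE));   // two findings, lines 8 and 9
console.log(scanWorkflow(HARDENED));     // []
```

Note that both samples use `pull_request_target`, which runs with the base repository's write token and secrets even for pull requests from forks; that is exactly why injection there is worth catching, and it is also why checking out and executing the PR head in such a workflow is the other classic mistake.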
Web Security
10 Types of Web Vulnerabilities that are Often Missed
Nice overview by Hakluke and Farah Hawa. HTTP/2 smuggling, XXE via Office Open XML parsers, SSRF via XSS in PDF generators, XSS via SVG files, blind XSS, web cache deception, web cache poisoning, h2c smuggling, second order subdomain takeovers, postMessage bugs.
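To make the last item on that list concrete, here is an added example (not code from the post) of the postMessage receiver bug: origin checks that look plausible but are bypassable, beside the strict version. The listener is modelled as a pure function over `{origin, data}` so it runs in Node without a DOM; in a page it would be the body of `window.addEventListener('message', ...)`. The trusted origin, attacker hosts and message format are all made up for the example.

```javascript
// Added example, not code from the post: postMessage origin checks, weak and strict.
const TRUSTED_ORIGIN = 'https://app.example.com';   // assumed trusted sender

// Weak: substring match. Passes for https://app.example.com.attacker.net and
// for https://notapp.example.com, neither of which is the trusted site.
function substringOriginCheck(origin) {
  return origin.indexOf('app.example.com') !== -1;
}

// Also weak: prefix match. https://app.example.com.attacker.net still passes.
function prefixOriginCheck(origin) {
  return origin.startsWith(TRUSTED_ORIGIN);
}

// Strict: the whole origin (scheme, host, port) must equal an allowlisted value.
function strictOriginCheck(origin) {
  return origin === TRUSTED_ORIGIN;
}

// The receiver. Sink: a "navigate" command that sends the user somewhere.
// If the origin check can be fooled, any window that can reach this page
// (an embedder, or an opener) turns it into an open redirect.
// Returns the action the page would take, or null if the message is dropped.
function handleMessage(event, originCheck) {
  if (!originCheck(event.origin)) return null;
  let msg;
  try { msg = JSON.parse(event.data); } catch { return null; }
  if (!msg || msg.type !== 'navigate' || typeof msg.url !== 'string') return null;
  let url;
  try { url = new URL(msg.url); } catch { return null; }
  if (url.protocol !== 'https:') return null;   // rejects javascript: and data:
  return { action: 'navigate', url: url.href };
}

// Constructed messages.
const fromTrusted = {
  origin: TRUSTED_ORIGIN,
  data: JSON.stringify({ type: 'navigate', url: 'https://app.example.com/settings' }),
};
const fromAttacker = {
  origin: 'https://app.example.com.attacker.net',
  data: JSON.stringify({ type: 'navigate', url: 'https://login.attacker.net/' }),
};
const scriptUrl = {
  origin: TRUSTED_ORIGIN,
  data: JSON.stringify({ type: 'navigate', url: 'javascript:alert(document.domain)' }),
};

console.log(handleMessage(fromAttacker, substringOriginCheck)); // redirect accepted
console.log(handleMessage(fromAttacker, prefixOriginCheck));    // redirect accepted
console.log(handleMessage(fromAttacker, strictOriginCheck));    // null
console.log(handleMessage(fromTrusted, strictOriginCheck));     // { action: 'navigate', url: 'https://app.example.com/settings' }
console.log(handleMessage(scriptUrl, strictOriginCheck));       // null
```

The value check on `url` is deliberately kept even with a strict origin check: a trusted origin can itself be XSSed, so the receiver should validate the payload as well as the sender. The mirror-image bug on the sending side is `postMessage(data, '*')`, which hands the data to whatever document happens to be loaded in the target window.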
Exploiting Client-Side Prototype Pollution in the wild
Great work by Sergey Bobrov, s1r1us and others in finding prototype pollution issues at scale. The post has some useful methodology tips and links to various tools and other resources. They found 18 vulnerable libraries, reported ~80 bugs to vulnerability disclosure programs, and overall found more than 1,000 vulnerable websites.
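For readers who have not seen the bug class up close, here is an added example of a client-side prototype pollution chain in three parts: an unsafe recursive merge (the source), a renderer that trusts an option it expects callers to set (the gadget), and the fixed merge. This is illustration code, not the authors' tooling or any of the 18 libraries they found; the names `mergeUnsafe`, `renderComment` and `allowHtml` are made up here.

```javascript
// Added example, not the authors' code: client-side prototype pollution,
// from source through gadget, and the fix.

// Source. JSON.parse('{"__proto__": ...}') yields an *own* property literally
// named "__proto__". The loop copies it, and `target["__proto__"]` resolves to
// Object.prototype, so the recursion writes attacker keys onto every object.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Fix. Refuse the keys that reach the prototype chain, iterate own keys only,
// and only recurse into objects the target itself owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Gadget. A fresh `{}` normally has no allowHtml, so text is escaped. Once
// Object.prototype.allowHtml is true, the lookup walks the chain and finds it.
function renderComment(text, options = {}) {
  if (options.allowHtml) return text;                     // raw HTML sink
  return text.replace(/[&<>"']/g,
    c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Constructed attacker input, e.g. taken from location.hash or a query string
// that the page parses into an object and merges into its config.
const PAYLOAD = '{"__proto__": {"allowHtml": true}}';

// Run the chain with a given merge, then clean up so the rest of the process
// is not left polluted. Returns whether `{}` inherited the flag and what the
// renderer produced for a hostile comment.
function demo(merge) {
  merge({ theme: 'dark' }, JSON.parse(PAYLOAD));
  const output = renderComment('<img src=x onerror=alert(1)>');
  const polluted = ({}).allowHtml === true;
  delete Object.prototype.allowHtml;
  return { polluted, output };
}

console.log(demo(mergeUnsafe)); // { polluted: true, output: '<img src=x onerror=alert(1)>' }
console.log(demo(mergeSafe));   // { polluted: false, output: '&lt;img src=x onerror=alert(1)&gt;' }
```

The gadget is the part that varies most between real targets: the merge only sets an inherited property, and it is whichever library later reads an unset option (a template engine, a sanitizer config, a jQuery `$.ajax` setting) that turns it into script execution. Blocking the three keys is the fix at the source; building config objects with `Object.create(null)` removes the gadget on the consuming side.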
Cloud Security
CloudGraph is an open-source GraphQL powered search engine that makes it easy to query your cloud infrastructure and configuration so that you can solve a host of complex security, compliance, and governance challenges.
Validate IAM policies in CloudFormation templates using IAM Access Analyzer
AWS’ Matt Luttrell introduces IAM Policy Validator for CloudFormation (cfn-policy-validator), an open source tool that extracts IAM policies from a CloudFormation template, and allows you to run existing IAM Access Analyzer policy validation APIs against the template.
AWS Cloud Control API, a Uniform API to Access AWS & Third-Party Services
Cloud Control API is a standard set of APIs to Create, Read, Update, Delete, and List (CRUDL) resources across hundreds of AWS Services and dozens of third-party services. Basically, instead of having different naming conventions across services, you have common verbs like CreateResource, GetResource, etc.
Introducing the Ransomware Risk Management on AWS Whitepaper
AWS’ Temi Adebambo announces a whitepaper that aligns the NIST recommendations for security controls related to ransomware risk management with workloads built on AWS. The whitepaper maps those technical capabilities to AWS services and gives implementation guidance.
A comparison of Cloudflare’s R2 and AWS S3, covering:
Who could benefit from switching
What would stop ideal customers from adopting R2
Who is better served by other providers
What we still don’t know about R2
Infrastructure as Code
Interactive Terraform visualizer. Explore the relationships and dependencies between various Terraform resources.
An Infrastructure as Code (IaC) tool for AWS Organizations.
Container Security
Verify Container Signatures in Kubernetes using Notary or Cosign
Christoph Hamsen discusses v2.0 of Connaisseur, an admission controller to integrate container image signature verification and trust pinning into a Kubernetes cluster. v2.0 adds support for multiple keys and signature solutions.
“Cartographer allows users to configure Kubernetes resources into re-usable supply chains that can be used to define all of the stages that an Application Workload must go through to get to an environment,” by @OssCartographer.
Misc
Jackie Chan - How to Do Action Comedy
Since I was young, I’ve been a huge fan of Jackie Chan’s movies. I really enjoyed this breakdown of shot and editing choices as well as Jackie’s willingness to do hundreds of takes to make things perfect.
Moving Darth Vader’s Force FX Lightsaber in Stop Motion
Darth Vader playing with his pet AT-AT, pretty cute.
Facebook whistleblower
From Frances Haugen’s ~13min 60 Minutes interview:
To quote from one of the internal resources she shared:
Fascinatingly, EU politicians apparently reached out to Facebook after its 2018 algorithm change, and said they:
So politicians feel like they have to change their messaging and adopt more extreme positions to get competitive levels of engagement on Facebook.
I’m going to repeat that because it’s crazy: a social media company’s algorithms are directly impacting political rhetoric and positions, and thus the direction of nations.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!