[tl;dr sec] #109 - Breaking Stateless Authentication, Secrets, Unicode Chicanery

A tool to detect misconfigured session implementations, scanning Docker Hub for secrets and determining the impact of leaked secrets, Semgrep rule for the Trojan Source bug.

Hey there,

I hope you’ve been doing well!

Password Advice

As you know, secrets and passwords are critical for security.

You’ll see some great work in that space further down this issue.

But I wanted to start straight out of the gate with some helpful advice from this TikTok:

r2c and Semgrep Updates

A bit ago my colleagues wrote about our Fall Updates.

tl;dr: Semgrep’s taint mode has been improved, Terraform support has been added, and the new --config=auto mode automatically and dynamically selects relevant Semgrep Registry rules for you based on your project’s language and frameworks.

But most of all, I wanted to share with you this line by my bud Bence Nagy, which is probably one of my favorite sentences I’ve read in a while 🤣

Of course, this ain’t but a quaint example to acquaint you with taint mode, so to paint a less faint picture of it, we also published a much more in-depth article.


📢 API Security for Dummies eBook

APIs have dramatically altered the application attack surface. As part of our continuing mission to educate organizations, Salt Security recently released “API Security for Dummies” to address how and why the app dev world has changed and why additional protections are needed. Download the eBook here to learn the most critical elements of API security and get ten prioritized steps you can follow now to start securing APIs for your organization.

📜 In this newsletter...

  • AppSec: OWASP Global AppSec 2020 videos, beginner's guide to game hacking

  • Secrets: Hunting for secrets in Docker Hub, know if private keys are sensitive

  • Unicode Chicanery: Semgrep rule to detect the Trojan Source bug, more Unicode tricks in JavaScript

  • Web Security: How to evade bot detection, a tool for breaking stateless authentication, tool to search for default creds

  • Cloud Security: Automatically generate diagrams from AWS CDK, tool that automatically scans all IAM Managed Policies with Cloudsplaining, detailed walkthrough of impactful Azure bug

  • Continuous Compliance: Streamline 15 SOC 2 controls, continuous compliance on AWS

  • Container Security: A Kubeconfig canarytoken, Kubernetes API access security hardening

  • Politics: What happens when your city's budget is kept afloat by rich donors

  • Misc: A visual diagram of 188 cognitive biases

  • Humor: Things to say when you're losing a tech argument, Corey Quinn's updated mottos for companies

  • Aphorism: By Polya

AppSec

OWASP Global AppSec Virtual 2020
YouTube playlist with talks on AppSec, web security, threat modeling, IoT, machine learning, cloud and container security, and more.

A Beginner’s Guide to Understanding Game Hacking Techniques
Free ~500 page PDF covering the basics, debugging and reversing, RTS and FPS hacks, multiplayer, tool development, and more, by Game Hacking Academy.

Secrets

Secrets exposed in Docker images: Hunting for secrets in Docker Hub
GitGuardian’s Henri Hubert describes scanning 2,000 public Docker containers and finding secrets in ~7% of them. The post has some useful tips on how secrets make their way into Docker containers and how to search for them: use the Docker manifest file to focus on the layers where files are manually added or copied, or where environment variables are modified.
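The layer-triage idea above, as an added example (my own code, not GitGuardian’s): parse the `history` array of an image config blob (the structure the manifest points to) and pick out the ADD/COPY steps whose layer tar deserves a secret scan, plus ENV steps whose variable name looks credential-bearing. The sample config is constructed.

```python
import json
import re

# Constructed sample: the "history" array of an image config blob, the
# structure the manifest references and `docker image inspect` shows.
SAMPLE_CONFIG = json.dumps({"history": [
    {"created_by": "/bin/sh -c #(nop) ADD file:9a1b2c in / "},
    {"created_by": "/bin/sh -c #(nop)  CMD [\"bash\"]", "empty_layer": True},
    {"created_by": "/bin/sh -c apt-get update && apt-get install -y curl"},
    {"created_by": "/bin/sh -c #(nop) COPY dir:4d5e6f in /app"},
    {"created_by": "/bin/sh -c #(nop)  ENV DB_PASSWORD=constructed-example-pw",
     "empty_layer": True},
    {"created_by": "/bin/sh -c #(nop)  ENV PATH=/usr/local/bin:/usr/bin",
     "empty_layer": True},
]})

NOP = re.compile(r"#\(nop\)\s+(\w+)\s*(.*)$")
SENSITIVE_ENV = re.compile(r"(SECRET|PASSW|TOKEN|API_?KEY|PRIVATE|CREDENTIAL)", re.I)


def parse_instruction(created_by):
    """Map a history entry's created_by string to (INSTRUCTION, argument)."""
    m = NOP.search(created_by)
    if m:
        return m.group(1).upper(), m.group(2).strip()
    # Anything without a #(nop) marker is a RUN step that produced a layer.
    return "RUN", created_by.split("/bin/sh -c", 1)[-1].strip()


def triage_history(config_json):
    """Return the steps worth scanning for secrets.

    file_steps: indices of ADD/COPY steps; their layer tars hold files that
                were placed into the image by hand, so scan their contents.
    env_findings: ENV steps whose variable name looks credential-bearing;
                  the value is already exposed in the config itself.
    Only the first NAME=value of a multi-assignment ENV line is inspected.
    """
    history = json.loads(config_json)["history"]
    file_steps, env_findings = [], []
    for i, entry in enumerate(history):
        instr, arg = parse_instruction(entry.get("created_by", ""))
        if instr in ("ADD", "COPY") and not entry.get("empty_layer"):
            file_steps.append(i)
        elif instr == "ENV":
            name = arg.split("=", 1)[0]
            if SENSITIVE_ENV.search(name):
                env_findings.append((i, name))
    return {"file_steps": file_steps, "env_findings": env_findings}
```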

H/T Daniel Bilar for the heads-up on this related talk:

Driftwood: Know if Private Keys are Sensitive
Excellent work by Truffle Security’s Dylan Ayrey in determining the impact and blast radius of leaked secrets. Basically, they found 50,000 secret keys using TruffleHog, then compiled a database of billions of TLS (from certificate transparency) and SSH (from GitHub, which lets you authenticate via SSH) public keys.

By comparing these, you find a bunch of TLS certs you can now transparently intercept, and GitHub repos you can push to.

Interestingly, a number of the keys were found in repos totally unrelated to the impacted user, and in some cases were in directories marked as “test” or “tutorial.” They’ve open sourced driftwood, a tool that lets you look up if a private key is used for things like TLS or as a GitHub SSH key for a user.

Unicode Chicanery

Dropbox’s April King’s Semgrep rule for the Trojan Source bug
It flags bidirectional characters in source code. See the rule on GitHub here, play with it in your browser here. Run it on your source code via CLI:

$ semgrep --config "p/supply-chain"

The Invisible JavaScript Backdoor
Certitude Consulting’s Wolfgang Ettlinger points out other Unicode subtleties, including an invisible Unicode character that can be interpreted as an identifier/variable in JavaScript, and mentions a potential homoglyph attack involving Unicode characters that look like various operators (e.g. “/”, “−”, etc.).
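A plain-Python counterpart to the Semgrep rule above and to Wolfgang's invisible-identifier point, added here as an example (not April King's rule or Certitude's code): it walks a source file character by character and reports bidirectional controls, other Unicode format characters, and the Hangul Filler U+3164 that JavaScript accepts inside identifiers. The sample snippet is constructed.

```python
import unicodedata

# The bidirectional override/embedding/isolate controls that Trojan Source abuses.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF", "\u202D": "LRO",
    "\u202E": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}


def scan_source(text):
    """Return (line, col, codepoint, reason) for each suspicious character.

    Flags bidi controls, any other format character (category Cf, e.g. a
    zero-width joiner), and U+3164 Hangul Filler, which is category Lo and
    therefore a valid, yet blank-rendering, JavaScript identifier character.
    A byte-order mark as the very first character is tolerated.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch == "\ufeff" and lineno == 1 and col == 1:
                continue
            if ch in BIDI_CONTROLS:
                reason = "bidi control " + BIDI_CONTROLS[ch]
            elif ch == "\u3164":
                reason = "invisible Hangul Filler (valid JS identifier char)"
            elif unicodedata.category(ch) == "Cf":
                reason = "format character " + unicodedata.name(ch, "?")
            else:
                continue
            findings.append((lineno, col, f"U+{ord(ch):04X}", reason))
    return findings


# Constructed sample: line 2 hides an early `return` behind an RLO/LRI/PDI
# sequence so the rendered comment reads harmlessly; line 5 declares a
# variable whose name is a single invisible Hangul Filler.
SAMPLE_JS = (
    "function check(access) {\n"
    "  /* \u202E } \u2066if (isAdmin)\u2069 \u2066 begin admins only */\n"
    "  return access;\n"
    "}\n"
    "const \u3164 = 1;\n"
)
```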

Web Security

By Dariusz Niespodziany: This is probably one of the most detailed breakdowns I’ve seen about evading bot detection and scraping the web without getting blocked.

Introducing CookieMonster: a tool for breaking stateless authentication
Very cool work by Ian Carroll. CookieMonster is a high performance tool for detecting misconfigured session implementations in web apps. It can rapidly find misconfigured secret keys in applications using Laravel, Flask, Django, JWTs, and more.

By Viral Maniar: Search for default credentials for network devices, web applications, and more. 523 vendors and their 2084 default passwords.

Cloud Security

By Tom Roshko: Automatically generate diagrams for your AWS CDK provisioned infrastructure. Uses Graphviz.

A tool that automatically downloads and keeps a local copy of all AWS IAM Managed Policies, and runs Cloudsplaining on them. By Victor Grenu and Tenchi Security’s Alexandre Sieira.

ChaosDB Explained: Azure’s Cosmos DB Vulnerability Walkthrough
Great walkthrough example of exploring attack surface, escalating privileges, and lateral movement by Wiz’s Nir Ohfeld and Sagi Tzadik.

This is the full story of the Azure ChaosDB Vulnerability… where we were able to gain complete unrestricted access to the databases of several thousand Microsoft Azure customers… [and] ultimately allowed us to retrieve numerous internal keys that can be used to manage the service.

We walk you through every step of the way, to the point where we even gained administrative access to some of the magic that powers Azure.

Continuous Compliance

Streamline Fifteen SOC 2 Controls with AWS Config and AWS Security Hub
ByteChek’s AJ Yawn provides a detailed list of controls with their associated SOC 2 criteria, AWS Config Rule, and AWS Security Hub CIS Benchmark.

Continuous compliance on AWS
8th Light’s Connor Mendenhall provides a nice overview. I like how Connor compares how many orgs treat compliance audits to the old, bad ways of building software: a focus on point in time testing when the stakes are high (quarterly audits, the “big launch”), viewing software systems and compliance requirements as static, even though both may have changed by the end of the process, etc.

Container Security

A Kubeconfig Canarytoken
Thinkst Canary has released a new Kubeconfig Token, which emulates a kubeconfig file, the configuration text file that ordinarily contains credentials to interact with a Kubernetes cluster. If an attacker uses it, you get an alert.

Kubernetes API Access Security Hardening
Teleport’s Sakshyam Shah provides quite a detailed list of things to consider, including securing access to the Kubernetes control plane (API server), Kubelet, and additional security considerations for API access control.

Politics

How the Super Rich Changed a City, For Better or Worse
With many small towns having budget difficulties, some are being funded by wealthy philanthropists, who then gain significant (implicit) say over public policy. “One dollar one vote,” as the saying goes 😆

Misc

The Cognitive Bias Codex
A neat visual diagram on 188 biases, grouped by category (what should we remember, too much info, not enough meaning, and need to act fast), linked to their Wikipedia pages.

Humor

  • That won’t scale.

  • That’s been proven to be O(N^2) and we need a solution that’s O(NlogN).

  • There are, of course, various export limitations on that technology.

  • I don’t think that’s altogether clear. Please write it up in UML for me.

  • I don’t think you’re considering the performance trade-offs.

  • What kind of benchmarks have you been running?

  • Palo Alto: “We named our company after the most expensive city in the US because we don’t do subtle.”

  • Costco: When your snack cupboard has its own loading dock.

  • Electronic Arts: “AWS Billing for Games”

  • Tesla: “Theranos for Cars”

  • Tupperware: “Docker for Vegetables.”

  • Palantir: “Facebook for Governments”

  • Coinbase: “First Bank of Libertarianism.”

  • Huawei: “A publicly traded NSA”

  • Salesforce: “Naming rights to a bus station couldn’t be wrong!”

  • Datadog: “Tinder for Pets”

  • Wizards of the Coast: “You’re Pretending It Wrong”

  • Rust Foundation: “A vi vs. emacs holy war now accepts donations.”

  • Y Combinator: “A training program for lottery winners.”

  • Alibaba: “Uber for manufacturing designs you don’t own”

  • Enron: “The parts of bitcoin cryptobros don’t want to talk about”

  • Taco Bell: “Low latency egress”

  • Activision Blizzard: “We love everyone except our customers, our employees, and women.”

Aphorism

“It is foolish to answer a question that you do not understand. It is sad to work for an end that you do not desire.” - Polya

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!