- tl;dr sec
- Posts
- [tl;dr sec] #117 - WebSocket Security, Securing Dependencies, Authorization Approaches
[tl;dr sec] #117 - WebSocket Security, Securing Dependencies, Authorization Approaches
Great talk on WebSocket security + tool release, understanding your dependencies and the power of lockfiles, enforcing authz at compile time and authz in microservices.
Hey there,
I hope you’ve been doing well!
WiFi Passwords and… Romance?
A good movie poster or trailer inspires more questions than it answers. And man is that true here.
Like, did he change his network name to “HeyCutie” as a way to flirt?
Is she an international cyber criminal who cracked his WiFi password (because he was using WEP like a noob) to access her C2 servers through his home network to deflect attribution? And he’s a lonely sys admin, locking down his network on a Friday night, only to discover this unexpected traffic, leading him to find The One to fill the pi-hole in his heart?
Did she shine a laser through his window and use the vibrations as a side channel to recover his GitHub creds and SSH password so she could push a cryptominer to his widely popular NPM package? But he’s actually a former CIA agent and has the OPSEC to understand this is happening, so he starts typing her romantic poems in the git commit messages on his private dotfiles repo that he knows she can see read, until they fall in love?
SO MANY QUESTIONS.
Also, Netflix employees, if you like these premises and know someone that needs some screen writing assistance, hit me up, you know where to find me.
No, not curled up under my desk in a fetal position (though true), I mean you can reply to this email.
Sponsor
📢 Build internal tools faster without risking security
Internal tools—like the custom security tools you use at work—help you work faster. And they touch your most important data and systems, so they need to be secure. Retool makes building secure internal tools remarkably fast—you create any UI you want via drag and drop, and then securely connect it to any data source. Access controls and audit logs are built in, so you can focus on what matters.
📜 In this newsletter...
Mac: Four 0days and UXSS in Safari write-up
Career: 5 questions to ask your prospective manager when interviewing
AppSec: Crazy pen test war stories, Python NaN injection, autogenerating realistic vulnerable code
Supply Chain: Tool to automatically build a dependency graph/SBOM/more, and the power of lockfiles
Authorization: Rust library that turns authz bugs into compile errors, patterns for authorization in microservices
Web Security: Tool for reversing JS and CSS from sourcemaps, abusing reverse proxies, WebSocket security talk
Cloud Security: AWS Lambda powertools, create limited scope AWS creds that can only read/write a specific bucket (and prefix), best practices for securing backups
Container Security: Automatically generate and keep up to date Docker images through GitHub Actions
Red Team: Tool to cover your tracks on a Linux box
Politics / Privacy: Cyber defense will win the war, AI is eating the world's workforce through job automation
OSINT / Recon: Hundreds of prepackaged offense-focused Docker images
Humor: Worst snake oil cybersecurity pitches you've heard, Nature on open access
Misc: SimRefinery, GitHub Actions by example, Stripe and YC are the mob bosses of Silicon Valley, security developer messaging
Mac
Webcam Hacking (again) - Safari UXSS
Excellently detailed write-up by BugPoC’s Ryan Pickren, which lead to 4 0days and a $100,500 bounty from Apple.
Gaining unauthorized camera access via Safari UXSS: the story of how a shared iCloud document can hack every website you’ve ever visited.
Career
5 questions you should ask your future manager when interviewing for a job
Great thread by Lily Konings.
When was the last time you promoted someone on your team? How did it happen?
Why did the last person in this role leave?
How do you nurture psychological safety in your team?
When was the last time you supported a direct report’s growth, even if it meant leaving your team or company?
Most/all of my interviewers were men. Can I speak to some women on the team to hear more about their experience?
AppSec
Hackers, what is your craziest pentest story?
Twitter thread with a number of war stories, by Luke Tucker.
Python NaN Injection
Bit Discovery’s Robert Hansen (RSnake) describes how supplying NaN for input in Python can lead to unexpected and/or insecure behavior. For example, math operations with an int or float + NaN outputs NaN, so NaN spreads through the execution flow. This could cause unexpected sorting behavior, integer overflows/underflows, business logic bypasses, and more.
This repo has slides and example vulnerable code and validation logic.
Brendan Dolan-Gavitt Receives NSF Career Award
Congrats! The grant is for automatically creating highly realistic vulnerability corpora, which will be super useful for test cases for security tooling or manual learning. That is, this research may preempt the need to rely on manually created Goat apps, which are often simple and not necessarily representative of complex, real code bases. See the NSF page or the LAVA: Large-scale Automated Vulnerability Addition paper for more details.
Supply Chain
What does your code use, and is it vulnerable? It-depends!
Tool release by Trail of Bits: it-depends, which can automatically build a dependency graph and Software Bill of Materials (SBOM) for packages and arbitrary source code repositories.
You can use it to enumerate all third party dependencies for a software package, map those dependencies to known security vulnerabilities, as well as compare the similarity between two packages based on their dependencies (e.g. Wait, why are we using 3 libraries that do a similar thing?). Handles a bunch of languages, can determine dependencies on native libraries using dynamic analysis, and other fancy things.
The best free, open-source supply-chain security tool? The lockfile
r2c’s Isaac Evans describes why lockfiles are essential for supply-chain security: in the face of a malicious new version of a dependency, they empower you to know exactly which systems were affected and when, which is critical during incident response.
The post also details setting up lockfiles properly across ~9 different package managers, compares their security properties, and includes some open source Semgrep rules to check if you’re using lockfiles effectively. Here are some snippets from two useful tables, more in the post:
resyncgg/dacquiri
A strong, compile-time enforced authorization framework for Rust applications, by @resync_gg. That is, Dacquiri turns authorization vulnerabilities into compile-time errors.
Patterns for Authorization in Microservices
Oso’s Graham Kaemmer provides an overview of 3 popular approaches and their relative trade-offs, with some nice diagrams.
Leave the data where it is, and have services ask for it directly.
Use a gateway to attach the data to all requests, so it’s available everywhere.
Centralize authorization data into one place, and move all decisionmaking to that place.
Web Security
paazmaya/shuji
Tool for reverse engineering JavaScript and CSS sources from sourcemaps, by Juga Paazmaya.
Abusing Reverse Proxies, Part 1: Metadata
Project Discovery’s Chris Sullo discusses in part 1 and part 2 how misconfigured reverse proxies can be abused to access cloud metadata services, port scan other ports on the proxy, and scan the proxy’s internal network. A number of accompanying nuclei templates have been open sourced as well.
We’re not in HTTP anymore: Investigating WebSocket Server Security
Excellent OWASP Global AppSec US 2021 talk by Palindrome Technologies’s Erik Elbieh. Erik provides an overview of how WebSockets differ from HTTP, does a survey of prior WebSocket security work, describes how to find websites that support WebSockets at scale, releases a tool (STEWS) that fingerprints the likely WebSocket implementation being used, and then tests if the server is vulnerable to a number of known CVEs.
Good talks have an original idea or two or a useful trick you can use. Great talks provide an overview of the problem space, do a deep dive of related work, examine the issue at scale, and release a tool to make it all easier. This is a great talk.
Erik also released:
awesome-websocket-security: a collection of WebSocket security resources.
WebSockets-Playground: a script to easily jump start multiple local WebSocket servers in parallel.
See also Portswigger’s Web Security Academy WebSocket labs.
Cloud Security
awslabs/aws-lambda-powertools-typescript
A suite of utilities for AWS Lambda Functions that makes structured logging, creating custom metrics asynchronously and tracing with AWS X-Ray easier.
Weeknotes: s3-credentials prefix and Datasette 0.60
Simon Willison describes s3-credentials, a tool for creating limited scope AWS credentials that can only read and write from a specific S3 bucket. The latest release adds the ability to specify a prefix and get credentials that are only allowed to operate on keys within a specific folder within the S3 bucket.
Container Security
cybersecsi/RAUDI
A repo to automatically generate and keep updated a series of Docker images through GitHub Actions, by SecSI.
Red Team
mufeedvh/moonwalk
A small, standalone binary for covering your tracks on a Linux box by capturing the state of system logs and filesystem timestamps pre-exploitation and reverting them after you’re done, by Mufeed VH.
Politics / Privacy
Offense will win some battles, but cyber defense will win the war
Proofpoint’s Selena Larson argues that while offensive efforts do impose some costs on ransomware operators, ultimately investment in defense and resolving underlying weaknesses is required for moving the needle long term. I enjoyed the details and context provided in this post.
AI is quietly eating up the world’s workforce with job automation
It seems that great inequality leads to political polarization, unrest, and other bad stuff. One of the things that concerns me most right now is how quickly so many people are (or will be) out of work, yet few are sounding the alarm.
AI job automation has already replaced around 400,000 factory jobs in the U.S. from 1990 to 2007, with another 2 million on the way.
~85% of customer interactions are already handled without human interaction. There are currently ~3 million customer service reps in the U.S.
A 2020 research paper showed that a Transformer-based deep learning system could outperform human language translators.
Sponsor
📢 Register for ZAPCon 2022 ⚡️
ZAPCon 2022 is a free virtual event for ZAP users and those looking to level-up their automated application security testing game.
Register now to hear from speakers like Jim Manico and ZAP creator Simon Bennetts.
OSINT / Recon
HOUDINI: Hundreds of Offensive and Useful Docker Images for Network Intrusion
What a backronym 🙌 A big set of Docker images for security tools, maintained by SecSI, including OSINT and recon tools (e.g. Amass), web security scanners (e.g. Arachni, ffuf), dirbusting, spiders, mobile app reversing tools, and more.
Humor
Sean Wright: Worst snake oil cybersecurity pitch you’ve ever had?
Congrats to all vendors named 🤣
The Academic Journal Nature does Open Access
Short comedic video skewering the economics of academic publishers. As they deserve in my opinion.
Misc
The sprawling, must-read history of Maxis’ former “serious games” division
Huh, apparently the company that made SimCity also made serious games, like SimRefinery.
GitHub Actions by Example
An introduction through a series of annotated examples, by Ted Summer.
Stripe and YCombinator, the Mob Bosses of Silicon Valley, a thread
Bolt CEO Ryan Breslow accuses Stripe of strategically getting investors in a way that precludes future finance-related start-ups from being successful, HN of burying posts about Bolt, and more. Your weekly 🌶️ take and hot goss.
Aidan Steele on Security <-> Developer Messaging
To move the security needle, we (security professionals) need buy-in, support, and mutual respect with developers. How can we make things secure by default and not expect developers to also be security experts?
I feel like it’s unfair and hurtful to characterise committing secrets as a result of “careless developers” though.
When I built something similar a few months back, there was a clear pattern: the majority of leaks were due to templates that set newbies up to fail. e.g. encouraging credentials to be copy-pasted into a config.js file and not gitignoring it.
I don’t think that a junior developer following a tutorial is being careless. I don’t think we can expect them to be intimately familiar with ever-evolving infosec best practices.
And I don’t think it helps them feel welcome when they are called careless for learning new things.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint