[tl;dr sec] #124 - GraphQL Cop, GitLab CI/CD CTF, NSA's Network Infrastructure Security Guidance

Tool to test GraphQL APIs, learn to exploit and pivot a target GitLab instance, PDF by NSA on hardening your network.

Hey there,

I hope you’ve been doing well!

Pitch Deck

Last week I shared a link to a hilarious card game about pitching ridiculous, fabricated start-ups.

Apparently, it’s not the only one such game, as my friend Maya Kaczorowski pointed out: Pitch Deck also exists.

An example from their home page:

What a time to be alive 🤣

Sponsor

📢 🎟 Code To Cloud: The Security Summit For Practitioners By Practitioners

Register for the free virtual event at the intersection of Security, DevOps, and Cloud on March 23-24! You’ll learn from 20+ of the leading DevSecOps experts in 24 hours of keynotes, panels, breakout sessions, lightning talks, and hands-on labs. The Code to Cloud Summit will feature security insights across cloud-native tech stacks—from IaC and open-source packages to containers and workloads.

Speakers include Srinath Kuruvadi (Netflix), Nancy Gariché (GitHub Security Lab and OWASP DevSlop), Madhu Akula (Miro and KubernetesGoat), Shannon Lietz (Adobe), Ashish Rajan (PageUp and Cloud Security Podcast), and more.

📜 In this newsletter...

  • Conferences: LocoMocoSec CFP is open!

  • CI/CD: GitLab CI/CD themed CTF you can run in your AWS account, Top 10 CI/CD security risks

  • AppSec: Security for package maintainers, turning language doc recommendations into continuous code checks

  • Web Security: Tool to test GraphQL APIs for common security issues, how to Burp good, Burp extension for finding and exploiting PKCS padding oracles

  • Cloud Security: Simple Lambda to monitor CloudTrail for manual Console actions, infrastructure as data, using AWS Step functions for continuous monitoring, security dashboards as code

  • Network Security: Debugging certificate errors, NSA's network infra security guidance

  • Exploitation: Exploit mitigation overview for various OSes and apps, survey of why memory safety is still a concern

  • Misc: Web app to remove unwanted things from images, free online editor for animated sprites and pixel art, Simple Wikipedia, find words on the tip of your tongue, iOS app to find public restrooms

  • Humor: A walk sign asking you to change your password, CNCF puzzle, security vendors unmasked

Conferences

LocoMocoSec 2022 CFP is Open!
A great single-track conference in Hawaii 🏖️. CFP closes April 3rd.

CI/CD

CI/CDon’t
An AWS and GitLab CI/CD themed CTF that you can run in your own AWS account, by Nick Frichette.

Top 10 CI/CD Security Risks
By Cider Security, including an overview, the impact, and recommendations for each.

  1. Insufficient Flow Control Mechanisms

  2. Inadequate Identity and Access Management

  3. Dependency Chain Abuse

  4. Poisoned Pipeline Execution (PPE)

  5. Insufficient PBAC (Pipeline-Based Access Controls)

  6. Insufficient Credential Hygiene

  7. Insecure System Configuration

  8. Ungoverned Usage of 3rd Party Services

  9. Improper Artifact Integrity Validation

AppSec

Security for package maintainers
Guide by Seth Larson on how open source package maintainers can secure their accounts, the platforms and roles for various package repositories, securing your package repository, and more.

Scaling Semgrep rule coverage by spidering language documentation
Many languages and frameworks have extensive docs, and somewhere in them, there are periodic Warning call-out blocks that say something like, “Make sure not to do this, it’s dangerous.” But who has time to read and remember hundreds of pages of docs?

Neat post by r2c’s Kurt Boberg on writing a scraper to extract all of these Warnings from the MSDN docs, so now you can get programmatically warned about dangerous C# code using open source Semgrep rules. And there’s a bunch of other new C# rules for all major OWASP vulnerability classes.

Web Security

dolevf/graphql-cop
Tool by Dolev Farhi to run common security tests against GraphQL APIs. ~10 detections for DoS, CSRF, and info leaks.

How to Burp Good
Great walkthrough by @n00py1 of how to do useful things in Burp, like: password brute forcing, password spraying, handling CSRF tokens, re-validating sessions, targeted scanning, finding hidden pages, SSL stripping, and more.

Padding Oracle Hunter
New Burp Extension by the Singapore government that helps penetration testers quickly identify and exploit PKCS#7 and PKCS#1 v1.5 padding oracle vulnerabilities. More context by Eugene Lim.

Cloud Security

ClickOops
A simple Lambda that monitors your CloudTrail log files to find manual actions taken in your accounts, by Paul Zietsman. Valuable intel for when your cloud state is getting out of sync with your infrastructure as code.
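As an added illustration of the kind of check such a Lambda performs (example code, not ClickOops' own), here is a small Python detector that reads a CloudTrail log file and flags state-changing events whose user agent points at the AWS Management Console. The console user-agent markers and the read-only fallback are assumptions, and the sample log is constructed.

```python
import json

# Assumed heuristic (not ClickOops' own logic): user-agent markers that
# indicate a human in the AWS Management Console rather than an SDK/CLI.
CONSOLE_AGENT_MARKERS = ("console.amazonaws.com", "signin.amazonaws.com",
                         "AWS Internal", "Coral/Jakarta")
READ_PREFIXES = ("Describe", "List", "Get", "Head")

def is_read_only(record):
    """CloudTrail sets readOnly on most records; fall back to eventName."""
    ro = record.get("readOnly")
    if ro is not None:
        return bool(ro)
    return record.get("eventName", "").startswith(READ_PREFIXES)

def is_console_action(record):
    """True for a state-changing action performed from the console."""
    agent = record.get("userAgent", "")
    from_console = any(m in agent for m in CONSOLE_AGENT_MARKERS)
    return from_console and not is_read_only(record)

def find_manual_actions(log_text):
    """Parse one CloudTrail log file ({"Records": [...]}) and summarise
    every manual, state-changing action it contains."""
    hits = []
    for r in json.loads(log_text).get("Records", []):
        if not is_console_action(r):
            continue
        ident = r.get("userIdentity", {})
        hits.append({"time": r.get("eventTime"),
                     "actor": ident.get("arn", ident.get("principalId", "?")),
                     "action": f"{r.get('eventSource')}:{r.get('eventName')}"})
    return hits

# Constructed sample log (not a real trail): a console write, a console
# read (no readOnly field, so the eventName fallback is used), and a write
# made through an IaC tool's SDK user agent.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2022-03-10T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "readOnly": False,
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2022-03-10T12:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups", "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2022-03-10T12:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "userAgent": "aws-sdk-go/1.44.0 Terraform/1.1.7",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci/deploy"}},
]})
```

Running `find_manual_actions(SAMPLE_LOG)` returns only the security-group change made from the console; the console read and the Terraform write are ignored.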

Idem Project
A collaboration from VMware and SaltStack that aims to simplify cloud configuration by moving from Infrastructure as Code to Infrastructure as Data. It can scan your current cloud deployments and generate all the data needed to manage them. Idem can manage not just cloud providers, but any API-driven system, such as GitLab.com.

Why Step Functions is the Best AWS Service You Are Not Using
stackArmor’s Matthew Venne describes the power of using AWS Step Functions to implement continuous security monitoring, such as tracking SSL configuration status to meet FedRAMP requirements.

Recent changes make this much easier:

  • You can now call AWS APIs directly from State Machines instead of stitching together a simple Lambda for every action.

  • Workflow Studio is a slick browser-based wizard where you can drag and drop to define your flow.

Dashboards as Code with HCL + SQL
Steampipe now supports defining various Dashboards as Code, giving you real-time insight into your cloud environment, compliance posture, and more. They’ve released 79 AWS Insights dashboards that include security reports and visualizations of VPC & IAM entity relationships.

Network Security

Debugging Certificate Errors
Great walkthrough by Jan Schaumann on debugging techniques for making sense of certificate errors: expired cert, wrong name on the cert, incomplete cert chain, unknown root, and more.

Network Infrastructure Security Guidance
~60 page PDF by NSA covering topics including:

  • Network architecture and design

  • Security maintenance

  • Authentication, authorization, and accounting

  • Logging and monitoring

  • Routing

Exploitation

nccgroup/exploit_mitigations
By NCC Group: a knowledge base of exploit mitigations available across numerous operating systems (Windows, Linux, Android, iOS, and more), architectures, applications (Firefox, Edge, Chrome, Office), and versions.

Why is memory safety still a concern?
PhD candidacy exam write-up by Columbia’s Mohamed Hassan. ~200 slides here.

Sponsor

📢 Trail of Bits’ ZK Docs: comprehensive and interactive documentation on implementation of zero-knowledge proof systems

Trail of Bits released ZKDocs: free and open source documentation for non-standardized cryptographic primitives. ZKDocs provides comprehensive implementation details and security considerations for developers using zero-knowledge proofs and other non-standard primitives. We hope this extensive collection of information will help devs avoid introducing bugs.

Whoa, ☝️ is pretty cool.

Misc

Magic Eraser - Remove unwanted things from images in seconds
Upload an image, mark the bit you need removed, download the fixed-up image.

Piskel
A free online editor for animated sprites & pixel art. Create animations in your browser.

Simple Wikipedia
Wikipedia, but using basic English words and shorter sentences, making it easier to read for children and people learning English.

Tip of My Tongue
Find that word that you’ve been thinking about all day but just can’t seem to remember. Search and filter by partial word, letters, word meaning, length.

Flush - Toilet Finder & Map
iOS app to help you find public restrooms.

Humor

A walk sign continually repeating “CHANGE PASSWORD”
Nothing to see here, everything is fine.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint