[tl;dr sec] #132 - Application Hacking Methodology, Pwning Cloudflare Pages, Why You Should Be Blogging
Jason Haddix's new Bug Hunter's Methodology for apps, write-up of a series of Cloudflare Pages bugs, Jack Rhysider on the power of blogging.
I hope you’ve been doing well!
I wasn’t sure what I was going to include in the intro this week, but fortunately, San Francisco delivers once again.
In most normal places, people go to their job, they work, and they have friends, family, communities they’re a part of, and other ways they derive meaning and fulfillment.
But in the Bay Area, people’s work and identity are often so closely tied it’s like some Fifty Shades of Grey sequel. (Sidenote: I have an image I want to make for this but I don’t have time. Imagine something funny but MS Paint-level execution.)
Here’s something #PeakBayArea I came across at a local corner store this week:
📢 JupiterOne: Context and visibility into your entire cyber asset attack surface
As companies expand to the cloud, cyber asset visibility worsens. Resources are deployed and access granted without a full understanding of how it impacts a company’s vulnerability to attack, and legacy solutions like a SIEM or CSPM can’t touch every asset necessary to contextualize the entire cyber asset attack surface.
That’s where the JupiterOne Cyber Asset Management Platform comes in. We answer the complex security and infrastructure questions you weren’t able to before. Understand the contextual relationships between cyber assets and build the foundation for your cloud security program.
📜 In this newsletter...
AppSec: OPA/Rego pre-commit hooks, Cloudflare Pages bug write-ups
Web Security: Discovering origin hosts behind proxies/WAFs, CLI tool to parse Burp project files, Bug Hunter’s Methodology: Application Hacking v1
Supply Chain: NIST guide, three part how to SLSA guide by Google
Cloud Security: Lambda for website -> PDF, scan publicly accessible assets in your AWS environment, tools that use AWS logs to help with least privilege, video walkthrough series of flaws.cloud, integrating AWS Security Hub with Jira
Container Security: Bottlerocket OS security guidance, scanning Dockerfiles for security issues with Semgrep
Red Team: Convert PE so it can be injected like normal shellcode
Politics / Privacy: Open source tests for web browser privacy features
Misc: Useful Bash one liners, tracking startup layoffs, open database of >31M scholarly articles, generate memes with AI, how mindfulness can quell feelings of guilt
17 reasons why you should be blogging: Jack Rhysider on the power of blogging
Quote: Colette on grief
Cloudflare Pages, part 1: The fellowship of the secret
Assetnote’s James Hebden and Sean Yeoh describe finding a series of vulnerabilities in Cloudflare Pages. There are also parts 2 and 3, and Cloudflare’s own response is worth reading alongside them. Great example of blackbox testing: getting a foothold, probing to understand the attack surface, then escalating privileges.
Tool by Hakluke for discovering the origin host behind a reverse proxy. Useful for bypassing WAFs and other reverse proxies: if the origin answers direct requests, the WAF never sees the traffic. The defensive counterpart is to make the origin accept connections only from the proxy (allowlist the proxy’s IP ranges, or require authenticated origin pulls / mTLS from the proxy). See also this Twitter thread for an overview of useful tools Hakluke has created over the years.
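To make the technique concrete, here is an added illustration (my code, not Hakluke’s tool) of the usual approach: fetch the page through the proxy as a reference, then request the same path directly from each candidate IP with the real hostname in both SNI and the Host header, and flag candidates whose response closely matches. The candidate IPs, hostnames, and HTTP responses below are constructed so the logic runs offline; in practice candidates come from passive DNS history, certificate transparency logs, or provider IP-range scans, and the real fetcher at the top does the network work.

```python
"""Origin discovery behind a reverse proxy or WAF (added example, not Hakluke's tool).

Fetch the site normally (through the proxy), then request the same path directly
from each candidate IP with the real hostname in SNI and the Host header, and
flag candidates whose response closely resembles the reference. The IPs and
responses in CONSTRUCTED_RESPONSES are made up (RFC 5737 documentation ranges).
"""
import difflib
import re
import socket
import ssl
from typing import Callable, Dict, List, Tuple

# (target, host, path) -> (status, body). `target` is the IP or name we connect to.
FetchFn = Callable[[str, str, str], Tuple[int, str]]


def fetch_via_ip(target: str, host: str, path: str = "/",
                 use_tls: bool = True, timeout: float = 5.0) -> Tuple[int, str]:
    """TCP to `target`, but TLS SNI and the Host header both say `host`."""
    sock = socket.create_connection((target, 443 if use_tls else 80), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # origin cert may be self-signed; we probe, not trust
        sock = ctx.wrap_socket(sock, server_hostname=host)
    req = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: origin-probe/0.1\r\n"
           "Accept: */*\r\nConnection: close\r\n\r\n")
    sock.sendall(req.encode())
    chunks = []
    while True:
        data = sock.recv(65536)
        if not data:
            break
        chunks.append(data)
    sock.close()
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1])  # "HTTP/1.1 200 OK" -> 200
    # Chunked bodies keep their length markers; that only slightly lowers the score.
    return status, body.decode("utf-8", "replace")


def normalize(body: str) -> str:
    return re.sub(r"\s+", " ", body).strip()


def similarity(a: str, b: str) -> float:
    """0..1 ratio over normalized bodies; autojunk off so long pages compare predictably."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b), autojunk=False).ratio()


def find_origins(host: str, candidates: List[str], fetch: FetchFn = fetch_via_ip,
                 path: str = "/", threshold: float = 0.9) -> List[Tuple[str, int, float]]:
    """(ip, status, score) for candidates whose direct response matches the proxied one."""
    _, reference = fetch(host, host, path)  # through the proxy: the known-good page
    hits = []
    for ip in candidates:
        try:
            status, body = fetch(ip, host, path)
        except (OSError, ValueError, IndexError):
            continue  # closed port, TLS handshake failure, or a non-HTTP response
        score = similarity(reference, body)
        if score >= threshold:
            hits.append((ip, status, round(score, 3)))
    return hits


# ---- constructed responses so the logic can be exercised offline ----
_PAGE = ('<!doctype html><html><head><title>Acme Shop</title>'
         '<meta name="csrf" content="{nonce}"></head><body><h1>Welcome to Acme Shop</h1>'
         '<p>Spring sale: 20% off all widgets.</p><a href="/login">Log in</a></body></html>')
_NGINX = ('<!DOCTYPE html><html><head><title>Welcome to nginx!</title></head><body>'
          '<h1>Welcome to nginx!</h1><p>If you see this page, the nginx web server is '
          'successfully installed and working.</p></body></html>')
CONSTRUCTED_RESPONSES: Dict[str, Tuple[int, str]] = {
    "shop.example": (200, _PAGE.format(nonce="a1b2c3d4")),  # via the proxy
    "203.0.113.10": (200, _PAGE.format(nonce="a1b2c3d4")),  # the real origin
    "203.0.113.20": (200, _NGINX),                          # unrelated host, default vhost
    "203.0.113.40": (200, _PAGE.format(nonce="zz99yy88")),  # origin, per-request nonce differs
    # 203.0.113.30 is deliberately absent: connection refused
}


def fake_fetch(target: str, host: str, path: str) -> Tuple[int, str]:
    if target not in CONSTRUCTED_RESPONSES:
        raise OSError("connection refused")
    return CONSTRUCTED_RESPONSES[target]


def demo() -> List[Tuple[str, int, float]]:
    return find_origins("shop.example",
                        ["203.0.113.10", "203.0.113.20", "203.0.113.30", "203.0.113.40"],
                        fetch=fake_fetch)


if __name__ == "__main__":
    print(demo())
```

The similarity threshold is the knob that matters: too high and a per-request CSRF nonce or timestamp hides a real origin (the 203.0.113.40 case), too low and every default vhost on the provider’s range lights up. Compare against a page that is distinctive for the target rather than a generic error page.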
The Bug Hunter’s Methodology: Application Hacking v1
See also Jason’s threads:
Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
326-page PDF by NIST providing guidance on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of your organization.
How to SLSA Part 1 - The Basics
Google’s Tom Hennen walks through how three fictional organizations (a package manager, an open source OS with an enterprise distribution, a mid-sized enterprise) would apply SLSA to meet their different needs.
Part 1: How and when do you verify a package with SLSA? How to handle artifacts without provenance?
Part 2: Where is the provenance stored? Where is the appropriate policy stored and who should verify it? What should the policies check? How do you establish trust & distribute keys?
Part 3: What does a secure, heterogeneous supply chain look like?
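The verification questions from Parts 1 and 2 (when to verify, what the policy checks, and how to handle an artifact with no provenance) come down to a few concrete checks on the consumer side. The following is an added example of those checks; it is my code, not code from Google’s guide or the slsa-framework tooling. It unwraps a DSSE envelope, checks a signature over the DSSE pre-authentication encoding, confirms the artifact’s sha256 is among the statement’s subjects, and compares the builder ID and source repository against local policy. The builder, repository, keys, and package bytes are constructed, and the HMAC “signature” is a stand-in for the builder’s real public-key signature so the block runs on the standard library alone.

```python
"""Consumer-side SLSA provenance verification (added example, not SLSA project code).

Checks, in order: DSSE signature over the PAE bytes, artifact digest among the
statement's subjects, builder ID and source repo against policy, and an explicit
decision for artifacts with no provenance. Builder, repo, key, and package are
constructed; HMAC stands in for the builder's real public-key signature.
"""
import base64
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

SLSA_PROVENANCE_V02 = "https://slsa.dev/provenance/v0.2"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes the signature actually covers."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


@dataclass
class Policy:
    trusted_builders: List[str]
    expected_source: str
    verify_sig: Callable[[str, bytes, bytes], bool]  # (keyid, message, sig) -> ok
    allow_missing_provenance: bool = False


@dataclass
class Verdict:
    ok: bool
    reasons: List[str] = field(default_factory=list)


def verify_artifact(artifact: bytes, envelope: Optional[dict], policy: Policy) -> Verdict:
    if envelope is None:
        # Artifact without provenance: fail closed unless policy has a documented exception.
        if policy.allow_missing_provenance:
            return Verdict(True, ["no provenance; accepted under policy exception"])
        return Verdict(False, ["no provenance attached"])
    payload_type = envelope.get("payloadType", "")
    payload = base64.b64decode(envelope["payload"])
    pae = dsse_pae(payload_type, payload)
    if not any(policy.verify_sig(s.get("keyid", ""), pae, base64.b64decode(s["sig"]))
               for s in envelope.get("signatures", [])):
        return Verdict(False, ["no valid signature from a trusted key"])  # do not read unsigned claims
    reasons: List[str] = []
    if payload_type != INTOTO_PAYLOAD_TYPE:
        reasons.append(f"unexpected payloadType {payload_type!r}")
    stmt = json.loads(payload)
    if stmt.get("predicateType") != SLSA_PROVENANCE_V02:
        reasons.append(f"unexpected predicateType {stmt.get('predicateType')!r}")
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in stmt.get("subject", [])):
        reasons.append(f"artifact sha256 {digest[:12]}... not among subjects")
    pred = stmt.get("predicate", {})
    builder = pred.get("builder", {}).get("id")
    if builder not in policy.trusted_builders:
        reasons.append(f"untrusted builder {builder!r}")
    source = pred.get("invocation", {}).get("configSource", {}).get("uri")
    if source != policy.expected_source:
        reasons.append(f"built from {source!r}, policy expects {policy.expected_source!r}")
    return Verdict(not reasons, reasons or ["provenance verified"])


# ---- constructed demo material: not a real builder, repo, key, or package ----
DEMO_KEYS: Dict[str, bytes] = {"builder-key-1": b"constructed-demo-secret"}


def demo_verify_sig(keyid: str, message: bytes, sig: bytes) -> bool:
    key = DEMO_KEYS.get(keyid)  # unknown keyid -> untrusted
    return key is not None and hmac.compare_digest(hmac.new(key, message, hashlib.sha256).digest(), sig)


def make_envelope(statement: dict, keyid: str) -> dict:
    """What a builder emits: the statement wrapped and signed as a DSSE envelope."""
    body = json.dumps(statement, separators=(",", ":")).encode()
    sig = hmac.new(DEMO_KEYS[keyid], dsse_pae(INTOTO_PAYLOAD_TYPE, body), hashlib.sha256).digest()
    return {"payloadType": INTOTO_PAYLOAD_TYPE, "payload": base64.b64encode(body).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}


ARTIFACT = b"constructed package contents, widget 1.2.3"
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "widget-1.2.3.tar.gz", "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": SLSA_PROVENANCE_V02,
    "predicate": {"builder": {"id": "https://ci.example/builder/v1"},
                  "invocation": {"configSource": {"uri": "git+https://git.example/acme/widget",
                                                  "digest": {"sha1": "0" * 40}}}},
}
POLICY = Policy(trusted_builders=["https://ci.example/builder/v1"],
                expected_source="git+https://git.example/acme/widget", verify_sig=demo_verify_sig)


def demo_cases() -> Dict[str, Verdict]:
    good = make_envelope(STATEMENT, "builder-key-1")
    rogue = make_envelope(STATEMENT, "builder-key-1")
    rogue["signatures"][0]["keyid"] = "unknown-key"
    forked = copy.deepcopy(STATEMENT)
    forked["predicate"]["invocation"]["configSource"]["uri"] = "git+https://git.example/mallory/widget"
    return {"good": verify_artifact(ARTIFACT, good, POLICY),
            "tampered_artifact": verify_artifact(ARTIFACT + b"\x00", good, POLICY),
            "unknown_key": verify_artifact(ARTIFACT, rogue, POLICY),
            "wrong_source": verify_artifact(ARTIFACT, make_envelope(forked, "builder-key-1"), POLICY),
            "no_provenance": verify_artifact(ARTIFACT, None, POLICY)}
```

Two design points worth noting: the signature is checked before any field of the statement is read, so an attacker who can only tamper with the payload gets nothing, and the signature covers the PAE bytes (type length, type, body length, body) rather than the raw JSON, which is what stops a signed in-toto payload from being replayed as some other payload type. Key distribution (how `DEMO_KEYS` gets populated with the real builder’s key) is the Part 2 question the block deliberately leaves to the caller.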
Website to PDF using AWS Lambda Function URLs
Arctic Wolf’s Jobin Basani describes how to use AWS CDK to create a Lambda Function URL that converts a web page into a PDF file using chrome-aws-lambda and Puppeteer. If the URL to render comes from callers, remember that a headless browser running inside your account will fetch whatever it is pointed at, so restrict the URLs it will render and keep the function out of network positions you would not want an anonymous caller to reach.
Scan for publicly accessible assets in your AWS cloud environment. Supports: AWS ELB, API Gateway, S3 Buckets, RDS Databases, EC2 instances, Redshift Databases.
Tools That Use AWS Logs to Help with Least Privilege
Great overview by Sym’s Adam Buggia on resources and tools for creating least-privilege IAM policies. He discusses deriving AWS policies from CloudTrail data vs. designing policies using client-side monitoring (and their respective trade-offs), and how to generate policies for a Terraform project using LocalStack.
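The CloudTrail-derived approach Adam compares is simple enough to show end to end. The following is an added example (my code, not from any of the tools the post covers): filter records to one principal, keep only successful API calls, map each to its IAM action, and retain resource ARNs where CloudTrail recorded them. The records are constructed (account 123456789012 and the ARNs are placeholders), and the comments name the caveats that make this approach approximate: event names do not always equal IAM action names, object-level S3/DynamoDB calls only show up when data events are enabled, and a denied call tells you what was attempted, not what is needed.

```python
"""Least-privilege IAM policy derived from CloudTrail records (added example).

Not code from the tools the post discusses. Records below are constructed
(account 123456789012 is a placeholder) and trimmed to the fields used here.
"""
import json
from collections import defaultdict
from typing import Dict, List, Set


def actions_from_trail(records: List[dict], principal_arn: str,
                       include_denied: bool = False) -> Dict[str, Set[str]]:
    """Map IAM action -> resource ARNs for every API call `principal_arn` made."""
    actions: Dict[str, Set[str]] = defaultdict(set)
    for rec in records:
        if rec.get("userIdentity", {}).get("arn") != principal_arn:
            continue
        if rec.get("eventType") != "AwsApiCall":
            continue  # ConsoleLogin and service events are not IAM actions
        if rec.get("errorCode") and not include_denied:
            continue  # AccessDenied shows what was tried, not what is needed
        service = rec["eventSource"].split(".")[0]  # "s3.amazonaws.com" -> "s3"
        # Caveat: eventName is usually, not always, the IAM action name, and
        # S3/DynamoDB object-level calls only appear when data events are enabled.
        action = f"{service}:{rec['eventName']}"
        arns = {r["ARN"] for r in rec.get("resources", []) if "ARN" in r}
        actions[action] |= arns or {"*"}  # no resource recorded -> cannot scope it
    return actions


def build_policy(actions: Dict[str, Set[str]]) -> dict:
    """One statement per distinct resource set keeps the policy compact."""
    by_resources: Dict[tuple, List[str]] = defaultdict(list)
    for action, arns in actions.items():
        by_resources[tuple(sorted(arns))].append(action)
    statements = [{"Effect": "Allow", "Action": sorted(acts),
                   "Resource": list(res) if len(res) > 1 else res[0]}
                  for res, acts in sorted(by_resources.items())]
    return {"Version": "2012-10-17", "Statement": statements}


def least_privilege_policy(records: List[dict], principal_arn: str,
                           include_denied: bool = False) -> dict:
    return build_policy(actions_from_trail(records, principal_arn, include_denied))


# ---- constructed CloudTrail records ----
ROLE = "arn:aws:iam::123456789012:role/reports-worker"
OTHER = "arn:aws:iam::123456789012:user/alice"
SAMPLE_RECORDS = [
    {"eventType": "AwsApiCall", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": ROLE},
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::acme-reports/2022/q1.csv"}]},
    {"eventType": "AwsApiCall", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": ROLE},
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::acme-reports/2022/q1-summary.csv"}]},
    {"eventType": "AwsApiCall", "eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem",
     "userIdentity": {"arn": ROLE},
     "resources": [{"type": "AWS::DynamoDB::Table",
                    "ARN": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}]},
    {"eventType": "AwsApiCall", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"arn": ROLE}},  # no resources field: scoped to "*"
    {"eventType": "AwsApiCall", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": ROLE}, "errorCode": "AccessDenied",  # dropped by default
     "resources": [{"type": "AWS::KMS::Key",
                    "ARN": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"}]},
    {"eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": OTHER}},  # not an API call
    {"eventType": "AwsApiCall", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": OTHER}},
]

if __name__ == "__main__":
    print(json.dumps(least_privilege_policy(SAMPLE_RECORDS, ROLE), indent=2))
```

The output is a starting point, not a finished policy: you will normally widen object keys like `2022/q1.csv` to a prefix wildcard by hand, and a role that legitimately needs an action it has not exercised during the observation window will be missing it, which is the core trade-off of log-derived policies that the post discusses.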
Bidirectionally integrate AWS Security Hub with Jira software
You can now automatically and manually create and update Jira tickets from Security Hub findings, with status changes flowing back to Security Hub.
Bottlerocket OS Security Guidance
Bottlerocket is a Linux-based OS meant for hosting containers. This document contains a number of good hardening recommendations.
See also Bottlerocket’s Security Features, which include: automated security updates, an immutable rootfs backed by dm-verity, a stateless tmpfs for /etc, no shell or interpreters installed, executables built with hardening flags, and SELinux enabled in enforcing mode.
Scanning Dockerfiles for security issues + Contributing to Semgrep
Red Hat’s Florencio Cano describes scanning Dockerfiles with hadolint, realizing Semgrep has most of the same checks, trying it, and then contributing some improvements.
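To show the kind of checks in question, here is an added example (my code, not hadolint’s or Semgrep’s rules) that parses a Dockerfile, including backslash continuations and multi-stage builds, and runs four checks a reviewer actually cares about: an unpinned base image, `ADD` of a remote URL, a remote script piped into a shell, and a final stage that runs as root. The rule names and the sample Dockerfile are constructed for this block.

```python
"""Dockerfile checks of the kind hadolint and Semgrep's Dockerfile rules run.

Added example, not hadolint's or Semgrep's code. Rule names are made up for
this block and the sample Dockerfile is constructed.
"""
import json
import re
from typing import List, Tuple

Finding = Tuple[int, str, str]  # (line number, rule, message)


def parse_dockerfile(text: str) -> List[Tuple[int, str, str]]:
    """Return (lineno, INSTRUCTION, args); joins backslash continuations and
    skips blank/comment lines. lineno is the instruction's first line."""
    out, buf, start = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        instr, _, args = " ".join(buf).partition(" ")
        out.append((start, instr.upper(), args.strip()))
        buf, start = [], None
    return out


def _sources(args: str) -> List[str]:
    """Source paths of an ADD/COPY in shell or JSON form, flags removed."""
    if args.startswith("["):
        return json.loads(args)[:-1]
    return [a for a in args.split()[:-1] if not a.startswith("--")]


PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")
ARCHIVE = re.compile(r"\.(tar|tgz|tar\.(gz|bz2|xz))$", re.I)


def check_dockerfile(text: str) -> List[Finding]:
    findings: List[Finding] = []
    user, user_line, from_line = None, None, 0
    for lineno, instr, args in parse_dockerfile(text):
        if instr == "FROM":
            user, user_line, from_line = None, None, lineno  # USER does not carry across stages
            image = [a for a in args.split() if not a.startswith("--")][0]
            if image.lower() != "scratch" and "@" not in image:  # "@sha256:..." is pinned
                tag = image.rsplit("/", 1)[-1].partition(":")[2]  # tolerate registry:port/
                if tag in ("", "latest"):
                    findings.append((lineno, "unpinned-base-image",
                                     f"{image} is not pinned to a tag or digest"))
        elif instr == "ADD":
            srcs = _sources(args)
            if any(re.match(r"(https?|ftp)://", s, re.I) for s in srcs):
                findings.append((lineno, "add-remote-url",
                                 "ADD fetches a URL with no integrity check; download in RUN and verify a checksum"))
            elif not any(ARCHIVE.search(s) for s in srcs):
                findings.append((lineno, "prefer-copy", "ADD without an archive to unpack; use COPY"))
        elif instr == "RUN" and PIPE_TO_SHELL.search(args):
            findings.append((lineno, "pipe-to-shell", "remote script piped straight into a shell"))
        elif instr == "USER":
            user, user_line = args.split(":")[0].strip(), lineno
    # Only the final stage's USER matters at runtime; earlier stages are build-only.
    if user is None:
        findings.append((from_line, "runs-as-root", "final stage never sets USER; container runs as root"))
    elif user in ("root", "0"):
        findings.append((user_line, "runs-as-root", "final stage explicitly runs as root"))
    return findings


# ---- constructed Dockerfile exercising each check ----
SAMPLE_DOCKERFILE = r"""FROM python:latest AS build
WORKDIR /src
RUN curl -sSL https://get.example.test/build-tools.sh | sh
COPY . .
RUN python -m build

FROM python:3.11-slim
ADD https://example.test/wait-for-it.sh /usr/local/bin/wait-for-it
ADD app.tar.gz /opt/app/
COPY --from=build /src/dist/*.whl /tmp/
RUN pip install --no-cache-dir /tmp/*.whl \
    && rm -rf /tmp/*.whl
USER root
CMD ["widget-server"]
"""

if __name__ == "__main__":
    for line, rule, msg in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {line}: {rule}: {msg}")
```

The stage tracking is the part ad-hoc grep checks get wrong: a `USER` in the build stage says nothing about the runtime image, and a `FROM` resets it, so the root check has to look at the last stage only. A digest-pinned `FROM image@sha256:...` is treated as pinned even without a tag.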
Politics / Privacy
Open-source tests of web browser privacy for popular browsers: Brave, Chrome, Edge, Firefox, Safari, etc. State partitioning, navigation, HTTPS, fingerprinting resistance, and other tests.
📢 API Security Best Practices Guide
APIs drive today’s modern apps. Bad actors know the benefit of targeting APIs to get at valuable data, so API attacks are on the rise. Existing security tooling can’t stop API attacks - you need a new approach. Salt Security has compiled a set of API security best practices, drawn from customer experiences, to help you in this journey. Download the guide to build your plan for securing your external, internal, and partner APIs.
A collection of handy Bash one-liners and terminal tricks for data processing and Linux system maintenance.
Tracks all tech startup layoffs since COVID-19. Potential resource for finding people to hire!
An open database of >31M free scholarly articles. Ingests Open Access content from over 50,000 publishers and repositories, and makes them easy to find, track, and use.
Generate original memes powered by AI.
Great thread by Jack Rhysider. I’ve found most of these to be personally true for me as well.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!