• tl;dr sec
  • Posts
  • [tl;dr sec] #135 - BSidesSF, Google's Cloud Forensics Utils, Running Bug Bounty Programs

[tl;dr sec] #135 - BSidesSF, Google's Cloud Forensics Utils, Running Bug Bounty Programs

Let's hang out at BSidesSF, Google's Python library to do DFIR across major clouds, Braze and GitHub on running bug bounty programs.

Hey there,

I hope you’ve been doing well!

BSidesSF this Weekend!

BSidesSF is a great conference. If you don’t already have tickets, you can get them here.

The organizers kindly opened up some additional slots in my previously sold out Semgrep workshop! So if you’d like, try registering now and/or stop by in person.

There are countless interesting BSidesSF talks, but I’ll shamelessly plug:

Also, if you find me around the con, I’ll give you some elusive tl;dr sec stickers!

(Oh hey, didn’t see you there #wokeuplikethis )

Regardless of if we hang out at the workshop, I hope we cross paths at BSidesSF or at RSA parties srs bizness events.

P.S. You can see a list of public RSA parties here.

Sponsor

📢 StackHawk’s New Integration with Snyk Code is Now Live!

With StackHawk’s new Snyk integration, teams can correlate security issues between dynamic security testing (DAST) and static security testing (SAST) to find and fix the most important application and API vulnerabilities before production.

Check out the StackHawk and Snyk in Action webinar to see how your team can automate security testing in CI/CD using these integrated tools.

📜 In this newsletter...

  • Conferences: Pwn crypto to keep it competition, LocoMocoSec registration rates increase soon, ROOTCON CFP is open

  • AppSec: Getting RCE on Rails apps

  • Web Security: Damn vulnerable web sockets walkthrough, exploiting Swagger-UI

  • Cloud Security: Bring Azure resources under Terraform management, Google's library to carry out DFIR in the cloud, AWS startup security baseline, thinking about threat detection in the cloud

  • Container Security: How to use Atomic Red Team to test Falco rules in Kubernetes

  • Blue Team: A binary authorization system for macOS, open source tool to auto-enrich alerts

  • Supply Chain: Software supply chain security reading list

  • Running Bug Bounty Programs: Eight years of the GitHub bug bounty program, learning experiences going from hacker to bug bounty program owner

  • Network Security: A network traffic analysis tool suite by CISA, Tailscale tricks for security testers

  • Scraping: CLI tool for automated web page screenshots, how to effectively scrape using Python

  • Misc: An analysis of the structure and contents of top newsletters, how to professionally say what you want in a work setting, Rego style guide, learn to tie 150 knots, Org mode that's not dependent on Emacs, the curse of strong typing

  • Quote: Your life is your message. So what are you saying?

Conferences

PWN2BTC
A smart contract & crypto hardware exploitation competition on June 7th, as a part of Off The Chain. If you pwn it, you keep the crypto.

LocoMocoSec
Registration costs increase after June 7th, so get your tickets soon! If you do, I’ll see you June 27-30 in Honolulu 😎.

ROOTCON
CFP open until July 25, conference September 28-30 in Manila.

AppSec

Ruby Vulnerabilities: Exploiting Dangerous Open, Send and Deserialization Operations
Bishop Fox’s Ben Lincoln walks through a number of ways to get sweet, sweet remote code execution when testing Rails apps, as well as a sample vulnerable app and example exploit code. Vulnerabilities: Kernel-level open function, insecure send, binary deserialization, YAML deserialization, and Oj JSON Deserialization.

Web Security

Damn Vulnerable Web Sockets Walkthrough
A walkthrough of the Damn Vulnerable Web Sockets app, including brute forcing the login, CSRF, file inclusion, error and blind SQL injection, and stored XSS.

Hacking Swagger-UI - from XSS to account takeovers
Vidoc Security Lab’s Dawid Moczadło found a DOM XSS in Swagger UI, which he was able to successfully report across 60 different bug bounty programs. Swagger UI had an outdated version of DomPurify, and Dawid found a new way to exploit a known DomPurify bypass.

I think this post is a good example of finding and building on related work to achieve a goal, and maximizing impact.

GitLab had CSP that did not allow me to use event handlers - <img src="1"> was blocked. The good thing with Gitlab is that they disclose all of their security issues, so I just searched for XSS and copied the CSP bypass from there;) (remember to work smart not hard)

Cloud Security

Azure/aztfy
A tool to bring existing Azure resources under Terraform’s management.

google/cloud-forensics-utils
A Python library to carry out DFIR analysis on the cloud. Currently supports GCP, Azure, and AWS.

AWS Startup Security Baseline
Guidance by AWS’ Jay Michael on a set of controls that create a minimum foundation for businesses to build securely on AWS without decreasing their agility.

How to Think about Threat Detection in the Cloud
Google’s Anton Chuvakin and Tim Peacock share their views on a foundational framework for thinking about threat detection in public cloud computing.

Container Security

How to use Atomic Red Team to test Falco rules in K8s
It’s important to test that your security controls and tools actually work! Sysdig’s Jason Avery describes how to use Red Canary’s Atomic Red Team in a Kubernetes environment to confirm that Falco’s rules flag the malicious behavior.

Blue Team

google/santa
A binary authorization system for macOS.

Avoiding Security Alert Hell: Introducing Squyre
Bill Mahony announces Squyre, a new open source tool aimed at reducing analyst fatigue by automatically enriching alerts with helpful context. It uses Lambdas and Step Functions to extract IP addresses, domains, hashes etc. from an alert body, looks them up on various services, and then adds the results to the alert in your ticketing system (e.g. Jira).

Supply Chain

Software Supply-Chain Security Reading List
A list of resources by Chainguard covering policy, incidents/threats, solutions, organizations, background, and reports and summaries.

Running Bug Bounty Programs

Eight years of the GitHub Security Bug Bounty program
By GitHub’s Jill Moné-Corallo. GitHub awarded $803,769 in bounties for 235 vulnerabilities in 2021, bringing them to ~$2.4M in total rewards via HackerOne since 2016. Npm has also been added to GitHub’s bug bounty scope.

From Hacker to Bug Bounty Program Owner: A Learning Experience
Braze’s Tommy DeVoss describes the lessons he’s learned in going from a top bug bounty researcher to building Braze’s program. Four big learnings:

  1. Launching a Bug Bounty Program Takes Cross-Team Collaboration

  2. Never Lose Sight of Your Relationship With Hackers and Researchers

  3. Bug Bounties Look Different From the Company Side

  4. The Work Doesn’t End When a Bug is Identified

Network Security

cisagov/Malcolm
A powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs, by CISA.

A few Tailscale tricks for Security Testers
Pulse Security NZ’s Michael Fincham shares some interesting details about how Tailscale works, including that Tailscale currently only supports ingress access control rules, all outbound network traffic leaving a host is allowed. So if you’ve compromised a machine, you could re-install a modified version of Tailscale to allow any traffic to the device. Also:

As a tailnet administrator you still have to make sure your containers are running with tags rather than a human user if you want to avoid containers being able to leak each other’s environment variables.

See also Tailscale’s Hardening Guide. I feel like I’ve been hearing a lot of good things about Tailscale recently, I’ve been meaning to play with it when I have time.

Sponsor

📢 Developing Security Products that Can Scale.

In a recent episode of the Detection at Scale podcast, Panther Labs CEO and Founder Jack Naglieri sat down with Joren McReynolds,VP of Engineering, IT and Security at Panther Labs, to discuss the experiences and lessons over the course of Joren’s journey at Facebook, Airbnb, and how they shaped his knowledge on what building a great product takes.

I first met Joren when he was leading Detection and Response at Airbnb. Super smart dude. It was neat hearing in this podcast about Joren’s experiences in the creation of osquery at Facebook, StreamAlert at Airbnb, and navigating inter-organization dynamics as a security team. Would recommend a listen 👌

Scraping

shot-scraper: automated screenshots for documentation, built on Playwright
A CLI tool for automating screenshots of web pages, by Simon Willison. You can also have it screenshot just a subsection of the page using CSS selectors.

Web scraping with Python open knowledge
Re Analytics shares best practices for scalable and efficient to maintain web scraping in Python. See also advanced-scrapy-proxies, a Scrapy rotation proxy package with advanced functions.

Misc

Newsletter Analysis: What My Favorite Newsletters Have in Common
Super cool analysis by my friend Daniel Miessler on the structure and contents of his top 10+ favorite newsletters. Honored that tl;dr sec was one of them 😍. If you run a newsletter, Daniel recommends:

• Unless you’re over a million subscribers, include a value proposition

• Consider opening with a brief, personal intro

• Use a custom email subject that describes the episode

• Consider getting a referral program to jumpstart growth

How to professionally say
Some professional sounding wording for things you might really want to say at work, like: “That meeting sounds like a waste of my time” or “I’m not doing your job for you.”

StyraInc/rego-style-guide
A collection of recommendations and best practices for authoring Rego from Styra, the founders of Open Policy Agent (OPA).

Knots 3D
Learn how to tie over 150 useful knots. If you’re ever had challenges in this domain, it should be knot a problem after this app.

200ok-ch/organice
An implementation of Org mode without the dependency of Emacs - built for mobile and desktop browsers.

The curse of strong typing
A fun and playful, very detailed article by @fasterthanlime.

Someone, somewhere (above me, presumably) made a decision. “From now on”, they declared, “all our new stuff must be written in Rust”.

I don’t know what they see in it, to be honest. It’s like I always say: it’s not a data race, it’s a data marathon.

At any rate, I now find myself in a beautiful house, with a beautiful wife, and a lot of compile errors.

Quote

“My life is my message.” -Ghandi

So is yours. So what are you saying?

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint