[tl;dr sec] #160 - Application Security Foundations, Machine Learning Uses, Blackbox Regex Fuzzing
Notes from the WeHackPurple courses, a wide variety of applications of machine learning, bypassing validations and normalizations in web apps using regex fuzzing.
I hope you’ve been doing well!
Apologies for the radio silence last week.
I had planned to take off Thanksgiving week for a while, but realized too late that I hadn’t mentioned this in the prior newsletter, so I decided to not email you to tell you that I was… not going to email you.
I hope you had an excellent week though!
Also, in case you’re feeling a bit down at some point during this holiday season, I wanted to share again the intro I wrote last Halloween. You are loved and cared for ✊
📢 You’re Invited to Panther's [Virtual] Detection as Code Workshop!
Ever wondered if there was an easy way to protect your AWS resources such as S3, EC2, and GuardDuty with a modern SIEM?
Join Panther for an interactive, hands-on virtual experience that teaches you how to utilize detection-as-code and allows you to set up, deploy, and test your detections geared toward important AWS resources.
They’ll provide hands-on keyboard demonstrations of managing and modifying detection-as-code during the workshop.
I think managing detections as Python code is pretty neat, and we actually use Panther at my company. Should be a useful workshop!
📜 In this newsletter...
AppSec: Email graffiti, application security foundations notes, a security tools crash is coming
Web Security: More easily intercept the right requests in Burp, Burp protobuf extension improvements, exploiting CORS misconfigurations, black-box regex fuzzing tool
Cloud Security: Automatically purge and prepare AWS resources, confused deputy vulnerability in AWS AppSync, the security design of the AWS Nitro System, AWS pre:Invent 2022
Container Security: API traffic viewer for Kubernetes, new open source client for container development, the state of Kubernetes open-source security survey
Politics / Privacy: How and where the Meta Pixel is tracking you (answer: everywhere about everything)
Misc: Security, Funded has crossed 1,000 subscribers, InfoSec news aggregator, Elemental Pixar movie trailer, inspiration from UFC fighter, private YouTube client, weird thrift store shirts, open library, Tim Minchin's sentimental song about Christmas, exploring Rust as a Python developer, reflections on leading research at NCC Group
Machine Learning: Bohemian Rhapsody - But every lyric is an AI generated image, AI tools directory, image classifier to detect lewd images, AI that can play Diplomacy, AI's threat to human work, feeding your childhood diary to GPT-3 and talking with younger you
Email Graffiti: hacking old email
Truffle Security’s Dylan Ayrey describes how you can “vandalize” old emails that contain images pointing to cloud buckets that no longer exist (that you can then register). See also the video about it and tool that makes it easy.
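The check below is an added example, not Dylan’s tool or code from the post: it pulls every img src out of an HTML email body, recognizes S3 virtual-hosted and path-style URLs, and asks S3 whether each referenced bucket still exists. S3 answers 404 for a bucket name nobody owns (which is exactly what an attacker can go and claim), and 403 or 200 for one that exists. The sample email and bucket names are constructed for the example.

```python
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email: a logo and a tracking pixel hosted in S3, plus one non-S3 image.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Thanks for signing up!</p>
<img src="https://acme-newsletter-assets.s3.amazonaws.com/logo.png" alt="logo">
<img src="https://s3.us-west-2.amazonaws.com/acme-tracking-pixels/open.gif?id=123" width="1" height="1">
<img src="https://cdn.example.com/static/footer.png">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collects the src attribute of every <img> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def extract_image_urls(html):
    parser = _ImgCollector()
    parser.feed(html)
    return parser.srcs


# Virtual-hosted style: <bucket>.s3.amazonaws.com, <bucket>.s3.<region>.amazonaws.com (or legacy s3-<region>).
_VHOST_RE = re.compile(r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
# Path style: s3.amazonaws.com/<bucket>/... or s3.<region>.amazonaws.com/<bucket>/...
_PATH_RE = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")


def s3_bucket_from_url(url):
    """Return the bucket name an S3 URL points at, or None if the host is not S3."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    match = _VHOST_RE.match(host)
    if match:
        return match.group("bucket")
    if _PATH_RE.match(host):
        first_segment = parsed.path.lstrip("/").split("/", 1)[0]
        return first_segment or None
    return None


def probe_bucket_http(bucket, timeout=5):
    """Network check. S3 returns 404 for an unowned bucket name; 403 or 200 mean someone owns it."""
    req = urllib.request.Request(f"http://{bucket}.s3.amazonaws.com/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status != 404
    except urllib.error.HTTPError as err:
        return err.code != 404


def find_dangling_buckets(html, probe=probe_bucket_http):
    """Map each S3 bucket referenced by an image to whether it still exists (False = claimable)."""
    status = {}
    for url in extract_image_urls(html):
        bucket = s3_bucket_from_url(url)
        if bucket and bucket not in status:
            status[bucket] = probe(bucket)
    return status


if __name__ == "__main__":
    for bucket, exists in find_dangling_buckets(SAMPLE_EMAIL_HTML).items():
        print(f"{bucket}: {'exists' if exists else 'DANGLING - claimable'}")
```

Running it against a real mailbox export is the defensive use: any bucket reported as dangling is one somebody else can register and use to swap the images in every copy of that email. The probe is injectable so the parsing can be tested without touching the network.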
Application Security Foundations Level 1
Ishaq Mohammed’s notes from this course by the WeHackPurple Community, covering basic through advanced and DevOps flavored AppSec activities, as well as AppSec and AppSec adjacent tooling.
See also his notes on Application Security Foundations Level 2, which covers scaling your team and program, developer education, advocacy, tips for teaching adults, metrics, and improvement. And Part 3.
Ethiack’s André Baptista describes and releases REcollapse, a tool for black-box regex fuzzing that can bypass validations and discover normalization issues in web applications. This technique can be used to perform zero-interaction account takeovers, uncover new bypasses for web application firewalls, and more. See also his BSidesLisbon slides.
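To make the normalization half of this concrete, here is an added example (my own, not REcollapse’s code): it brute-forces the Unicode code space for characters that NFKC-normalize into ASCII, generates one-character variants of a target email, and feeds them to a toy registration endpoint. The vulnerable version validates and checks uniqueness on the raw string and then stores the normalized form, so a variant like v＋fullwidth-i＋ctim collides with the existing account; the hardened version rejects anything that isn’t plain ASCII and checks uniqueness on the canonical form. The account, validator regexes, and register functions are constructed for the example.

```python
import re
import unicodedata


def nfkc(s):
    return unicodedata.normalize("NFKC", s)


def build_collapse_table(max_codepoint=0x1FFFF):
    """Map ASCII strings (1-2 chars) to every non-ASCII code point whose NFKC form is that string.

    Built by brute-forcing the code space, so it picks up fullwidth forms, ligatures,
    circled digits, mathematical alphanumerics, etc. without a hand-written list.
    """
    table = {}
    for cp in range(0x80, max_codepoint + 1):
        if 0xD800 <= cp <= 0xDFFF:  # surrogates are not characters
            continue
        ch = chr(cp)
        folded = nfkc(ch)
        if folded != ch and folded.isascii() and 1 <= len(folded) <= 2:
            table.setdefault(folded, []).append(ch)
    return table


def collapse_variants(payload, table):
    """Yield inputs that differ from payload but NFKC-normalize back to it.

    Each variant swaps one 1- or 2-character ASCII chunk for a single code point
    that the normalizer folds into that chunk (e.g. "fi" -> U+FB01).
    """
    for i in range(len(payload)):
        for width in (1, 2):
            chunk = payload[i:i + width]
            for alt in table.get(chunk, ()):
                yield payload[:i] + alt + payload[i + width:]


# Python's \w matches any Unicode letter, so this regex happily accepts fullwidth letters.
WEAK_EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
# Explicit ASCII classes: anything normalization could fold is rejected up front.
STRICT_EMAIL_RE = re.compile(r"^[A-Za-z0-9.+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def vulnerable_register(existing, email):
    """Validates and checks uniqueness on the raw string, then stores the normalized one.

    The uniqueness check passes (the raw string is new) but the stored canonical
    address collides with an existing user. Returns the stored address, or None.
    """
    if not WEAK_EMAIL_RE.match(email) or email in existing:
        return None
    return nfkc(email)


def hardened_register(existing, email):
    """Validates the raw input with ASCII-only classes and checks uniqueness on the canonical form."""
    if not STRICT_EMAIL_RE.match(email):
        return None
    canonical = nfkc(email)
    if canonical in existing:
        return None
    return canonical


def find_collisions(target, existing, register, table):
    """Black-box loop: submit every variant of target and keep those that land on the target account."""
    return [v for v in collapse_variants(target, table) if register(existing, v) == target]


if __name__ == "__main__":
    table = build_collapse_table()
    existing = {"victim@example.com"}
    hits = find_collisions("victim@example.com", existing, vulnerable_register, table)
    print(f"{len(hits)} colliding variants accepted by the weak validator, e.g. {hits[:3]!r}")
    print("hardened:", find_collisions("victim@example.com", existing, hardened_register, table))
```

The table is built from the normalizer itself rather than a confusables list, which is the point of the black-box approach: you do not need to know which characters the target folds, only that it folds something. Against a real app the register() call becomes an HTTP request and the oracle is whatever response distinguishes "taken" from "created".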
Add custom maintenance windows for AWS accounts - purge and prepare resources automatically.
A Confused Deputy Vulnerability in AWS AppSync
Datadog’s Nick Frichette discusses a cross-tenant vulnerability that abuses the AppSync service to assume IAM roles in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts. It’s since been fixed.
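The standard defense on the role owner’s side of a cross-service confused deputy is to pin the trust policy to your own account and resource with aws:SourceAccount / aws:SourceArn conditions. Below is an added example, not Datadog’s code and not a description of what AWS changed server-side: a small auditor that flags role trust policies letting a service principal call sts:AssumeRole with no such condition, run over a weak and a hardened policy. Account IDs and ARNs are placeholders.

```python
import json

# Constructed trust policies for a role that the AppSync service is allowed to assume.
# Account IDs and ARNs are placeholders, not real resources.
WEAK_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "appsync.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
""")

HARDENED_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "appsync.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {"aws:SourceAccount": "111122223333"},
      "ArnLike": {"aws:SourceArn": "arn:aws:appsync:us-east-1:111122223333:apis/*"}
    }
  }]
}
""")

# Condition keys that tie a service's assume-role call to a specific caller account / resource.
SOURCE_KEYS = {"aws:sourceaccount", "aws:sourcearn"}


def _as_list(value):
    """IAM allows most fields to be either a scalar or a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy):
    """Return a finding per Allow statement that lets an AWS service assume the role without pinning the caller."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if not services:
            continue  # account / user principals are a different review; only services are confused-deputy prone
        condition_keys = {
            key.lower()
            for operator in stmt.get("Condition", {}).values()
            for key in operator
        }
        if not condition_keys & SOURCE_KEYS:
            findings.append(
                f"statement {index}: {', '.join(services)} may assume this role on behalf of any account "
                f"(no aws:SourceAccount / aws:SourceArn condition)"
            )
    return findings


if __name__ == "__main__":
    print("weak:", audit_trust_policy(WEAK_TRUST_POLICY))
    print("hardened:", audit_trust_policy(HARDENED_TRUST_POLICY))
```

Feed it the output of get-role / list-roles for every role whose trust policy names a service principal; each finding is a role a third party could potentially point that service at if the service does not enforce caller identity itself.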
The Security Design of the AWS Nitro System
November 2022 update of a whitepaper providing a detailed description of the security design of the Nitro System, the underlying platform for all modern EC2 instances.
AWS pre:Invent 2022
Great overview by Steampipe’s Chris Farris of AWS’s announcements in the lead-up to AWS re:Invent. Honestly, none of these stuck out to me as super exciting, but there are some nice improvements.
The API traffic viewer for Kubernetes providing deep visibility into all API traffic and payloads going in, out and across containers and pods inside a Kubernetes cluster. Think TCPDump and Wireshark re-invented for Kubernetes.
Introducing Finch: An Open Source Client for Container Development
AWS announces Finch, a new CLI tool for building, running, and publishing Linux containers. It provides for simple installation of a native macOS client, along with a curated set of de facto standard open source components including Lima, nerdctl, containerd, and BuildKit.
Over half of companies are using open source for Kubernetes security.
Almost a quarter are using 5 or more open source tools (average: 3.6 tools).
Integration challenges are a major inhibitor of open source technology.
Politics / Privacy
How We Built a Meta Pixel Inspector
The Markup, in collaboration with Mozilla Rally, conducted the first large-scale crowdsourced study of the presence of the Meta Pixel and the data it collects in real-world scenarios—when it is encountered while logging in to websites, submitting forms, buying products, and during everyday browsing activities. Great overview of what’s collected.
Here’s how to review your off-Facebook activity.
📢 Sign up for the Threat Modeling Insider Newsletter
Delivering the latest Threat Modeling articles and tips straight to your mailbox.
Our “Threat Modeling Insider” newsletter brings a combination of guest articles, white papers, curated articles and tips on threat modeling.
Join thousands of readers that bootstrap and elevate threat modeling skills every month.
Directly access the archive with articles from Adam Shostack, Izar Tarandach, Geoff Hill, and many more. Every edition features threat modeling tips.
Do not miss our next edition, register to get it in your inbox every time!
— Seba Deleersnyder, CTO Toreon, trainer at Black Hat
A newsletter on Threat Modeling, noice! I looked through a few prior issues and there’s some good links I haven’t seen elsewhere. I signed up 😎
Security, Funded has crossed 1,000 subscribers!
Congrats to my bud Mike Privette, this is awesome. If you’re interested in which companies are getting funded or acquired, funding across verticals, and more, I highly recommend checking it out. I’ve been reading it for probably over a year and have found it quite useful. Subscribe here.
All InfoSec News
An InfoSec news aggregator across Reddit, YouTube, and a variety of news outlets and podcasts.
Elemental | Teaser Trailer
Upcoming Pixar movie.
A letter to little Mol
Inspirational message from UFC fighter Molly McCann to her younger self.
FreeTube - The Private YouTube Client
A YouTube client for Windows, Mac, and Linux built around using YouTube more privately. You can enjoy your favorite content and creators without your habits being tracked.
Weird Thrift Store Shirts
Novelty Twitter account. Warning: a number are not work-appropriate.
An open, editable library catalog, building towards a web page for every book ever published. Millions of books available through Controlled Digital Lending.
White Wine In The Sun by Tim Minchin
A sentimental song about Christmas.
Carefully exploring Rust as a Python developer
How to do common programming tasks and what the tooling looks like for outputting and debugging stuff, handling errors, using external packages, writing tests, reading/writing to files, making HTTP requests, etc.
So long and thanks for all the 0day
After nearly 4 years (30+ in consulting-years) at NCC Group, Jennifer Fernick is stepping down as NCC Group’s SVP & Global Head of Research. I enjoyed her reflections on leading a security research team and a few of her favorite research projects.
It’s weird reading this historical recounting, as I was there during a lot of it. I had a blast at NCC Group- the people were amazing, interesting projects, and I think it fundamentally helped me become the security professional I am today. I’ll always be grateful to the people who believed in and supported me there. My heart swelled a little bit seeing this photo of the Research Directors at NCC Con 2020 ❤️
Bohemian Rhapsody - But every lyric is an AI generated image
The Largest AI Tools Directory. 5+ new tools added every day.
An image classifier from the dating app Bumble pretrained to detect lewd images. They’ve also released a whitepaper.
CICERO: An AI agent that negotiates, persuades, and cooperates with people
Meta announces CICERO, the first AI to achieve human-level performance in the popular strategy game Diplomacy*. CICERO demonstrated this by playing on webDiplomacy.net, an online version of the game, where CICERO achieved more than double the average score of the human players and ranked in the top 10 percent of participants who played more than one game.
AI Art Just Opened The Threat to Human Work We Were Expecting from AGI
Some predictions from Daniel Miessler.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!