• tl;dr sec
  • Posts
  • [tl;dr sec] #169 - Top 10 Web Hacking Techniques of 2022, Finding Malicious Dependencies, Fearless CORS

[tl;dr sec] #169 - Top 10 Web Hacking Techniques of 2022, Finding Malicious Dependencies, Fearless CORS

Portswigger released a curated list of awesome web security research from last year, some approaches to finding malicious dependencies + open source tools, a great deep dive into CORS + principles on making a solid CORS middleware library

Hey there,

I hope you’ve been doing well!

Coffee Snobs Aficionados

I’m not a big coffee person, but it seems like being into coffee is one of those Bay Area things.

A number of my friends have their go-to coffee shops, brands, and have experimented with (and own) 4+ ways to make coffee in their house.

I came across this and I had to share, I hope you feel seen, dear reader:

Have a great rest of your week and weekend!

PS. My colleagues and I at Semgrep just released some exciting new stuff, more details towards the end.

Sponsor

 📢 Wiz’s 2023 State of the Cloud Report

Wiz’s State of the Cloud 2023 report provides analysis of trends in cloud usage such as multi-cloud, use of managed services and more. In addition, the report highlights notable cloud risks based on our scanning of over 200,000 cloud accounts, including more than 30% of the Fortune 100 environments. For instance, our data shows that 47% of companies have at least one database or storage bucket publicly exposed to the internet, and an attacker can discover and access an exposed bucket with a guessable name (e.g. “wiz-backup”) in less than 13 hours.

📜 In this newsletter...

  • AppSec: Secrets patterns database, data-first security scanner, attacking SaltStack

  • Web Security: Burp Suite Certified Practitioner Exam study notes, Fearless CORS, 10 web hacking techniques of 2022

  • Cloud Security: Protecting your AWS environment from ransomware, role chain juggling, how adversaries can persist with AWS user federation

  • Container Security: Authenticate to Kubernetes with AWS IAM creds

  • Supply Chain: ATT&CK but for supply chain security, OpenVEX spec, evaluating supply chain security at Mercari + their threat model

  • Sigstore: Sigstore Python client, a guide to running Sigstore locally

  • Detecting Malicious Dependencies: Overview of obfuscation techniques used by malicious packages, GuardDog now supports npm + has new heuristics

  • Machine Learning: CloudGPT, 30% of professionals have used ChatGPT at work, is ChatGPT useful for secure code review?, openai-to-sqlite, summarize arXiv papers with ChatGPT, ChatGPT's caricature of a New York Times story intro

  • Misc: 2023 predictions distilled, visually simulate Git operations, pranking my roommate with targeted facebook ads, a proposal of OWASP changes, a language for describing cloud service APIs and generating code, replace your ex with red flags, IBM and the Holocaust

AppSec

mazen160/secrets-patterns-db
By Mazin Ahmed: Over 1,600 regexes for detecting secrets, passwords, API keys, tokens, and more.

Bearer/curio
By Bearer: A data-first security scanner that finds risks and vulnerabilities in your code so you can protect sensitive data (PHI, PD, PII).

A-Salt: attacking SaltStack
Skylight Cyber Security’s Alex Hill introduces a series of common misconfigurations they’ve seen in the wild in the IT orchestration platform SaltStack, as well as a novel template injection technique that can achieve remote code execution on a salt-master (or master-of-masters) server.

Sponsor

 📢 CCPA, CTDPA, VCDPA... Digging into US Data Privacy in 2023

Recently, more states have joined California and passed consumer data protections, including Connecticut, Colorado, Virginia, and Utah, with additional data privacy laws in the works at both the state and federal levels. How should businesses respond? Join the webinar on March 1 with Matt Cooper, Sr. Manager, Privacy, Risk & Compliance at Vanta, and Arlo Gilbert, CEO and Co-founder at Osano, to learn about the changing privacy landscape in the US and how to build trust and win new business in 2023.

Web Security

botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study
Juan Botes’s on the PortSwigger Academy Burp Suite Certified Practitioner (BSCP) Exam topics, covering gaining a foothold, privilege escalation, data exfiltration, and more.

Fearless CORS: a design philosophy for CORS middleware libraries (and a Go implementation)
Epic deep dive by Julien Cretel on why developers struggle with CORS, his proposal for “Fearless CORS”, a design philosophy for better CORS middleware libraries with 12 principles, and a production ready Golang CORS middleware library fcors. If you’ve seen a more thorough treatise on CORS, please send it to me.

Top 10 web hacking techniques of 2022
Portswigger’s James Kettle et al share the list of some excellent research, including:

  1. Account hijacking using dirty dancing in sign-in OAuth-flows by Detectify’s Frans Rosén.

  2. Browser-Powered Desync Attacks by Portswigger’s James Kettle

  3. Zimbra Email - Stealing Clear-Text Credentials via Memcache injection by Simon Scannell

Cloud Security

Updated ebook: Protecting your AWS environment from ransomware
By AWS’s Megan O’Neil and Merritt Baer: The new ebook includes the top 10 best practices for ransomware protection and covers new services and features that have been released since the original published date in April 2020.

Role Chain Juggling
Overview by Nick Frichette on a technique to maintain access to an AWS environment for an extended period of time when you don’t have the ability to create a new IAM user or create a new key for existing users.

How Adversaries Can Persist with AWS User Federation
CrowdStrike’s Vaishnav Murthy describes a technique that allows attackers to persist beyond credential revocation. How it works: obtain valid AWS API credentials with the necessary STS and IAM permissions, then use the sts:GetFederationToken API call to create a federated user session. Permissions and access to the federated sign-in session survive the deactivation of the base user’s API credentials.

Container Security

kubernetes-sigs/aws-iam-authenticator
A tool to use AWS IAM credentials to authenticate to a Kubernetes cluster.

Supply Chain

Open Software Supply Chain Attack Reference
Like MITRE ATT&CK but for supply chain security. OSC&R provides a comprehensive and actionable approach to understanding attacker behavior and techniques (TTPs) in the context of the software supply chain.

Chainguard to Accelerate VEX Adoption through OpenVEX Specification
Chainguard and collaborators have released OpenVEX, an implementation of the Vulnerability Exploitability Exchange (VEX) that is designed to be minimal, compliant, interoperable, and embeddable. VEX complements SBOMs, allowing suppliers to communicate the exploitability of components with known vulnerabilities in the context of the product in which they are used (that is, just because a product includes a vulnerable component does not mean it is exploitable).

Supply-Chain Security: Evaluation of Threats and Mitigations
Mercari’s Hashimoto Wataru details his research into attacks and mitigations related to supply chain security by examining the effectiveness of each countermeasure. The article provides a specific example of how Mercari was directly affected by the compromise of an external code coverage tool in their CI/CD pipeline.

…we clarified the limited effectiveness of recently trending countermeasures such as a software bill of materials (SBOM) which are often adopted without much thought given to their actual efficacy as a solution.

Based on the results of our threat modeling, we proposed the need for a centralized CI pipeline that takes care of operations related to supply chain security through a single point of entry. A centralized CI pipeline can better enforce security requirements to developers, and replace pipelines where responsibility for security ends up delegated to the individual developers of each component in the pipeline.

It is important to evaluate which policies can act as a defense against which type of attacks.

Sigstore

sigstore/sigstore-python
A Python tool for generating and verifying Sigstore signatures. You can use it to sign and verify Python package distributions, or anything else!

A Guide to Running Sigstore Locally
Felix Wolff and Andrew Block have written a guide that demonstrates how to stand up a Sigstore deployment on your own infrastructure using Kubernetes. This can be useful in a corporate context with private repositories and private artifacts, so you don’t leak info to competitors about what you’re building or potential context for supply chain attacks.

Detecting Malicious Dependencies

How to identify and avoid malicious code in your software supply chain
In the final installment of his malicious package series, Jfrog’s Jonathan Sar Shalom describes several obfuscation techniques attackers use to hide malicious payloads (public obfuscator tools, control flow flattening, homoglyph characters, bidirectional control characters, anti-debug techniques) as well as best practices for detecting and preventing malicious packages.

Announcing GuardDog 1.0, with npm support, new heuristics, and easier CI integration
Datadog’s Christophe Tafani-Dereeper and Vladimir de Turckheim announce a new major version of GuardDog, an open source project that aims to identify malicious packages using Semgrep and package metadata analysis. The new version adds support for:

  • Scanning npm packages

  • Integration in CI pipelines with GitHub Actions and GitHub Code Scanning

  • Verifying PyPI package integrity

Machine Learning

CloudGPT
Use ChatGPT to analyze AWS policies for vulnerabilities, by Mike Felch.

Nearly 30 percent of professionals say they have used ChatGPT at work
From a poll by the social network Fishbowl conducted from Jan. 4 to 8 among almost 4,500 professionals from various companies, including Amazon, Bank of America, Edelman, Google, IBM, JPMorgan and Twitter.

Security Code Review With ChatGPT
NCC Group’s Chris Anley walks through having ChatGPT explain several vulnerabilities in the ‘Damn Vulnerable Web Application’ (DVWA) and analyzes its results.

TL;DR: Don’t use ChatGPT for security code review. It’s not meant to be used that way, it doesn’t really work (although you might be fooled into thinking it does), and there are some other major problems that make it impractical. Also, both the CEO of OpenAI and ChatGPT itself say that you shouldn’t.

simonw/openai-to-sqlite
Utilities for interacting with OpenAI APIs and storing the results in a SQLite database, by Simon Willison.

hunkimForks/chatgpt-arxiv-extension
A browser extension that uses ChatGPT to summarize papers on arXiv, and generate: key insights, questions for the author, suggestions for related topics/future research directions, and relevant references.

Tom Brady and Gisele Bündchen Face Off in AI Rap Battle
At a recent hackathon, a team build AI rap battle, which lets you enter the names of two famous people, pitting their stick-figure forms against each other in robot-voice rap battle, all set to a steady hip-hop beat.

Semgrep ❤️

Semgrep keeps getting better!

Here are some exciting things we launched (on Valentine’s Day 🎁):

  • The OSS engine now has initial support for Rust and a few Lisps (Clojure, Scheme, etc.)

  • The Semgrep Pro Engine now supports inter-file analysis for Java and JavaScript

  • There are now >350 Semgrep Pro rules (high signal, artisanally crafted by Semgrep’s security research team, leveraging the latest engine features) covering secrets, XXE, deserialization, and more

  • plus other stuff

You can read more on the announcement blog post.

If there’s anything you want more of, feel free to let me know!

Misc

2023 predictions
Rami McCarthy synthesizes 2023 predictions from 19 other posts/talks/etc.

git-sim: Visually simulate Git operations in your own repos
Easily get a visual picture of what any git command is going to do without running it.

owasp-change/owasp-change.github.io
An open letter to the OWASP Board on how some core projects and community members would like things to change for their projects and communities to succeed and grow in the future.

microsoft/cadl
A language for describing cloud service APIs and generating other API description languages, client and service code, documentation, and other assets. Using Cadl, you can create reusable patterns for all aspects of an API, along with the ability to check for and flag known anti-patterns. These patterns establish “guardrails” for API designers and make it easier to follow best practices than deviate from them.

Replace Your Ex with Red Flags, Snakes and more with Picsart’s AI Replace
New feature from photo and video editing tool PicsArt.

The book is a breathtaking history with the kind of rigor that is exceedingly rare. Hundreds of people across the globe contributed primary source research to it, making it one of the most meticulously rich archives of crime and conspiracy ever produced.

It reads like a beautiful thriller telling one of the most important stories of modern history: the role of American corporation IBM in making the Holocaust possible, and profiting from it. You will never look at IBM–or any corporate entity–the same way ever again.

IBM’s tabulation technology & employees powered Nazi Germany, to the enormous profit of IBM. IBM was essential to nearly everything Hitler did to accomplish genocide, from detailed census tracking/identification of European Jewry to the timing of the trains to the gas chamber.

✉️ Wrapping Up 

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint