• tl;dr sec
  • Posts
  • [tl;dr sec] #170 - Prototype Pollution, Fuzzing, SOC Metrics

[tl;dr sec] #170 - Prototype Pollution, Fuzzing, SOC Metrics

Black-box prototype pollution without the DoS, fuzzing curl and gaining coverage with LLMs, and useful metrics to build an effective SOC.

Hey there,

I hope you’ve been doing well!

Focusing on the Right Stuff

I was going to write you a lovely intro, but unfortunately I’m behind this week.

So instead I shall briefly leave you with some things that made me smile.

It’s worth watching the video:

And from a classic novelty Twitter account:


 📢 Drata’s Compliance Trends Report 2023

74% of GRC teams aren't addressing known vulnerabilities for lack of bandwidth. This isn’t surprising when these same teams are spending over four thousand hours annually just to achieve or maintain compliance.

Fortunately, established and enterprise companies are shifting compliance from a burden to a business accelerator through processes that promote scalability and continuous compliance. If you’re interested to learn how and get the latest on the current and future state of compliance, check out our 2023 Compliance Trends Report.

📜 In this newsletter...

  • Web Security: Tool to extract secrets and paths, run Semgrep in Burp, turning self-XSS into account takeover in SSO, CSS injection -> SSRF write-up, a smart black-box fuzzer for web apps

  • Prototype Pollution: Portswigger on black-box detection techniques without DoS, detecting via a tool that injects hooks via AST rewriting, find prototype pollution via required parameters, paper that uses CodeQL to find universal gadgets and RCE

  • Fuzzing: cURL audit: How a joke led to significant findings, using Codex for better fuzzing coverage

  • Cloud Security: Create SCPs with Terraform, creating a black glass role for emergency use, create a Console session from IAM creds, overview of AWS' new policy language Cedar

  • Container Security: Restricting cluster-admin permissions, OWASP Kubernetes Top 10

  • Blue Team: Extracting TTPs and other info from threat intel docs using GPT2, prevent sensitive link leakage when using URLScan, Airbnb’s approach to access management at scale, useful SOC performance metrics

  • Misc: Why do modern pop songs have so many credited writers?, the rewriting of Roald Dahl, the ‘enshittification’ of TikTok

Web Security

By Damian Strobel: A tool written in Go to extract secrets and paths from files or URLs.

@gand3lf’s Burp Suite extension that adds Semgrep rules into passive scan checks is now live on the BApp Store.

SSO Gadgets: Escalate (Self-)XSS to ATO
Lauritz Holtmann provides an overview of the fundamentals of OAuth2 and OIDC, while raising awareness about the potential impact of incorrect SSO configurations. Lauritz explores how SSO gadgets can turn a seemingly benign self-XSS vulnerability into account takeover, and provides real-world examples that demonstrate each gadget, as well as mitigation strategies to counteract them.

Unleashing the power of CSS injection: The access key to an internal API
Alserda’s Sander Wind writes about how he and other researchers were able to turn a CSS injection identified in an application’s PDF generator into reading local files and SSRF, and via SSRF probe internal hosts. The library used to render PDF files defined a property (reading the docs 🤘) that allowed JavaScript code to be included and executed when a PDF file was opened.

Firefly: a smart black-box fuzzer for web applications testing
YesWeHack’s Brumens shares Firefly, a new black-box web application fuzzer inspired by James Kettle’s Backslash-powered scanner. After first determining an app’s baseline responses, it starts fuzzing with different payloads and input modifications to determine how the app modifies and transforms data, which can be used to detect backend functions, normalizations, and/or bypass security filters used by the system.


 📢 We Hack Purple – Everything You Need to Learn Secure Coding, and More!

Learn how to create secure software, from industry experts! Our fun, live, virtual training teaches developers to code more securely, with checklists, free access to on-demand courses, and a supportive online community, all for one price. Hire us to train your AppSec team, as we build your custom application security program, together! With customized training available, we have something that fits every organization’s software security training needs.

Prototype Pollution

Server-side prototype pollution: Black-box detection without the DoS
PortSwigger’s Gareth Heyes explores various techniques that can be safely used to identify server-side prototype pollution without compromising the core functionality of the application, and releases a free Burp extension that implements the tests. In addition, Gareth provides some tips for debugging Node applications and techniques to prevent these type of vulnerabilities.

Server side prototype pollution, how to detect and exploit
YesWeHack’s BitK describes prototype pollution, how to find gadgets, and introduces pp-finder, a tool that makes it easier to find prototype pollution in JavaScript codebases.

PP Finder works by using the TypeScript parser to generate ASTs for each file, then modifies the tree to inject hooks that detect if an undefined property is accessed. You then run the modified code and PP Finder reports potential gadgets and tells you the relevant piece of code. Rad. Using PP Finder, they found vulnerabilities in Express, Fastify, VueJS, JSDom, and Axios.

Detecting Server-Side Prototype Pollution
Intruder’s Daniel Thatcher describes another black-box method to detect server-side prototype pollution:

  1. Find an endpoint that fails if a certain argument isn’t provided.

  2. Then attempt to prototype pollute with that argument name across each other endpoint, checking the original endpoint after each request.

  3. If the original request succeeds without you provided the required argument, then you have successfully found prototype pollution.

We build the first multi-staged framework that uses multilabel static taint analysis to identify prototype pollution in Node.js libraries and applications, as well as a hybrid approach to detect universal gadgets, notably, by analyzing the Node.js source code. We implement our framework on top of GitHub’s static analysis framework CodeQL to find 11 universal gadgets in core Node.js APIs, leading to code execution. Furthermore, we use our methodology in a study of 15 popular Node.js applications to identify prototype pollutions and gadgets. We manually exploit eight RCE vulnerabilities in three high-profile applications such as NPM CLI, Parse Server, and Rocket.Chat.


cURL audit: How a joke led to significant findings
Trail of Bits’s Maciej Domanski describes extending AFL++ to better support fuzzing CLI arguments, and how that enabled them to find use-after-free, double-free, and memory leaks in libcurl, which is used by many applications.

Some additional tips I liked: using curl’s man page to seed the fuzzing dictionary, and using iptables to redirect all TCP packets to localhost and then using netcat to listen for connections from cURL.

We augment search-based unit test generation for Python with queries to Codex, asking Codex to create test-cases for functions with low coverage when coverage stalls (N generations with no coverage increases)

Codex is particularly good at generating “special strings” (a.k.a. “magic” strings), a recurring issue in automated testing. But it also brings benefits in being able to guess to right types of arguments when this is missing in Python, and using more complex syntactic structures.

My higher-level thoughts: while the Codex generated tests definitely gave coverage advantages, I don’t think LLMs are the be-all-end-all technique here. Codex is particularly good at “magic strings”, but not so good at the exploration we get from randomness-aided search.

Cloud Security

Set up a template to easily create and apply AWS Service Control Policies (SCPs) with Terraform.

Create a break glass role for emergency use in order to limit production console access. Configure automatic alerts and logging of activities in the role to secure its use in production environments.

Create a Console Session from IAM Credentials
If you’re performing an AWS assessment and you encounter IAM credentials, Nick Frichette describes how to spawn an AWS Console session using a tool like aws-vault.

Cedar: A new policy language
Ian Mckay from One Cloud Please writes about Cedar, a new language created by AWS to define access permissions using policies, similar to the way IAM policies work today. Ian covers why Cedar was created, how to author policies, and some additional language features.

Cedar can be used for non-AWS applications, is written in Rust, and was designed to be simple to reason about if two policies are exactly equivalent.

Container Security

Restricting cluster-admin Permissions
By Giant Swarm’s Marcus Noble: By default, Kubernetes cluster operators are assigned to the cluster-admin ClusterRole, allowing them to perform any action. RBAC only allows for adding permissions, so if you need to block an action performed by cluster admins, you can leverage an admission controller like Kyverno.

OWASP Kubernetes Top 10
Sysdig’s Nigel Douglas groups the OWASP Kubernetes Top 10 into three categories in order of likelihood (misconfigurations, lack of visibility, and vulnerability management), describes the risks, mitigations, and shares relevant tools.

Blue Team

Extract Actionable Intelligence from Text-based Threat Intel using Sentinel Notebook
Microsoft’s Vani Asana introduces the MitreMap Notebook, a notebook that uses the GPT2 language model to map unstructured descriptive text of an incident to the relevant MITRE ATT&CK Enterprise techniques, as well as identify the tools, techniques and procedures (TTPs) used by the actor group and the Indicators of Compromise (IoCs) in the report.

How to Categorize and Prevent Risks of Sensitive Links in URLScan
Tinder Security Labs’ Rojan Rijal, Johnny Nipper and Tanner Emek write about how misconfigurations on the URLScan service used to identify potentially malicious websites could sometimes expose internal assets, domains and sensitive information to the public and be leveraged to gain access into corporate systems.

Airbnb’s Approach to Access Management at Scale
Airbnb’s Paul Bramsen discusses how the implementation of a centralized, self-serve access control platform has helped enable Airbnb’s large team of employees, contractors, and call center workers to perform their jobs efficiently and effectively in almost every region of the world. This has also helped Airbnb maintain trust while complying with legal requirements.

Performance metrics, part 1: Measuring SOC efficiency
Expel’s Jon Hencinski writes on how ineffective operations management can lead to SOC burnout and shares his vision on how to set up a measurement framework that helps SOC leads ensure goals are being met, creating a metrics strategy, and three metrics they believe are fundamental to managing a SOC:

  1. When do alerts show up? (alert seasonality)

  2. How long do alerts wait before a robot or an analyst attends to them? (alert latency)

  3. How long does it take to go from alert to fix? (remediation cycle time)

Goals are things you want, strategy is how you’re going to get there and measurements tell you where you are in that journey.

Clear aims + ownership of the problem + data for learning + persistence = success


Why Do Modern Pop Songs Have So Many Credited Writers?
How modern songwriting evolved into a game of aggressive credit—even for the people who didn’t technically do the composing.

The publishers have given themselves licence to edit the writer as they see fit, chopping, altering and adding where necessary to bring his books in line with contemporary sensibilities. By comparing the latest editions with earlier versions of the texts, The Telegraph has found hundreds of changes to Dahl’s stories.

Language related to weight, mental health, violence, gender and race has been cut and rewritten. Remember the Cloud-Men in James and the Giant Peach? They are now the Cloud-People. The Small Foxes in Fantastic Mr Fox are now female. In Matilda, a mention of Rudyard Kipling has been cut and Jane Austen added.

The ‘Enshittification’ of TikTok
By Cory Doctorow, with examples of Amazon, Facebook, Google, and TikTok.

Here is how platforms die: First, they are good to their users; then they abuse their users to make things better for their business customers; finally, they abuse those business customers to claw back all the value for themselves. Then, they die.

I call this enshittification, and it is a seemingly inevitable consequence arising from the combination of the ease of changing how a platform allocates value, combined with the nature of a “two-sided market,” where a platform sits between buyers and sellers, hold each hostage to the other, raking off an ever-larger share of the value that passes between them.

Technological self-determination is at odds with the natural imperatives of tech businesses. They make more money when they take away our freedom—our freedom to speak, to leave, to connect.

Apparently Cory has a new book, Chokepoint Capitalism, on “how big tech and big content captured creative labor markets, and how we’ll win them back.”

✉️ Wrapping Up 

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!