
[tl;dr sec] #194 - CNAPPGoat, KubeFuzz, tl;dr sec swag

Multi-cloud open source tool to deploy vulnerable-by-design cloud resources, fuzzing Kubernetes Admission Controllers, where you can get tl;dr sec swag at Hacker Summer Camp

Hey there,

I hope you’ve been doing well!

Hacker Summer Camp

This is the first time I’m attending the Vegas conferences since the pandemic, and I’ve been having a blast reconnecting with friends and meeting new people.

I’ve also been chipping away at this issue in the mornings and evenings, like right now, at 11:37pm Wednesday when my friends are at a pool party 😅 

To save time in the mornings, I bought some Cheerios and milk from a nearby CVS. But I didn’t have a bowl, so I improvised by getting some containers from Popeyes I’ve been eating out of.

I didn’t choose the glam life, it chose me.

Reminds me of when I was also eating Cheerios in my hotel room in Hawai’i at LocoMocoSec 😆 

🎁 tl;dr sec Swag

I’ve been handing out tons of tl;dr sec t-shirts and stickers.

If you want some, find me, or I’ve stashed some 👇️ 

AppSec Village - Friday

Talk: DevSecOps Worst Practices - 12:30pm - 1:15pm
By my long-time friend and new-time colleague Tanya Janca 🙌 

DEF CON

At the Miscreants booth.

This could be you!

Sponsor

📣 Rampant cloud activity?

Cloud risk can grow faster than your AWS bill (true story).

That’s why Wiz partnered with Wiley to create the AWS Security for Dummies ebook. This free PDF contains 46 pages of expert tips to harden your AWS environment, including:

  • How to get the basics right to help scale security when your footprint (inevitably) grows

  • How to secure specific resources based on your usage (VMs, S3, Cloudtrails, and more)

  • Which critical weaknesses to prioritize so you aren’t caught off guard

Grab your free digital copy now and boost your AWS security posture.

📜 In this newsletter…

  • Web Security: Attack surface detector, tool to check for NGINX path traversal vulnerabilities, exploiting POST-based XSS

  • AppSec: “Hot takes” with Caleb Sima

  • Cloud Security: Security implications of signing URLs in GCP, "Attacks As A Service" framework built on Google Workflows, CNAPPGoat

  • Container Security: Talk: Testing and Fuzzing the Kubernetes Admission Configuration, a tool to fuzz k8s admission controllers

  • Red Team: Ghidra plugin for mapping out code coverage data

  • Politics / Privacy: China influence campaigns in the U.S.

  • Machine Learning + Security: AI vulnerability database, AI incident database, mitigating stored prompt injection

  • Machine Learning: Searchable list of AI tools, nice GUIs to write/manage prompts, tool to add guardrails to LLM conversational systems, Adversarial Policies Beat Superhuman Go AIs

  • Misc: CLI JSON viewer, layoffs at NCC Group, Do Burnout and Addiction Have the Same Root Cause?, The Past is Not True

Web Security

hahwul/noir
By hahwul and ksg97031: An attack surface detector that automatically extracts endpoints and web resources from source code. Seamlessly integrates with proxy tools like ZAP, Burp Suite, and Caido.

hakaioffsec/navgix
By celesian: A multi-threaded Golang tool that checks for NGINX alias traversal vulnerabilities using heuristics and brute-force techniques.

Chaining Vulnerabilities to Exploit POST Based Reflected XSS
Normally POST-based reflected XSS is tough to exploit, but TrustedSec's Drew Kirkpatrick shares how it can be done by chaining other vulnerabilities, such as method tampering, CSRF, and spoofed JSON with CSRF. Drew walks through each and releases postBasedXSS, a vulnerable lab where you can practice.

Sponsor

📣 Just-in-time access for your cloud infrastructure with ConductorOne

Managing access to cloud infrastructure can be a headache.

ConductorOne’s Cloud PAM solution gives teams just-in-time (JIT) access to cloud resources, drastically reducing standing access and permissions. No more tickets. No more waiting.

Learn how you can take control of accounts and permissions throughout your environment and achieve least privilege access for AWS, GCP, AzureAD, Snowflake and more.

AppSec

"Hot Takes" with CISOs & CyberSecurity Leaders - Caleb Sima
New series by Cloud Security Podcast’s Ashish Rajan in which he interviews CISOs while eating spicy food.

Cybersecurity is just a symptom of a root cause.

The root cause is— in engineering and infrastructure, what are your best practices?

If you have really good engineering and infrastructure hygiene, it resolves 80% of a lot of your cybersecurity symptoms problems.

So the one thing I’d change is that cybersecurity should no longer be a team that layers on top but instead I think engineering needs to eat cybersecurity.

Caleb Sima

Cloud Security

Signing URLs in GCP: Convenience vs. Security
Leviathan's Vladyslav Horodivskyi delves into the distinctions between signing URLs using a service account key and employing the signBlob IAM method. The latter approach can potentially lead to privilege escalation within your GCP environment if the service account becomes compromised (e.g. due to SSRF, RCE, or local file read). Vladyslav has also created a Terraform script that sets up a vulnerable environment for testing purposes.

vectra-ai-research/derf
By Kat Traxler: DeRF (Detection Replay Framework) is an "Attacks As A Service" framework built on Google Workflows that allows the emulation of offensive techniques and the creation of replicable detection samples in a cloud-based environment.

CNAPPgoat: The Multicloud Open-Source Tool for Deploying Vulnerable-by-Design Cloud Resources
Ermetic's Lior Zatlavi introduces CNAPPgoat, an open-source project that can modularly provision vulnerable-by-design components across AWS, Azure, and GCP. It can spin up atomic vulnerable scenarios, encompassing identity and entitlement management, exposure of workloads to vulnerabilities, and misconfiguration of cloud infrastructure components.

Container Security

Testing and Fuzzing the Kubernetes Admission Configuration
Troopers 2023 talk by Avolens' Benjamin Koltermann and Maximilian Rademacher on admission controller best practices, real-world examples, and the challenges of testing admission controllers in practice. They also introduce kubefuzz, described below.

avolens/kubefuzz
By Benjamin Koltermann and Maximilian Rademacher: A generative and mutative fuzzer for Kubernetes admission controller chains that can be used to uncover unexpected behavior in complex admission controller setups.

Red Team

Tool Release: Cartographer
NCC's Austin Peavy introduces Cartographer, a Ghidra plugin for mapping out code coverage data. It simplifies the complexities of reverse engineering by allowing researchers to visually observe which parts of a program were executed, obtain details about each function’s execution, compare different runs of the same program, and more.

Politics / Privacy

Pro-China influence campaign allegedly financed staged protests in Washington
Mandiant believes a new Chinese influence campaign used newswire services, staged protests, and billboard ads to spread pro-Beijing propaganda in the U.S. 

The Chinese marketing firm also supposedly ran 72 fake news sites worldwide, posing as independent news outlets while actually spreading content “strategically aligned with the political interests of China.” This is a meaningful escalation in China’s influence efforts.

Machine Learning + Security

AI Vulnerability Database
An open-source knowledge base of failure modes for AI models, datasets, and systems. Two focuses: a Taxonomy of the different avenues through which an AI system can fail, and a Database of evaluation examples that contain structured information on individual instances of these failure (sub)categories.

AI Incident Database
A database (currently >1,000 incidents) dedicated to indexing the collective history of harms or near harms realized in the real world by the deployment of artificial intelligence systems. Like similar databases in aviation and computer security, it aims to help us learn from experience so we can prevent or mitigate bad outcomes.

Mitigating Stored Prompt Injection Attacks Against LLM Applications
NVIDIA's Joseph Lucas discusses how information pulled from external sources (e.g. vector databases) and included in prompts as context for answering a user's request can be a source of prompt injection, and covers potential options for mitigating this risk, such as adding sanitizing or transforming steps.

Machine Learning

Quicklinks

  • Future Tools - A searchable, filterable list of almost 2,000 AI tools, by Matt Wolfe.

  • ChainForge - An open-source visual programming environment for prompt engineering, LLM evaluation and experimentation. Evaluate the robustness of prompts and text generation models with little to no coding required.

  • PromptKnit - Another nice UI around building and managing prompts.

NVIDIA/NeMo-Guardrails
An open-source toolkit for easily adding programmable guardrails to LLM-based conversational systems.

Adversarial Policies Beat Superhuman Go AIs
Clear implications for applying AI to security.

We attack the state-of-the-art Go-playing AI system KataGo by training adversarial policies against it, achieving a >97% win rate against KataGo running at superhuman settings. Our adversaries do not win by playing Go well. Instead, they trick KataGo into making serious blunders. Our attack transfers zero-shot to other superhuman Go-playing AIs, and is comprehensible to the extent that human experts can implement it without algorithmic assistance to consistently beat superhuman AIs. The core vulnerability uncovered by our attack persists even in KataGo agents adversarially trained to defend against our attack. Our results demonstrate that even superhuman AI systems may harbor surprising failure modes.

Misc

Quicklinks

  • jless - A CLI JSON viewer designed for reading, exploring, and searching through JSON data.

  • Beyoncé’s tour has 14 culinary professionals, including an English pastry chef, a vegan chef, and 3 personal chefs just for her and her inner circle. #tldrsectour2024

  • Moar Layoffs at NCC Group - Sad, NCC was a really formative place for me, and I got to work with some incredible people, many of whom are still friends today.

Do Burnout and Addiction Have the Same Root Cause?
Daniel Miessler posits that a strong and positive purpose in life may immunize you against both.

The Past is Not True
Aim a laser pointer at the moon, then move your hand the tiniest bit, and it’ll move a thousand miles at the other end. The tiniest misunderstanding long ago, amplified through time, leads to piles of misunderstandings in the present.

We think of the past like it’s a physical fact - like it’s real. But the past is what we call our memory and stories about it. Imperfect memories, and stories built on one interpretation of incomplete information. That’s “the past”.

You can change your history. The actual factual events are such a small part of it. Everything else is perspective, open for re-interpretation. The past is never done.

Derek Sivers

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler