[tl;dr sec] #29 - Testing GraphQL, Bug Bounty Programs, & AWS Service Control Policy Best Practices

Hey there,

I hope you’re doing well!

Help Make tl;dr sec More Useful 🙌

I’ve been thinking about the structure of tl;dr sec and what I focus on.

Quick question: which do you find most useful?

1. A weekly digest of links that gets into a little detail about the content of the article

2. A weekly digest of links that’s shorter, giving perhaps only a sentence about each article

3. Summaries of solid security conference talks

Please click the link that best matches how you feel ☝️

Web Security

InQL Scanner
Doyensec’s Andrea Brancaleoni released InQL, a tool to ease testing of GraphQL. Available as a CLI tool and Burp extension. “The tool leverages GraphQL built-in introspection query to dump queries, mutations, subscriptions, fields, arguments and retrieve default and custom objects. This information is collected and then processed to construct API endpoints documentation in the form of HTML and JSON schema. InQL is also able to generate query templates for all the known types. The scanner has the ability to identify basic query types and replace them with placeholders that will render the query ready to be ingested by a remote API endpoint.”

Attacking Secondary Contexts in Web Applications
Sam Curry’s Kernelcon talk has some great details and examples of how to identify how a web app is doing routing (without source code) and the vulnerabilities that can ensue. Well worth reading if your job is attacking or defending web apps.

Unix-style approach to web application testing
Creating a new Burp Suite extension requires a fair amount of boilerplate. This whitepaper and supporting videos describe Piper, a Burp extension that makes it easy to invoke an external command (e.g. any commandline tool) to process/transform data to and from Burp. This could make the feedback loop of building new features or integrations much easier, and hopefully will save you some UI headaches.

KishanBagaria / padding-oracle-attacker
“CLI tool and library to execute padding oracle attacks easily, with support for concurrent network requests.”

Automatically Generating Content Security Policy
Mini guide on using Csper Builder, a Firefox addon.

/i considered harmful
If you’re doing regexes on domain names (e.g. to avoid SSRF or as part of a CORS policy), try to not to use /i (case insensitive match). Louis Nyffenegger found that regexes in different programming languages handle uppercase/lowercase Unicode differently. An attacker could use this bypass your regex filter.

RFC 8725: JSON Web Token Best Current Practices
An RFC for current JWT security best practices.

Bug Bounty

Six years of the GitHub Security Bug Bounty program

• Their program recently passed $1M total payout, over half paid out in the last year alone.

• They’ve maintained an average response time of 17 hours.

• Cool bugs: OAuth flow bypass using cross-site HEAD requests, GitHub.com remote code execution through command injection (via malicious Mercurial branch name)

• At H1-702 in Vegas last August, they paid out over $155,000 to researchers in one night, with half of the rewards for high or critical severity issues.

• The GitHub Security Lab (aka the artist formerly known as Semmle) has received 20 CodeQL submissions and awarded ~$21,000, with hundreds of vulnerabilities fixed across the OSS ecosystem as a direct result.

How we run our bug bounty program at Segment
This meaty post by Leif Dreizler is probably one of the best “how to run a bug bounty” posts I’ve read (please send me any other recs you have). I don’t have time or space to list the details here, but if you care about bug bounty, you should read it. See also Arkadiy Tetelman’s Data Driven Bug Bounty talk.

Cloud Security

AWS SCP Best Practices
Excellent, detailed post with actionable takeaways by Scott Piper, covering what Service Control Policies (SCP) are, common gotchas, and a number of example policies, including allowing only approved services or regions, denying root user access, requiring the use of IMDSv2, denying the ability to make a VPC accessible from the Internet that isn’t already, and protecting your security baseline.

MKIT - Managed Kubernetes Inspection Tool
“A Managed Kubernetes Inspection Tool that validates several common security-related configuration settings of managed Kubernetes cluster objects (Azure, AWS, and GCP) and the workloads/resources running inside the cluster.” Uses several Chef Inspec profiles to do it.

Top 10 security items to improve in your AWS account
AWS blog post that provides some details about the top 10 most important cloud security tips that Stephen Schmidt, AWS’ CISO, laid out at AWS re:Invent 2019.

AWS Ground Station
Not really security, but satellites! “A fully managed service that lets you control satellite communications, process data, and scale your operations without having to worry about building or managing your own ground station infrastructure.”

Container Security

Writing Kubernetes network policies with Inspektor Gadget’s Network Policy Advisor
Describes new features of a tool, Inspektor Gadget, that makes it easy to create Kubernetes network policies by having it monitor and analyze network traffic then autogenerate a policy. It uses BPF to provide its “gadgets.” Other features include: tracing IPv4 and IPv6 bind() system calls, tracing files and new processes, and more.

Red Team

hotnops / gtunnel
“A TCP tunneling suite built with golang and gRPC. gTunnel can manage multiple forward and reverse tunnels that are all carried over a single TCP/HTTP2 connection.”

GoSH - Golang reverse/bind shell generator
“Generates a Go binary that launches a shell of the desired type on the targeted host. The shell binary can be compiled for multiple platforms, supports partial polymorphism (unique functions’ names) and can use UDP protocol instead of the default TCP.”

persistence using Leiningen profiles.clj
Quick gist demonstrating post exploitation persistence using Clojure’s dependency management tool.

A Review of the Sektor7 RED TEAM Operator : Malware Development Essentials Course
“It will teach you how to develop your own custom malware for latest Microsoft Windows 10. And by custom malware we mean building a dropper for any payload you want (Metasploit meterpreter, Empire or Cobalt Strike beacons, etc.), injecting your shellcodes into remote processes, creating trojan horses (backdooring existing software) and bypassing Windows Defender AV.”

Blue Team

Rego Playground: New Features
Open Policy Agent (OPA) helps you implement policy as code using a high-level declarative language called Rego. The Rego Playground provides an online interactive environment where users can experiment with and share OPA policies. The playground is now preloaded with a catalogue of examples for common use cases like Kubernetes admission control, API authorization with Envoy and more.

Fixing the Desktop Linux Security Model
The post describes a number of ways in which the Linux security model isn’t as strong as it could be (e.g. kernel hardening, AppArmor policies for user space processes, hardening malloc, verified boot, and more), and what Whonix, a Linux distribution focused on security, privacy, and anonymity, does about it. Includes some neat, low level hardening info and references.

iOS Security Analysis with MobSF
The Netguru team added Swift support to MobSF’s source code analysis capabilities by adding regex/string patterns based on reviewing the OWASP Mobile Application Security Verification Standard (MASVS) and Mobile Security Testing Guides (MSTG).

Politics / Privacy

Revealed: Saudis suspected of phone spying campaign in US
A whistleblower revealed data indicating that Saudi Arabia has been using SS7 (a global messaging system that allows mobile operators to connect users around the world) to track Saudi citizens in the US.

Direct SQL Access to the Latest COVID-19 Data Sets
Adam Fletcher and Jon Mortensen have been building https://bit.io, a “a zero-config, scalable cloud database with the social and community features of GitHub.” In this LinkedIn post, they describe this data set they published, which joins the John Hopkin’s data set (tracking infections and fatalities) with CovidTracking (testing data), and they’re adding in census data and other useful epidemiology reference data too.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them

🙏

Thanks for reading!

Cheers,