[tl;dr sec] #45 - Bucket Brigade, ReDoS Cheat-sheet, Understanding OAuth
Protecting your public S3 buckets, how to find, prevent, and fix regular expression DoS, and walk step-by-step through the OAuth flow.
Hey there,
I hope you've been doing well! Maybe even chill and folksy, like the new T Swift album.
Sponsor
📢 Datadog Security Monitoring
Detect security threats in minutes with Datadog Security Monitoring using 75+ OOTB detection rules and detailed observability data: metrics, traces and logs in one, integrated platform. Learn more by signing up for a live demo with one of their security engineers and receive a Datadog T-shirt.
📜 In this newsletter...
🔗 Links:
AppSec: Something special in the static analysis world, abusing privilege escalation in Salesforce, GitHub's security roadmap, zero knowledge proofs primer, regular expression denial-of-service cheatsheet
OAuth: Two tools to walk step-by-step through OAuth flows
Web Security: awesome-web-security repo
Cloud Security: Detecting persistence via STS tokens, Kafka primer, CIS Amazon EKS benchmark, state of open source Terraform security report
Network Security: Scan ports fast with Rust
Red Team: Analyzing custom U-Boot bootloaders, awesome-red-teaming
Reverse Engineering: Ghidra plugin for visualizing binaries, cross-platform code tracer based on Frida and Capstone
Politics / Privacy: Tips on spotting deep faked people
OSINT: rengine: automated reconnaissance framework for gathering info during a web app pen test
Misc: Notes from a talk by Alan Kay, Markdown OSCP exam report template, use the worst tool for the job, PLTalk notes, reverse threat modeling for attribution, convert your photos to anime characters
📚 How to Use the Bucket Brigade to Secure Your Public AWS S3 Buckets
Awesome post by Adam Youngberg on how Databricks secures their public S3 buckets, and they've open sourced their solution.
AppSec
“There’s something truly special happening in the static analysis world”
Neat thread by OWASP ASVS co-author Daniel Cuthbert on how he sees static analysis currently changing, and its future 🚀
Abusing Privilege Escalation in Salesforce
Nitay Bachrach describes how a malicious insider with the Author Apex permission can escalate their privileges to take over an organization’s Salesforce account and all data within it.
GitHub’s Security Roadmap
GitHub is now tracking some of its roadmap via public GitHub issues, which is neat. 👆 filters to just the security-focused ones. H/T Isaac Evans for the link.
Zero Knowledge Proofs: An illustrated primer
Great overview and explanation in plain English (and funny!) by Johns Hopkins University professor Matthew Green.
The Regular Expression Denial of Service (ReDoS) cheat-sheet
Great ReDoS overview by Purdue Professor Jamie Davis, including many links to tools and approaches to prevent and detect ReDoS, with bountiful links to other resources to learn more. See also his tool vuln-regex-detector to scan your projects for vulnerable regexes and google/re2 for a fast regex implementation. Also, the re.DEBUG flag can be useful in identifying dangerous nested patterns, H/T Martín Obiols.
Regexper can be used to visualize regexes, and this regex visualizer, simulator and cross-compiler tool by Robert Elder Software is a neat tool that walks you through each step of the match.
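As an added worked example (not code from Jamie's cheat-sheet or from vuln-regex-detector), here is a small Python check that reads the same parse tree re.DEBUG prints and flags a regex whenever an unbounded quantifier (`*`, `+`, `{n,}`) sits inside another unbounded quantifier, the shape behind classic catastrophic backtracking like `(a+)+`. It also shows a fail-closed matching wrapper. The sample patterns are constructed, and the star-height rule is deliberately a cheap heuristic.

```python
"""Heuristic static ReDoS check: flag an unbounded quantifier (*, +, {n,})
nested inside another unbounded quantifier, the "star height > 1" shape behind
classic catastrophic backtracking such as (a+)+ or (\d+\s*)*. The parse tree
comes from Python's own regex parser, the one re.DEBUG prints."""
import re

try:                                   # Python 3.11+: the parser is re._parser
    from re import _parser as sre_parse
except ImportError:                    # Python <= 3.10
    import sre_parse

UNBOUNDED = sre_parse.MAXREPEAT        # sentinel for "no upper bound"
BACKTRACKING_REPEATS = {"MAX_REPEAT", "MIN_REPEAT"}   # greedy / lazy; possessive cannot backtrack


def _opname(op):
    # Opcodes are int subclasses carrying a .name such as "MAX_REPEAT"
    return getattr(op, "name", str(op))


def _walk(subpattern, depth, findings):
    """Visit the parse tree. depth = number of enclosing unbounded backtracking
    repeats; every unbounded repeat met at depth >= 1 is recorded."""
    for op, arg in subpattern:
        name = _opname(op)
        if name in BACKTRACKING_REPEATS or name == "POSSESSIVE_REPEAT":
            _lo, hi, body = arg
            nests = name in BACKTRACKING_REPEATS and hi == UNBOUNDED
            if nests and depth >= 1:
                findings.append(depth + 1)
            _walk(body, depth + (1 if nests else 0), findings)
        elif name == "SUBPATTERN":                # (...) and (?:...): body is the last element
            _walk(arg[-1], depth, findings)
        elif name == "BRANCH":                    # a|b : arg is (None, [alt, alt, ...])
            for alt in arg[1]:
                _walk(alt, depth, findings)
        elif name in ("ASSERT", "ASSERT_NOT"):    # lookaround: arg is (direction, body)
            _walk(arg[1], depth, findings)
        elif name == "ATOMIC_GROUP":              # (?>...) on 3.11+
            _walk(arg, depth, findings)
        # LITERAL, IN, ANY, AT, GROUPREF, ... are leaves
    return findings


def nested_unbounded_repeats(pattern):
    """Nesting depths (>= 2) of unbounded repeats that sit inside another one."""
    return _walk(sre_parse.parse(pattern), 0, [])


def is_suspicious(pattern):
    return bool(nested_unbounded_repeats(pattern))


MAX_INPUT_LEN = 10_000


def safe_fullmatch(pattern, subject, max_len=MAX_INPUT_LEN):
    """Fail closed: refuse over-long input and flagged patterns before the
    backtracking engine sees them, so a bad regex errors instead of spinning."""
    if len(subject) > max_len:
        raise ValueError("input too long to match safely")
    if is_suspicious(pattern):
        raise ValueError("regex has nested unbounded quantifiers: %r" % pattern)
    return re.fullmatch(pattern, subject) is not None


def rejects(pattern, subject):
    """True if safe_fullmatch refuses the (pattern, subject) pair."""
    try:
        safe_fullmatch(pattern, subject)
    except ValueError:
        return True
    return False


# Constructed sample: the kind of patterns a scan of a code base turns up.
SAMPLE_PATTERNS = {
    "nested_plus":   r"^(a+)+$",                    # classic: exponential on "aaaa...!"
    "digits_spaces": r"^(\d+\s*)*$",                # \d+ and \s* both unbounded inside *
    "dotted_quad":   r"^(\d{1,3}\.){3}\d{1,3}$",    # every repeat bounded: fine
    "email_ish":     r"^[\w.+-]+@[\w-]+\.[\w.-]+$",  # sequential repeats, no nesting: fine
    "alternation":   r"^(a|aa)+$",                  # exponential via ambiguity; heuristic misses it
}


def scan(patterns):
    """Name -> flagged, like a scan over a project's regexes."""
    return {name: is_suspicious(p) for name, p in patterns.items()}
```

The last sample shows the limit of this rule: `(a|aa)+` blows up through ambiguous alternation rather than nesting, which is exactly the kind of case vuln-regex-detector's dynamic probing exists for. Treat the star-height check as a cheap pre-commit gate, and reach for RE2 (linear time, no backtracking) when untrusted input has to hit a regex at all.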
OAuth
Introducing the OAuth 2.0 Flow Simulator
Nifty web app by Philippe De Ryck that allows you to walk through OAuth 2.0 and OpenID Connect flows step-by-step, making backchannel requests visible, and showing frontchannel requests without you needing to dig through your browser’s developer tools.
OAuth 2.0 Playground
Similarly, helps you understand the OAuth authorization flows and shows each step of the process of obtaining an access token. Choose from several potential OAuth flows: authorization code, PKCE, implicit, device code, or OpenID Connect.
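To make the steps those simulators show concrete, here is an added example (not code from the OAuth 2.0 Flow Simulator or the Playground) that runs the authorization code + PKCE flow with a toy client and a toy authorization server in one process, so every front-channel redirect and back-channel token request is a plain dict or URL you can inspect. The endpoints and client ID are hypothetical and nothing touches the network.

```python
"""Authorization code flow with PKCE (RFC 7636, S256), both parties in-process
so every front-channel redirect and back-channel token request is visible."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints: nothing here touches the network.
AUTHZ_ENDPOINT = "https://as.example/authorize"
REDIRECT_URI = "https://client.example/cb"


def b64url(raw):
    """base64url without padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256(code_verifier):
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def query_dict(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class Client:
    """Public client (SPA or native app): no client secret, so PKCE binds the
    authorization code to whoever started the flow."""

    def __init__(self, client_id):
        self.client_id = client_id
        self.state = self.verifier = None

    def authorization_url(self):
        # Fresh per flow: state guards the redirect against CSRF, the verifier
        # guards the code against interception and injection.
        self.state = b64url(secrets.token_bytes(16))
        self.verifier = b64url(secrets.token_bytes(32))     # 43 chars, within 43..128
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": REDIRECT_URI,
            "scope": "openid profile",
            "state": self.state,
            "code_challenge": s256(self.verifier),           # only the hash leaves the client
            "code_challenge_method": "S256",
        }
        return AUTHZ_ENDPOINT + "?" + urlencode(params)     # front channel (browser)

    def handle_redirect(self, redirect_url):
        """Browser lands on redirect_uri: check state, build the back-channel token request."""
        q = query_dict(redirect_url)
        if q.get("state") != self.state:
            raise ValueError("state mismatch: response does not belong to this flow")
        if "error" in q:
            raise ValueError("authorization failed: " + q["error"])
        return {
            "grant_type": "authorization_code",
            "code": q["code"],
            "redirect_uri": REDIRECT_URI,
            "client_id": self.client_id,
            "code_verifier": self.verifier,
        }


class AuthorizationServer:
    def __init__(self):
        self.codes = {}   # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, url):
        """User consents; reply is a redirect carrying a one-time code and the echoed state."""
        q = query_dict(url)
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            return REDIRECT_URI + "?" + urlencode({"error": "invalid_request", "state": q.get("state", "")})
        code = b64url(secrets.token_bytes(24))
        self.codes[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def token(self, form):
        """Back channel: redeem the code once, bound to client, redirect_uri and verifier."""
        entry = self.codes.pop(form.get("code"), None)          # pop => single use
        if entry is None:
            return {"error": "invalid_grant"}
        client_id, redirect_uri, challenge = entry
        if (form.get("client_id"), form.get("redirect_uri")) != (client_id, redirect_uri):
            return {"error": "invalid_grant"}
        if not secrets.compare_digest(s256(form.get("code_verifier", "")), challenge):
            return {"error": "invalid_grant"}                   # verifier does not hash to the challenge
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer", "expires_in": 3600}


def run_flow(client, server, tamper=None):
    """One full flow; `tamper` mutates the token request to show a failure case."""
    form = client.handle_redirect(server.authorize(client.authorization_url()))
    if tamper:
        tamper(form)
    return server.token(form)


def demo():
    """Happy path plus the three failures a step-by-step simulator lets you watch."""
    server = AuthorizationServer()
    ok = run_flow(Client("spa-demo"), server)
    wrong_verifier = run_flow(Client("spa-demo"), server, lambda f: f.update(code_verifier="A" * 43))
    c = Client("spa-demo")
    form = c.handle_redirect(server.authorize(c.authorization_url()))
    server.token(form)                                          # first redemption succeeds
    replay = server.token(form)                                 # second must fail
    c2 = Client("spa-demo")
    foreign = server.authorize(c2.authorization_url()).replace(c2.state, "evil")
    try:
        c2.handle_redirect(foreign)
        state_rejected = False
    except ValueError:
        state_rejected = True
    return {"ok": "access_token" in ok, "wrong_verifier": wrong_verifier,
            "replay": replay, "state_rejected": state_rejected}
```

`demo()` walks the happy path and then the three things worth watching in any simulator: a token request with the wrong `code_verifier`, a replayed authorization code, and a redirect whose `state` does not match the flow the client started.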
Web Security
qazbnm456/awesome-web-security
A massive list of web security resources by Boik.
Cloud Security
New tool detects AWS intrusions where hackers abuse self-replicating tokens
CyberArk and NetSPI have found that some attackers are now sneakily hiding their persistence by using the AWS Security Token Service (STS) to continually create short-lived tokens they can use. Omer Tsarfati has open sourced SkyWrapper, a tool that generates a spreadsheet that lists all the currently active temporary tokens and the access keys that were used to create them.
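As an added example of the kind of check SkyWrapper performs (not SkyWrapper's own code), the script below links each temporary access key in CloudTrail records to the key that minted it, flags chains in which a temporary key minted another temporary key, and lists which minted keys are still active at a chosen instant, which is the spreadsheet view the tool produces. The CloudTrail-like records are constructed and carry only the fields the check reads; real records may write `expiration` in a different timestamp format, so adjust `parse_time` to match.

```python
"""Spot temporary AWS credentials that were minted by other temporary
credentials (a token chain) in CloudTrail records, and list which of the
minted credentials are still live at a chosen instant."""
import json
from datetime import datetime, timezone

STS_MINTING_CALLS = {"AssumeRole", "GetSessionToken", "GetFederationToken"}

# Constructed CloudTrail-like records: only the fields this check reads are
# present, and `expiration` is written in ISO 8601 for simplicity.
SAMPLE_TRAIL = r"""
{"eventTime":"2020-07-24T10:00:00Z","eventSource":"sts.amazonaws.com","eventName":"GetSessionToken","userIdentity":{"type":"IAMUser","userName":"alice","accessKeyId":"AKIAEXAMPLEALICE"},"responseElements":{"credentials":{"accessKeyId":"ASIAEXAMPLE0001","expiration":"2020-07-25T10:00:00Z"}}}
{"eventTime":"2020-07-24T10:05:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","userIdentity":{"type":"IAMUser","userName":"alice","accessKeyId":"ASIAEXAMPLE0001"},"responseElements":{"credentials":{"accessKeyId":"ASIAEXAMPLE0002","expiration":"2020-07-24T11:05:00Z"}}}
{"eventTime":"2020-07-24T10:10:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/Example/alice","accessKeyId":"ASIAEXAMPLE0002"},"responseElements":{"credentials":{"accessKeyId":"ASIAEXAMPLE0003","expiration":"2020-07-24T23:00:00Z"}}}
{"eventTime":"2020-07-24T12:00:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","userIdentity":{"type":"IAMUser","userName":"bob","accessKeyId":"AKIAEXAMPLEBOB"},"responseElements":{"credentials":{"accessKeyId":"ASIAEXAMPLEBOB1","expiration":"2020-07-24T22:00:00Z"}}}
{"eventTime":"2020-07-24T12:30:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/Example/alice","accessKeyId":"ASIAEXAMPLE0003"},"responseElements":null}
"""


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def credential_lineage(events):
    """Map each minted temporary access key to the key and principal that created it."""
    lineage = {}
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") not in STS_MINTING_CALLS:
            continue
        creds = (ev.get("responseElements") or {}).get("credentials") or {}
        child = creds.get("accessKeyId")
        if not child:
            continue
        ident = ev.get("userIdentity", {})
        lineage[child] = {
            "parent": ident.get("accessKeyId"),
            "principal": ident.get("userName") or ident.get("arn"),
            "call": ev["eventName"],
            "time": ev["eventTime"],
            "expiration": creds.get("expiration"),
        }
    return lineage


def is_temporary(key):
    return bool(key) and key.startswith("ASIA")   # long-term IAM keys start with AKIA


def chain_to_root(lineage, key):
    """Walk parent links back to the long-term credential that started the chain."""
    chain, seen = [key], {key}
    while chain[-1] in lineage:
        parent = lineage[chain[-1]]["parent"]
        if not parent or parent in seen:
            break
        chain.append(parent)
        seen.add(parent)
    return chain[::-1]


def replicating_chains(lineage, min_hops=2):
    """Root-to-leaf chains where a temporary key minted another temporary key."""
    parents = {meta["parent"] for meta in lineage.values()}
    chains = []
    for key in lineage:
        if key in parents:            # only report from the newest link of each chain
            continue
        chain = chain_to_root(lineage, key)
        if len(chain) - 1 >= min_hops and any(is_temporary(k) for k in chain[:-1]):
            chains.append(chain)
    return chains


def active_report(lineage, now):
    """Rows for every minted key that has not expired at `now` (the spreadsheet view)."""
    rows = []
    for key, meta in sorted(lineage.items()):
        exp = meta["expiration"]
        if exp and parse_time(exp) > now:
            rows.append({"key": key, "minted_by": meta["parent"], "principal": meta["principal"],
                         "call": meta["call"], "expires": exp})
    return rows


def run_sample(now="2020-07-24T15:00:00Z"):
    lineage = credential_lineage(load_events(SAMPLE_TRAIL))
    return replicating_chains(lineage), active_report(lineage, parse_time(now))
```

On the sample, alice's long-term key mints a session token that mints a role session that mints another, which is the chain to investigate, while bob's single hop from a long-term key is normal and stays quiet. Feeding this real CloudTrail means walking many log files; the lineage map is what lets you answer "which key created this one?" when the first link in the chain has long since expired.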
So I Heard You Want to Learn Kafka
Great overview post by Marco Lancini on what Kafka is and how it works, enabling transport layer encryption, authentication and authorization options, and more.
Introducing The CIS Amazon EKS Benchmark
The CIS Amazon EKS Benchmark consists of four sections on control plane logging configuration, node security configurations, policies and managed services. See also CIS EKS Benchmark Assessment Using kube-bench.
(Figure: the AWS shared responsibility model for Amazon EKS using self-managed nodes and AWS Fargate.)
Introducing the State of Open Source Terraform Security Report
Bridgecrew scanned all 2.6K modules in the public Terraform Registry using their open source tool, Checkov, which currently contains 300 compliance and security checks across AWS, Azure, and Google Cloud.
Network Security
RustScan: Faster Nmap Scanning with Rust
Tool by Brandon Skerritt that can scan all 65K ports in 8s and then easily pipe them into nmap. Also, the README throws some shade 🤣
Red Team
Sinking U-Boots with Depthcharge
Depthcharge by Jon Szymaniak is an extensible Python 3 toolkit designed to aid security researchers when analyzing a customized, product-specific build of the U-Boot bootloader. This blog post details the motivations for Depthcharge’s creation, highlights some key features, and exemplifies its use in a “tethered jailbreak” of a smart speaker that leverages secure boot functionality.
yeyintminthuhtut/Awesome-Red-Teaming
List of red teaming resources by @yeyint_mth covering initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, command and control, device hacking, red team gadgets, ebooks, training, and certs.
Reverse Engineering
Battelle Publishes Open Source Binary Visualization Tool
The newly released CantorDust Ghidra plugin enables the rapid visualization of unknown binary data, reducing the burden on digital forensics and reverse engineering teams.
frida/cryptoshark
“Self-optimizing cross-platform code tracer based on dynamic recompilation, powered by Frida and Capstone. Works at the machine code level, no source code needed. Tags threads based on which APIs they use, showing you in real-time what functions have been called, allowing you to study them by carefully injecting logging and other side-effecty code.”
Politics / Privacy
Can you spot deep fake people?
Fascinating Twitter thread by Raphael Satter of examples of the types of artifacts and tells current GANs have when generating people’s faces.
OSINT
yogeshojha/rengine
An automated reconnaissance framework meant for gathering information during a web app pen test, by Yogesh Ojha. reNgine has customizable scan engines, which can be used to scan websites, endpoints, and gather info.
Misc
The best way to predict the future is to invent it.
Magnetic Fields: Find a central metaphor that’s so good that everything aligns to it. Design meetings are no longer necessary, it designs itself. The metaphor should be crisp and fun.
Turn up your nose at good ideas. You must work on great ideas, not good ones.
Better is the enemy of best
Relative judgements have no place in art
Systems programmers are high priests of a low cult
Point of view is worth 80 IQ points
Good ideas don’t often scale
Final advice: Content over form, go for fun.
An OSCP Exam Report Template in Markdown
Compiles to a nice PDF using Pandoc, by @noraj_rawsec.
If you need a tool, buy the cheapest one you can find. If it’s inadequate, or breaks, or you use it a lot, then buy the best one you can afford.
If you follow this strategy, you’ll sometimes waste a little money by buying a cheap tool before buying a good one. But you won’t waste money buying expensive tools that you rarely use. And you won’t waste money by buying a sequence of incrementally better tools until you finally buy a good one.
Refinement Types and Program Synthesis, Featuring Nadia Polikarpova
Last week I wrote a summary of a new Twitch stream (PLTalk) by Jean Yang and Hongyi Hu on making academic-y programming languages research more accessible. This week I was thrilled to see that my friend Quinn Wilton has started a newsletter where she will be summarizing the PLTalk videos.
Reverse Threat Modeling for Pursuing Attribution
Daniel Miessler on determining potential actors behind attacks based on who benefits from outcome.
Convert your photos to anime characters
With an AI GAN image-to-image translator (paper, source code).
I probably need to choose a pic with a less busy background and maybe less soft focus, but still interesting to see.
📚 How to Use the Bucket Brigade to Secure Your Public AWS S3 Buckets
Awesome post by Adam Youngberg on how Databricks secures their public S3 buckets, and they’ve open sourced their solution.
The first step is to have a solid asset inventory (which I think is so important that I included it as one of my 3 “fundamentals” in my most recent scaling security talk, along with vulnerability management and continuous scanning): determine all public S3 buckets. This can be done with Lyft’s Cartography tool or the commercial JupiterOne.
Do we have non-public files in intentionally public buckets?
For this, they repurpose Níels Ingi’s YAR tool, except instead of scanning GitHub repos for secrets, they spin up EC2 instances, synchronize the bucket contents, and scan them with YAR + additional patterns specific to their secrets.
Keeping buckets from becoming unintentionally public
They leverage Cloud Custodian, a real-time cloud security, governance, and management tool that uses AWS Lambda functions and CloudWatch events to detect changes to configuration.
They added a Cloud Custodian policy to automatically enable AWS public access blocks for buckets exposed publicly through any access control lists (ACLs).
If dev teams want an exception, they must follow an internal policy and process for intentionally public buckets that requires this functionality to remain disabled.
In short: they use JupiterOne for alerting on publicly accessible buckets, and Cloud Custodian for enforcement.
What if non public data gets later added to existing public buckets?
It’s not enough to evaluate at a single point in time whether the contents of a public bucket are safe; ideally you want real-time alerting if that were ever to change in the future.
Any time bucket objects are created or updated, an S3 event is triggered that goes to an SQS queue. Lambda functions then process these events, inspecting each file for secrets using pattern matching similar to the YAR method.
If any matches are found, the output is sent to an alert queue, which the security team receives results from in near real-time.
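The scanning step, as an added example (not code from the bucket-brigade repo): an SQS-triggered Lambda that pulls each newly created object, runs a few illustrative secret patterns over it, and pushes hits to an alert queue. The sample event, the in-memory objects and the `ALERT_QUEUE_URL` environment variable are constructed; boto3 is imported only inside the real entry point so the offline sample runs without the AWS SDK.

```python
"""Secret scan for objects newly written to a public bucket, fed by S3 event
notifications delivered through SQS (the S3 -> SQS -> Lambda pipeline above)."""
import json
import os
import re
import urllib.parse

# Illustrative patterns; a real deployment adds ones for its own secret formats.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
}
MAX_SCAN_BYTES = 5 * 1024 * 1024   # skip oversized objects instead of timing out the Lambda


def scan_text(text):
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(text))


def objects_from_sqs_event(sqs_event):
    """Yield (bucket, key, size) for every S3 record inside every SQS message."""
    for msg in sqs_event.get("Records", []):
        for rec in json.loads(msg["body"]).get("Records", []):
            if not rec.get("eventName", "").startswith("ObjectCreated:"):
                continue
            s3 = rec["s3"]
            # S3 URL-encodes object keys in notifications ("a b.txt" -> "a+b.txt")
            key = urllib.parse.unquote_plus(s3["object"]["key"])
            yield s3["bucket"]["name"], key, int(s3["object"].get("size", 0))


def handle(sqs_event, fetch_object, alert):
    """Core logic with I/O injected: fetch_object(bucket, key) -> bytes,
    alert(finding) delivers to the alert queue. Returns the findings."""
    findings = []
    for bucket, key, size in objects_from_sqs_event(sqs_event):
        if size > MAX_SCAN_BYTES:
            finding = {"bucket": bucket, "key": key, "patterns": [], "skipped": "too large"}
        else:
            text = fetch_object(bucket, key).decode("utf-8", errors="replace")
            hits = scan_text(text)
            if not hits:
                continue
            finding = {"bucket": bucket, "key": key, "patterns": hits}
        alert(finding)
        findings.append(finding)
    return findings


def lambda_handler(event, context):
    """Real entry point: the same logic wired to boto3 (imported lazily so the
    offline sample needs no AWS SDK). ALERT_QUEUE_URL is a hypothetical env var."""
    import boto3
    s3, sqs = boto3.client("s3"), boto3.client("sqs")
    queue_url = os.environ["ALERT_QUEUE_URL"]
    return handle(
        event,
        fetch_object=lambda b, k: s3.get_object(Bucket=b, Key=k)["Body"].read(),
        alert=lambda f: sqs.send_message(QueueUrl=queue_url, MessageBody=json.dumps(f)),
    )


# Constructed sample: one SQS message carrying two S3 ObjectCreated records.
# The embedded key ID is made up and non-functional.
SAMPLE_OBJECTS = {
    ("public-assets-example", "configs/app settings.json"):
        b'{"aws_access_key_id": "AKIAEXAMPLE123456789", "region": "us-east-1"}',
    ("public-assets-example", "img/logo.svg"):
        b"<svg xmlns='http://www.w3.org/2000/svg'></svg>",
}


def s3_record(bucket, key, size):
    return {"eventName": "ObjectCreated:Put",
            "s3": {"bucket": {"name": bucket},
                   "object": {"key": urllib.parse.quote_plus(key, safe="/"), "size": size}}}


SAMPLE_SQS_EVENT = {"Records": [{"body": json.dumps(
    {"Records": [s3_record(b, k, len(v)) for (b, k), v in SAMPLE_OBJECTS.items()]})}]}


def run_sample():
    """Run the handler against the constructed event with an in-memory object store."""
    alerts = []
    return handle(SAMPLE_SQS_EVENT, lambda b, k: SAMPLE_OBJECTS[(b, k)], alerts.append)
```

Two details matter in practice: object keys arrive URL-encoded in the notification, so decode them before calling `GetObject`, and a size cap keeps one multi-gigabyte upload from stalling the queue; an oversized object is reported as skipped rather than silently passed.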
Making this work in the Real World
So far, technically, this approach sounds great.
But rolling out changes like this also involves things that are crucial to getting buy-in in your company, and the post and repo address those too, which is what takes this post from “oh this is cool” to 🔥🔥 (yes, the elusive double fire).
Specifically:
How do you address ownership and dependencies between resources?
And how do you message these changes to the rest of the org?
The repo includes email templates, both for leadership and for a broader audience, about the Cloud Custodian public access block and owner tag enforcement.
Nailing the workflow/process and communicating the changes to the rest of your company are key, so the fact that the post and repo share details about these components is 👌 in my book.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them
🙏
Thanks for reading!
Cheers,
Clint