
[tl;dr sec] #57 - Bug Bounty Lessons Learned, Content Value Hierarchy, CloudSecDocs

1 year of a private bug bounty program, how to create high value content, and a great resource for cloud-native technologies.

Hey there,

I hope you’ve been doing well!

Utah Visit

Due to the Bay Area’s recent predisposition to literally be on fire, I took a short road trip to Utah. There I encountered:

  • Many Trump 2020 signs

  • Incredibly nice people

  • Awe-inspiring national parks

  • The best billboard ad I’ve ever seen

Midway through the trip I was on the highway, probably belting some showtune, when I came across a billboard that would measurably raise my overall life happiness.

On the surface, it was nondescript: just two plain colors, a standard font, and a picture of a well-decorated house interior. But I did not expect the text, which I swear to you, was the following:

From the windowwwws

to the walls

We’ll decorate your halls!

I did not expect to see a reference to a risqué rap song, deep in Mormon country 🤣

Now the billboard did not include this, but if they asked me, I’d recommend including the following to complete the chorus:

Aw sheets sheets Mormon brother

Aw sheets sheets, amen!

I’ve spent a non trivial amount of time trying to search for an image of this billboard, but for the life of me, I can’t find it.

Rock on, ye Utahan marketing genius 🤘🙏

📨 Voting

I hear all the cool kids are doing it.

If you haven’t already, you can find out more about voting and how to do it at vote.gov and www.usa.gov/how-to-vote.

Sponsor

📢 Secure Code Warrior

Secure Code Warrior helps developers think and act with a security mindset. Our secure code training platform helps coders and development teams build and verify their software security skills, gain real-time advice, and monitor skills development. Our gamified approach to learning makes it fun and engaging for your teams and stops ‘bad’ code from entering your Software Development Life Cycle pipeline in the first place - saving you serious dollars by reducing vulnerabilities and improving your overall software security. Get a free Yeti Tumbler when you book a demo of our platform!

📜 In this newsletter...

🔗 Links:

  • Web Security: A client-side prototype pollution scanner, training material on developing Burp extensions

  • Cloud Security: Collection of cloud-native resources, enumerating AWS API permissions without CloudTrail logs

  • Blue Team: 25 CVEs Chinese state actors are using, why tracking processes on Linux is hard, a collection of tools for analyzing/tracing Linux programs

  • Red Team: Python RDP MitM tool and library, compromising thick client applications that store creds in Vault, file stream oriented programming CTF walkthrough, script to help exfiltrating data via DNS

  • Politics / Privacy: New features for Signal Groups, U.S. files antitrust vs Google, senior intelligence officials believe Hunter Biden story is Russian disinfo

  • OSINT: Extensible framework for building your own web app scanner

  • Misc: The content value hierarchy, watch this page dynamically edit/style itself

📚 One Year With a Private Bug Bounty Program at FINN.no

Emil Vaagland shares some stats and concrete details.

Web Security

msrkp/PPScan
A client-side prototype pollution scanner by @s1r1u5_. Prototype pollution is basically when an attacker can influence unintended fields/values in JavaScript objects, in a sort of mass assignment-esque fashion through the __proto__ property. See Olivier Arteau’s whitepaper for more details, and this DailySwig post for a nice overview and some more recent work.
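To make the mechanism concrete, here is an added example (not code from PPScan or the original post): a naive recursive merge of the kind many utility libraries ship, beside a hardened version. The payload is constructed; `JSON.parse` turns its `"__proto__"` key into an own property, and the naive merge then walks through `target["__proto__"]`, which is `Object.prototype`, so every object in the process inherits the injected field.

```javascript
function isObject(v) {
  return v !== null && typeof v === "object";
}

// Vulnerable: trusts every key of the untrusted source object.
// When key is "__proto__", target[key] is Object.prototype, so the
// recursion writes the attacker's fields onto the global prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key]) && isObject(target[key])) {
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: refuse the three keys that reach the prototype chain, and
// only recurse into properties the target really owns (never inherited ones).
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const ownObject =
      Object.prototype.hasOwnProperty.call(target, key) && isObject(target[key]);
    if (isObject(source[key]) && ownObject) {
      safeMerge(target[key], source[key]);
    } else if (isObject(source[key])) {
      target[key] = safeMerge({}, source[key]); // copy, never alias untrusted input
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed payload, as it might arrive in a JSON request body.
const PAYLOAD = '{"name":"alice","__proto__":{"isAdmin":true}}';

// Merge the payload into a user record, then check a fresh, unrelated
// object: if it now reports isAdmin === true, the prototype was polluted.
function demo(mergeFn) {
  const user = mergeFn({ name: "guest", isAdmin: false }, JSON.parse(PAYLOAD));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo so the next run starts clean
  return { name: user.name, isAdmin: user.isAdmin, polluted };
}

console.log("unsafe:", demo(unsafeMerge)); // polluted: true
console.log("safe:  ", demo(safeMerge));   // polluted: false
```

Note that the merged `user` object itself still shows `isAdmin: false` in both runs, because its own property shadows the prototype; the damage only surfaces on other objects, which is why this bug class is easy to miss in testing.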

doyensec/burpdeveltraining
Doyensec has released the slides and code for their training: “Developing Burp Suite Extensions – From Manual Testing to Security Automation.”

Cloud Security

CloudSecDocs
Marco Lancini has collected and organized some great info and links about cloud-native technologies into one excellent resource.

Enumerate AWS API Permissions Without Logging to CloudTrail
Nick Frichette found a bug in the AWS API that allows you to enumerate certain permissions for a role without logging to CloudTrail. This lets pen testers and red teamers stealthily enumerate what permissions the role or user they’ve compromised has access to. The bug affects 645 different API actions across 40 different AWS services.

Blue Team

25 Ways Chinese State-Sponsored Actors Want to Exploit Your Systems
This NSA advisory lists 25 CVEs that are currently being used by Chinese state actors.

The Difficulties of Tracking Running Processes on Linux
Natan Yellin describes a number of potential approaches and their relative trade-offs.

brendangregg/perf-tools
“Performance analysis tools based on Linux perf_events (aka perf) and ftrace” by Brendan Gregg. Includes tools like execsnoop to trace process exec() with CLI argument details, opensnoop to trace open() syscalls showing filenames, and more. Useful for grokking what a program does. H/T William Bowling, who referenced the tool in his blog post: GitHub Pages - Multiple RCEs via insecure Kramdown configuration - $25,000 Bounty.

Red Team

GoSecure/pyrdp
A Python3 Remote Desktop Protocol (RDP) man-in-the-middle tool and library. Can watch connections live or after the fact. Blog post describing new features.

Segmentation Vault: Cloning Thick Client Access
Post by David Middlehurst: “In this blog we discuss a practical method for red teams to compromise thick client applications when they store credential material in “Vault”, using Microsoft OneDrive as an example. To enable access to OneDrive to be cloned we also present two tools that were subsequently developed that can be used in a C2 framework such as Cobalt Strike using execute-assembly.”

vp777/DNS-data-exfiltration
A Bash script that automates the exfiltration of data over DNS for when you have a blind command execution on a server where all outbound connections except DNS are blocked.

Politics / Privacy

New Features Coming to Signal Groups
“Today we’re releasing a new version of Signal groups that gives you a richer private group experience with group admins, granular permissions, @mentions and more.” Like nearly all of my security friends, Signal is my secure messaging app of choice, so it’s super exciting to see these improvements 🤘

United States v. Google
A deeper analysis by Stratechery, with interesting thoughts on Aggregation Theory, Google’s likely defense, and more. Ben Thompson’s Aggregation Theory article is fascinating, so I pulled some snippets here for easy reference.

Instead of trying to argue that Google should not make search results better, the Justice Department is arguing that Google, given its inherent advantages as a monopoly, should have to win on the merits of its product, not the inevitably larger size of its revenue share agreements. In other words, Google can enjoy the natural fruits of being an Aggregator, it just can’t use artificial means — in this case contracts — to extend that inherent advantage.

Hunter Biden story is Russian disinfo, dozens of former intel officials say
“More than 50 former senior intelligence officials have signed on to a letter outlining their belief that the recent disclosure of emails allegedly belonging to Joe Biden’s son ‘has all the classic earmarks of a Russian information operation.’” Exciting times 😅

OSINT

jaeles-project/jaeles
“A powerful, flexible and easily extensible framework written in Go for building your own Web Application Scanner” by Ai Ho. You specify the fingerprint of what you’re looking for in YAML; see the jaeles-signatures repo for examples. Seems fairly similar to Project Discovery’s nuclei.

Misc

The Content Value Hierarchy (CVH)
Neat post by my friend Daniel Miessler on the various levels of content creation and their value, and how to protect your podcast or newsletter from being cut when people hit content overload. The article calls out tl;dr sec, which is pretty cool 😎

strml.net
By Samuel Reed: I’m not sure how to describe this, but it’s awesome. You load the web page and it dynamically starts editing/styling itself while describing what it’s doing. Pretty neat to watch.

I appreciated that this post by Emil Vaagland had a number of concrete stats and details.

  • In its first year, FINN.no’s private HackerOne program has resulted in 221 reports, 129 of which received $55K divided among 31 researchers.

  • One of the most critical findings in their program resulted from a one-line configuration change, not new complex code.

    • Therefore: it’s not just massive new features or complex code that needs testing.

  • Shopify publishes monthly stats from their public bug bounty program on Twitter (example).

  • FINN’s rates: up to $150 for Lows, $300 for Mediums, $1,000 for Highs, $3,000 for Criticals.

    • The larger jump in payouts from Medium upward is meant to incentivize higher-impact reports and to compete with large programs for researcher talent.

  • They pay bounties on triage after an impact assessment, not once the bug is fixed.

  • Median triage time is about 45 minutes, and over 80% are triaged within one hour. This speed motivates hackers to continue testing FINN’s assets.

FINN, Visma, and Shopify’s data seem to confirm what is commonly believed: private programs tend to get higher-signal submissions - more valid bugs, fewer non-issues.

Comparing the signal (Resolved / Duplicate) to the noise (Not applicable / Informative) of 2 public programs (Shopify and Visma public) and 2 private programs (FINN and Visma private)

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint