[tl;dr sec] #59 - NAT Slipstreaming, Widespread Injection in GitHub Actions, Greppable Secrets

Hi there,

I hope you’ve been doing well! If you’re also based out of the U.S., I bet you’ve had a nice, relaxing week 😅

If you didn’t see it last week, I was quoted in an article on Portswigger’s The Daily Swig, which was pretty cool! I’ve enjoyed reading The Daily Swig for awhile, so it was pretty neat (/strange) to see my name there.

Utah Billboard, Part Deux

In tl;dr sec #57 I mentioned that I saw what might very well be the best billboard in existence during my trip to Utah. Unfortunately, I wasn’t able to take a photo, and I wasn’t able to find one online after (literally) over an hour of searching.

I think you know where this is heading.

In what is probably the best thing that’s happened to me from starting this newsletter to date, tl;dr sec reader Daniel McGowan happens to live nearby this billboard and took a photo!

Daniel- you are a gentleman, scholar, and all-around hero 🙏

Enjoy.

AppSec

Fine-tune access to external actions
GitHub users now have greater control over the external GitHub actions they allow. You can limit to GitHub-authored actions, actions by GitHub-verified authors, or by creating an explicit allow list of specific actions.

Github: Widespread injection vulnerabilities in Actions
By Project Zero’s Felix Wilhelm: re: set-env- “The big problem with this feature is that it is highly vulnerable to injection attacks. As the runner process parses every line printed to STDOUT looking for workflow commands, every Github action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed. I’ve spent some time looking at popular Github repositories and almost any project with somewhat complex Github actions is vulnerable to this bug class.”

enaqx/awesome-pentest
Pretty massive list of books, resources, and tools by Nick Raienko about topics including malware analysis, exfiltration, exploit development, hash cracking, network reconnaissance/replay/editing, WiFi attacks, proxies, network and web vulnerability scanners, and more.

Switching “sides” in security
Joern Schneeweisz describes his perspective on moving from many years as an external security consultant to inhouse security at GitLab. Some useful perspective if you’re a pen tester and have considered joining an internal AppSec team.

My Friends Be Writin’

Alice and Bob Learn Application Security
My friend Tanya Janca’s first book is now shipping! 🚀 That’s super exciting, big congrats to her! Tanya has done security training at conferences and for companies around the world. If you want to learn application security or want a nice intro to security in a modern SDLC, might be worth taking a look.

Effective C: An Introduction to Professional C Programming
At NCC Group, I took a C Secure Code Review training from Robert Seacord. If you’re not familiar, he’s written a few books about it. I learned two key lessons from his training: 1) Robert knows more arcana and incantations than any wizard of yore, and 2) I will never be able to write secure C. If you regularly read or write C, you might want to check this No Starch book out.

Web Security

wagiro/BurpBounty
Burp Suite extension by Edu Garcia that lets you easily add new passive and active scanner checks via a GUI inside Burp. Ekoparty 2020 slides.

NAT Slipstreaming
As always, some neat research by Samy Kamkar: “NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing the victim’s NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website.”

I believe Samy gave an earlier version of this research as a ShellCon 2019 keynote (video). I recommend watching it if you have some time because it’s a nice example of a talk that’s both deeply technical and funny.

Cloud Security

AWS Config Conformance Pack Repository
By @asecure.cloud: A collection of “packs” composed of AWS Config rules and remediation actions that can be easily deployed as a single entity in an AWS account and a region, including compliance standards (NIST 800-53, HIPAA, FedRAMP), and operational best practices (serverless, AI and ML, asset management, and more).

The state of Attribute Based Access Control (ABAC) on AWS
By Scott Piper: “Two years ago (2018), AWS announced new conditions keys aws:PrincipalTag and aws:RequestTag, and started to push the concept of Attribute Based Access Control (ABAC). This post will describe what this is, the difficulties with implementing this strategy, and what AWS needs to do for customers to be successful with this concept.”

Politics / Privacy

A Researcher’s Guide to Some Legal Risks of Security Research
31 page PDF by Sunoo Park and Kendra Albert of Harvard Law School: “This guide is intended for non-lawyers interested in getting a general idea of when U.S. law can create legal risk for security researchers.” Mentions the CFAA, copyright law, DMCA, and more.

Misc

nidhaloff/igel
By Nidhal Baccouri: “A delightful machine learning tool that allows you to train/fit, test and use models without writing code.” Uses pandas in the background for data manipulation/preprocessing and sklearn for ML (regression, classification, and clustering). Specify what you’re looking to do via JSON or YAML.

Weird AI Yankovic: Generating Parody Lyrics
“Lyrics parody swaps one set of words that accompany a melody with a new set of words, preserving the number of syllables per line and the rhyme scheme. Lyrics parody generation is a challenge for controllable text generation. We show how a specialized sampling procedure, combined with backward text generation with XLNet can produce parody lyrics that reliably meet the syllable and rhyme scheme constraints. We introduce the Weird AI Yankovic system and provide a case study evaluation. We conclude with societal implications of neural lyric parody generation.”

See also this Overfitting a capella music video about machine learning that parodies Michael Jackson’s Thriller.

BTS, K-Pop Stans Are Fighting QAnon and MAGA on Social Media
This week, on “article titles I never expected to see” 👆 2020, oh what a year. Basically, K-pop fans have been flooding hashtags like #WhiteLivesMatter and #QAnon, so users searching for those “instead found a rolling stream of video clips featuring Korean boy bands, their pelvises gyrating below their smoldering eyes and perfect pastel hair.”

📚 Further enhance security by easily automating your API token protection

Dynatrace’s Barbara Schachner describes how they’ve changed the structure of their API tokens, which now have three components, separated by a “.”:

1. A unique prefix (dt0c01): indicating it’s a Dynatrace API token.

2. A public portion: 24 characters that can be safely displayed in the UI and used for logging purposes.

3. A secret portion: 64 secret characters that should be treated like a password (not shown in the UI, redacted from logs, etc.).

There are a couple of things I really like about this:

• The API tokens are intentionally very structured (obvious prefix, exact length), so that they can effectively be caught in a high signal way via tools like pre-commit, git-secrets, or in CI. Dynatrace is also integrating with GitHub’s secret scanning service.

• The public portion provides a bit nicer troubleshooting UX, as it can be show in their web UI or in customer logs without worrying about potentially leaking a token to an attacker.

• And of course you need a secret part.

If your company creates API tokens for customers, I highly recommend leveraging this approach: make your token trivial to regex for (consistent length, obvious prefix). Your customers will thank you.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint