[tl;dr sec] #62 - Leaking IAM Users and Roles, AI, and Exploiting Dynamic Renderers

Hey there,

I hope you’ve been doing well! I missed you, dear reader.

A Tryptophan-induced Reflection

Last week I did some reflecting. I have a lot to be thankful for, but I want to mention one thing in particular.

I wanted to share my writing online for a long time, but to be honest, I was scared to do it– don’t other people know more? Isn’t the Internet a Nasty and Mean Place?

But people have been really nice about tl;dr sec! 😱 I’ve been blown away by people’s kind words about how they find it useful, look forward to it, how it made them laugh in a meeting and get in trouble with their boss, and more.

This encouragement has frankly been key to me continuing, when it’s yet again 11:09pm on a Wednesday and I’m wrapping up another issue.

I wanted to share this anecdote because if you’re reading this and have been wanting to share your work- you should!

I know that you have knowledge that other people would love to read.

Write it down. Share it.

We’ll be glad you did.

Speaking Stuff

OWASP Israel - Tues, Dec 8th
I’ll be joining some cool speakers chatting about Kubernetes and XXE.

Empire Hacking - Tues, Dec 8th
After refocusing myself by meditating in a redwood forest, I’ll join Empire Hacking, an awesome meet-up by Trail of Bits.

As they’re also program analysis nerds, they’ve asked me to include more details on Semgrep internals and design decisions, so if you’re curious about how Semgrep works at a deeper level, this one will be good to check out.

Open Security Summit - Fri, Dec 11th
I’ll be giving a Semgrep workshop, where I’ll try something I’ve never done before! I’m going to live tweet Semgrep challenges (match this code, don’t match that code) and let people tweet back their solutions.

Should be fun! Or it may blow up in my face, we’ll see 😅 Keep an eye on @clintgibler if you want to join, hope to see you there!

Web Security

filedescriptor/untrusted-types
A Chrome extension by @filedescriptor that abuses Trusted Types to find DOM XSS by logging the stack trace of all sink calls and their changes to the DOM. If this sounds interesting, I highly recommend also checking out Tracy, a browser extension for web app pen testing by my friends Jake Heath and Michael Roberts, which to my knowledge is the best tool to trace user input in and out of web apps.

Exploiting dynamic rendering engines to take control of web apps
Dynamic rendering is a technique some web apps use to serve prerendered web site pages to crawlers (better SEO). r2c’s Vasilii Ermilov describes techniques to exploit common dynamic rendering tools (exfiltrating cloud metadata a la SSRF), how to fingerprint when sites are using dynamic rendering, and more. One of the attack chains described involves a series of nested requests that honestly hurts my brain, but is cool to read.

AI

DeepMind’s protein-folding AI has solved a 50-year-old grand challenge of biology
AlphaFold can predict the shape of proteins to within the width of an atom, which will help scientists design drugs and understand disease. “AlQuraishi thought it would take researchers 10 years to get from AlphaFold’s 2018 results to this year’s. This is close to the physical limit for how accurate you can get, he says.” More from DeepMind’s blog.

Top 5 AI Achievements of 2020
M Umer Mirza describes 5 topics/areas: 1) GPT-3, 2) AI-enabled healthcare and drug discovery, 3) graphics, animation, image and video processing, 4) motion and gestures, and 5) NVIDIA AI’s processing power.

GPT-3 vs. Existing Conversational AI Solutions
An overview of GPT-3, things it can do well (e.g. knowledge retrieval), limitations (inferred knowledge, knowing when it doesn’t know something), examples on why explainability is important in ML, and some pricing info.

A/B Test your Hacker News titles with AI before publishing
Enter two potential titles and it’ll recommend one. By Kimmo Ihanus.

Red Team

higatowa/bento
“A simple and minimal Docker container for penetration testers and CTF players. It has the portability of Docker with the addition of X, so you can also run GUI application (like Burp).” Currently includes: Burp Suite, gobuster, seclist, odat, impacket, sqlmap, sqlplus, mysql-client, openvpn, bytecode-viewer, Ghidra.

Cloud Security

cloudquery/cloudqueryEase monitoring, governance, and security by querying your cloud configuration and metadata as SQL.

nccgroup/s3_objects_checkBy NCC Group’s Xavier Garceau-Aranda: Whitebox evaluation of effective S3 object permissions to identify publicly accessible objects as well as objects accessible for AuthenticatedUsers (by using a secondary profile).

pre:Invent 2020Chris Farris describes 29 of the 279 pre:invent announcements he found interesting, covering AWS Organizations, new security tools, serverless, ElasticSearch, and DynamoDB. Also featuring an excellent banner image 🤣

IAMFinder: Open Source Tool to Identify Information Leaked from AWS IAM Reconnaissance
By Jay Chen of Palo Alto Networks:

Based on these findings, Unit 42 developed IAMFinder, an open source tool that currently implements APIs of four AWS services: S3, KMS, SQS, and IAM. With only the AWS account number of the targeted account, IAMFinder is able to identify users and roles in that environment.

Setting up personal G Suite backups on AWS
Scott Piper describes how he automates the backup of his Gmail and Google Drive to AWS. Tools referenced:

• GAM: a CLI tool for Google Workspace (fka G Suite) Administrators to manage domain and user settings quickly and easily

• got-your-back: a CLI tool for backing up your Gmail messages to your local computer, using Gmail’s API over HTTPS.

• Rclone: a CLI program to manage files on cloud storage.

Container Security

Scan Helm charts for Kubernetes misconfigurations with CheckovPost by Bridgecrew’s Matt Johnson. Checkov uses helm template to output the resulting Kubernetes manifests and scans those for insecure patterns (e.g. the CIS Kubernetes Benchmarks).

Politics / Privacy

Welcome to the new Middle Ages
This article argues that the recent rise in economic inequality, decline in social mobility, identity-based culture wars in politics, and more are not necessarily current bad trends, but rather, are historical norms.

OSINT

utkusen/urlhunter
Tool by Utku Şen that enables searching URLs that are exposed via shortener services such as bit.ly and goo.gl. Uses data from URLTeam, who continuously bruteforce URL shortener services and publish their results. If you pay attention closely, you might get a slight feel for how URLTeam feels about shorteners.

Misusing OSINT to claim election fraud
Imagine waking up one day and finding a security tool you built being horribly misused in court 😅 This is basically what happened to OSINT tool Spiderfoot’s author Steve Micallef. In short, someone scanned Dominion Voting’s domain name and used the results to support claims that the voting systems were accessible over the Internet and being controlled by foreign countries like Iran and China. Steve’s post nicely discusses how to cautiously and accurately use OSINT info and debunks a number of the case claims. In short:

Misc

Use the following git configuration to remap all HTTP(S) URLs to SSH
H/T Bence Nagy.

Protect domains that don’t send email
The UK government on how to make sure that domains that do not send email cannot be used for spoofing using SPF, DMARC, and DKIM.

Introducing Amazon Curate (I Wish)
One of the main reasons I started tl;dr sec is that I kept coming across really great work that not enough people had heard of. So I thought this faux AWS product by Daniel Miessler would be pretty awesome, and help address the challenge of surfacing great work done by (currently) relatively unknown creators.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler @tldrsec