[tl;dr sec] #63 - OWASP, Fuzzing, and a New 'AWS Swiss Army Knife' Tool by Netflix
New OWASP security testing guide and GraphQL cheat sheet, new fuzzing research, and a tool to ease administration of complex AWS environments.
I hope you’ve been well!
‘Tis the Season to be Fuzzing
This week I came across a bunch of interesting fuzzing work. If you’re responsible for a fair amount of C and/or C++, fuzzing is a Good Idea.
As fate would have it, a friend at ForAllSecure, a company commercializing some neat research by David Brumley and colleagues at CMU, reached out about a Christmas giveaway they’re doing: 18 Gifts for the Fuzzing Pro in Your Life.
Check out 👆 to potentially win a free copy of the books “Fuzzing for Software Security Testing and Quality Assurance” by Ari Takanen, Jared DeMott, and Charlie Miller or “Core Software Security: Security at the Source” by Dr. James Ransome and Anmol Misra.
I’m giving a workshop at the Open Security Summit on Friday about how to eliminate bug classes by blocking anti-patterns and enforcing secure defaults.
We’ll write a few Semgrep rules together, and then I’ll tweet out challenges live to this Twitter thread. The challenges will be designed to highlight various Semgrep features, so that afterwards you can easily write custom rules targeting those bad patterns specific to your company. You know the ones I’m talking about (knowing look).
Check out the workshop 👉 here 👈
The Power of Constraints
Constraints breed creativity.
High art forms, like the haiku and sonnet, place constraints on the number of syllables and meter the artist can use, yielding masterpieces like Shakespeare’s Sonnet 18:
Another high art form, American country music, is similarly restrictive: every song must include a majority of the following: references to the country or back roads, your farm, your truck, your girl, a mandolin riff, etc.
I happened to stumble across this gem, Body Like A Back Road, by Sam Hunt.
I managed to find the following Bingo card on Pinterest. Almost got it!
Lastly, speaking of constraints, I just wanted to give a quick call back to tl;dr sec 25, in which Devdatta Akhawe and I publicly committed to giving a Shakespeare-themed security talk at some point. I haven’t forgotten my friend 😉
📢 Secure Code Warrior: Donate for a Demo
Secure Code Warrior maximizes the security potential of every developer through hyper-relevant, real-time learning. Our secure code training platform helps coders and development teams learn how to write secure code from the beginning, meaning they will improve the quality and speed of their code writing and spend less time finding and fixing bugs. The developer-driven security movement is here to stay.
📜 In this newsletter...
OWASP: Web Security Testing Guide v4.2 released, GraphQL cheat sheet
AppSec: Interesting talks from BlackHat EU, an open benchmark of over 200 historical JS/TS CVEs
Cloud Security: New tool from Netflix to ease the management of multi-account AWS environments
Container Security: Generate RBAC role and binding objects from a Kubernetes audit log
Fuzzing: A fuzzing platform for embedded OS kernels, coverage-guided Python fuzzer by Google, fuzzing on GPUs
Red Team: New reverse engineering platform forked from radare2, building C2 implants in C++, state of the art in network pivoting
Politics / Privacy: Improving DNS privacy with Oblivious DNS over HTTP, FireEye's red team tools stolen, the gig economy is white people discovering servants
Misc: Ripgrep on non text files, EmacsConf 2020 videos
Web Security Testing Guide v4.2 Released
Many new test additions, test scenarios, and more by core maintainers Rick Mitchell, Elie Saad, Rejah Rehim, and Victoria Drake, as well as other awesome contributors (release notes).
Blackhat EU - The Virtual Edition
Daniel Cuthbert highlights a number of talks he’s excited about for BlackHat EU. A few that stuck out to me will be discussing North Korea’s nation state hacking chops, Gareth Heyes of Portswigger XSSing your PDFs, the GitHub Security Lab will be releasing a benchmark dataset of CVEs and the fix commits responsible (super useful and tons of work, props to them), and how to inject inaudible and invisible commands into the microphones of smart speakers, phones, and tablets, using LASERS! 😂
Introducing the OpenSSF CVE Benchmark
Accurate benchmarking of SAST and DAST tools is very hard, as purposefully vulnerable apps often don’t reflect real code bases, and large, curated datasets of real world vulnerabilities are hard to come by.
New tool from the Netflix cloud security team that “strives to be a multi-account AWS swiss-army knife, making AWS easier for your end-users and cloud administrators.”
Consolidates the management of multiple accounts into a single web UI.
Allows your end-users and admins to get credentials / console access to your different AWS accounts, depending on their authorization level.
Provides mechanisms for end-users and admins to both request and manage permissions for IAM roles, S3 buckets, SQS queues, and SNS topics.
A self-service wizard is also provided to guide users into requesting the permissions they desire.
Announcing the Atheris Python Fuzzer
Google has released Atheris, a coverage-guided fuzzer for finding bugs in Python code and native extensions. “One of the best uses for Atheris is for differential fuzzers. These are fuzzers that look for differences in behavior of two libraries that are intended to do the same thing.” For example, comparing how two libraries for resolving internationalized domain names behave.
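A differential harness in the shape an Atheris target takes, added here as an illustration and not code from Google or the Atheris project. It compares two standard-library IPv4 parsers (socket.inet_aton and ipaddress) rather than the IDNA libraries mentioned in the post, treats any disagreement as a finding, and falls back to a small constructed seed corpus when the atheris package is not installed.

```python
import ipaddress
import socket
import sys

try:
    import atheris  # Google's fuzzer; optional so the file also runs as a plain script
except ImportError:
    atheris = None

def parse_with_socket(text):
    """Lenient parser: inet_aton accepts shorthand such as '127.1'; None on rejection."""
    try:
        return socket.inet_aton(text)
    except (OSError, ValueError):  # ValueError covers embedded NUL bytes
        return None

def parse_with_ipaddress(text):
    """Strict parser: the ipaddress module; None on rejection."""
    try:
        return ipaddress.IPv4Address(text).packed
    except ValueError:
        return None

def compare(text):
    """Return None when both parsers agree, else the (socket, ipaddress) results."""
    a, b = parse_with_socket(text), parse_with_ipaddress(text)
    return None if a == b else (a, b)

def TestOneInput(data):
    """Atheris entry point: raising an exception is how a finding is reported."""
    text = data.decode("utf-8", errors="replace")[:64]
    if (diff := compare(text)) is not None:
        raise AssertionError(f"parsers disagree on {text!r}: {diff}")

def run_corpus(corpus):
    """Driver used when atheris is absent: return the inputs that triggered a finding."""
    findings = []
    for sample in corpus:
        try:
            TestOneInput(sample)
        except AssertionError:
            findings.append(sample)
    return findings

if __name__ == "__main__":
    if atheris is not None:
        atheris.Setup(sys.argv, TestOneInput)  # real Atheris API
        atheris.Fuzz()
    else:
        # Constructed seed corpus; only "127.1" is expected to split the parsers.
        print(run_corpus([b"127.0.0.1", b"127.1", b"256.1.1.1"]))
```

Under Atheris the same disagreement surfaces as a crash with the offending input saved to a reproducer file, which is the behaviour the quoted post describes for differential fuzzers.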
Let’s build a high-performance fuzzer with GPUs!
By Trail of Bits’ Ryan Eberhardt and Artem Dinaburg: “Can we use GPUs to get 10x performance/dollar when fuzzing embedded software in the cloud? Based on our preliminary work, we think the answer is yes!” See also their discussion on CppCast.
Rizin: Free and Open Source Reverse Engineering Platform
Looks like some of the core radare2 maintainers had some differing opinions on the future of the project and decided to create this Rizin fork instead. “Provides a complete binary analysis experience with features like Disassembler, Hexadecimal editor, Emulation, Binary inspection, Debugger, and more.”
Building C2 Implants in C++: A Primer
Nice Gitbook by Shogun Lab covering designing command and control (C2) infrastructure, establishing a listening post, basic implant and tasking, and building a CLI client to interact with the listening post and implant.
State of the art of network pivoting in 2019
Alright, so you have an initial foothold on a target network, but what do you do next? Great post by Alexandre Zanni on many ways to gain further access to an internal network through a compromised machine, including SSH port forwarding, Metasploit, chisel (an HTTP tunnel), SOCKS proxies, and more.
Politics / Privacy
Improving DNS Privacy with Oblivious DoH in 1.1.1.1
“Today we are announcing support for a new proposed DNS standard — co-authored by engineers from Cloudflare, Apple, and Fastly — that separates IP addresses from queries, so that no single entity can see both at the same time.”
U.S. cybersecurity firm FireEye discloses breach, theft of hacking tools
Why do the hard work of building up significant red team capabilities when you can just steal them? 😆 “Red team tools were stolen as part of a highly sophisticated, likely ‘nation-state’ hacking operation. The stolen computer kit targets a myriad of different vulnerabilities in popular software products.” From the FireEye blog: “The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit.” List of countermeasures published to GitHub here.
EmacsConf 2020 Talks
I use a combination of VS Code for writing code and Emacs for note taking and TODOs (org-mode’s core functionality and ecosystem are crazy). Another thing I’ve started playing with is org-roam, which is an open source, org-mode based version of Roam Research, a trendy new note taking tool that aims to make it easy to follow the Zettelkasten Method (see Zettelkasten — How One German Scholar Was So Freakishly Productive). EmacsConf had a few talks on org-roam this year.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!