• tl;dr sec
  • Posts
  • [tl;dr sec] #63 - OWASP, Fuzzing, and a New 'AWS Swiss Army Knife' Tool by Netflix

[tl;dr sec] #63 - OWASP, Fuzzing, and a New 'AWS Swiss Army Knife' Tool by Netflix

New OWASP security testing guide and GraphQL cheat sheet, new fuzzing research, and a tool to ease administration of complex AWS environments.

Author

Clint Gibler
December 08, 2020

Hey there,

I hope you’ve been well!

‘Tis the Season to be Fuzzing

This week I came across a bunch of interesting fuzzing work. If you’re responsible for a fair amount of C and/or C++, fuzzing is a Good Idea.

As fate would have it, a friend at ForAllSecure, a company commercializing some neat research by David Brumley and colleagues at CMU, reached out about a Christmas giveaway they’re doing: 18 Gifts for the Fuzzing Pro in Your Life.

Check out 👆 to potentially win a free copy of the books “Fuzzing for Software Security Testing and Quality Assurance” by Ari Takanen, Jared DeMott, and Charlie Miller or “Core Software Security: Security at the Source” by Dr. James Ransome and Anmol Misra.

Workshop Friday!

I’m giving a workshop at the Open Security Summit on Friday about how to eliminate bug classes by blocking anti-patterns and enforcing secure defaults.

We’ll write a few Semgrep rules together, and then I’ll tweet out challenges live to this Twitter thread. The challenges will be designed to highlight various Semgrep features, so that afterwards you can easily write custom rules targeting those bad patterns specific to your company. You know the ones I’m talking about (knowing look).

Check out the workshop 👉 here 👈

The Power of Constraints

Constraints breed creativity.

High art forms, like the haiku and sonnet, place constraints on the number of syllables and meter the artist can use, yielding masterpieces like Shakespeare’s Sonnet 18:

Shall I compare thee to a summer’s day?

Thou art more lovely and more temperate

So long as men can breathe or eyes can see,

So long lives this, and this gives life to thee.

Another high art form, American country music, is similarly restrictive: every song must include a majority of the following: references to the country or back roads, your farm, your truck, your girl, a mandolin riff, etc.

I happened to stumble across this gem, Body Like A Back Road, by Sam Hunt.

Now me and her go way back, like Cadillac seats

Body like a back road, drivin’ with my eyes closed

I know every curve like the back of my hand

The way she fit in them blue jeans, she don’t need no belt

I managed to find the following Bingo card on Pinterest. Almost got it!

Lastly, speaking of constraints, I just wanted to give a quick call back to tl;dr sec 25, in which Devdatta Akhawe and I publicly committed to giving a Shakespeare-themed security at some point. I haven’t forgotten my friend 😉

Sponsor

📢 Secure Code Warrior: Donate for a Demo

Secure Code Warrior maximizes the security potential of every developer through hyper-relevant, real-time learning. Our secure code training platform helps coders and development teams learn how to write secure code from the beginning, meaning they will improve the quality and speed of their code writing and spend less time finding and fixing bugs. The developer-driven security movement is here to stay.

📜 In this newsletter...

🔗 Links:

  • OWASP: Web Security Testing Guide v4.2 released, GraphQL cheat sheet

  • AppSec: Interesting talks from BlackHat EU, an open benchmark of over 200 historical JS/TS CVEs

  • Cloud Security: New tool from Netflix to ease the management of multi-account AWS environments

  • Container Security: Generate RBAC role and binding objects from a Kubernetes audit log

  • Fuzzing: A fuzzing platform for embedded OS kernels, coverage-guided Python fuzzer by Google, fuzzing on GPUs

  • Red Team: New reverse engineering platform forked from radare2, building C2 implants in C++, state of the art in network pivoting

  • Politics / Privacy: Improving DNS privacy with Oblivious DNS over HTTP, FireEye's red team tools stolen, the gig economy is white people discovering servants

  • Misc: Ripgrep on non text files, EmacsConf 2020 videos

OWASP

Web Security Testing Guide v4.2 Released
Many new test additions, test scenarios, and more by core maintainers Rick Mitchell, Elie Saad, Rejah Rehim, and Victoria Drake, as well as other awesome contributors (release notes).

GraphQL Cheat Sheet
Nicely detailed guide covering topics including input validation, DoS prevention, access control, batching attacks, tools and other best practices. H/T @mackowski.

AppSec

Blackhat EU - The Virtual Edition
Daniel Cuthbert highlights a number of talks he’s excited about for BlackHat EU. A few that stuck out to me will be discussing North Korea’s nation state hacking chops, Gareth Heyes of Portswigger XSSing your PDFs, the GitHub Security Lab will be releasing a benchmark dataset of CVEs and the fix commits responsible (super useful and tons of work, props to them), and how to inject inaudible and invisible commands into the microphones of smart speakers, phones, and tablets, using LASERS! 😂 

Introducing the OpenSSF CVE Benchmark
Accurate benchmarking of SAST and DAST tools is very hard, as purposefully vulnerable apps often don’t reflect real code bases, and large, curated datasets of real world vulnerabilities are hard to come by.

Thankfully, Bas van Schaik and Kevin Backhouse of the GitHub Security Lab, in conjunction with the Open Source Security Foundation, have released a benchmark repo on GitHub with over 200 historical JavaScript/TypeScript vulnerabilities (CVEs) with associated metadata. A ton of work went into this, so it’s awesome that they’re sharing it with the community 🙌

Cloud Security

Netflix/consoleme
New tool from the Netflix cloud security team that “strives to be a multi-account AWS swiss-army knife, making AWS easier for your end-users and cloud administrators.”

  • Consolidates the management of multiple accounts into a single web UI.

  • Allows your end-users and admins to get credentials / console access to your different AWS accounts, depending on their authorization level.

  • Provides mechanisms for end-users and admins to both request and manage permissions for IAM roles, S3 buckets, SQS queues, and SNS topics.

  • A self-service wizard is also provided to guide users into requesting the permissions they desire.

Container Security

liggitt/audit2rbac
By Jordan Liggitt: “Takes a Kubernetes audit log and username as input, and generates RBAC role and binding objects that cover all the API requests made by that user.”

Fuzzing

airbus-seclab/gustave
By the Airbus Security Lab: A fuzzing platform for embedded OS kernels based on QEMU and AFL. It lets you fuzz OS kernels like simple applications.

Announcing the Atheris Python Fuzzer
Google has released Atheris, a coverage-guided fuzzer for finding bugs in Python code and native extensions. “One of the best uses for Atheris is for differential fuzzers. These are fuzzers that look for differences in behavior of two libraries that are intended to do the same thing.” For example, comparing how two libraries for resolving internationalized domain names behave.

Atheris is useful on pure Python code whenever you have a way of expressing what the “correct” behavior is - or at least expressing what behaviors are definitely not correct. This could be as complex as custom code in the fuzzer that evaluates the correctness of a library’s output, or as simple as a check that no unexpected exceptions are raised.

Let’s build a high-performance fuzzer with GPUs!
By Trail of Bits’ Ryan Eberhardt and Artem Dinaburg: “Can we use GPUs to get 10x performance/dollar when fuzzing embedded software in the cloud? Based on our preliminary work, we think the answer is yes!” See also their discussion on CppCast.

Red Team

Rizin: Free and Open Source Reverse Engineering Platform
Looks like some of the core radare2 maintainers had some differing opinions on the future of the project and decided to create this Rizin fork instead. “Provides a complete binary analysis experience with features like Disassembler, Hexadecimal editor, Emulation, Binary inspection, Debugger, and more.”

Building C2 Implants in C++: A Primer
Nice Gitbook by Shogun Lab covering designing command and control (C2) infrastructure, establishing a listening post, basic implant and tasking, and building a CLI client to interact with the listening post and implant.

State of the art of network pivoting in 2019
Alright, so you have an initial foothold on a target network, but what do you do next? Great post by Alexandre Zanni on many ways to gain further access to an internal network through a compromised machine, including SSH port forwarding, Metasploit, chisel (an HTTP tunnel), SOCKS proxies, and more.

Politics / Privacy

Improving DNS Privacy with Oblivious DoH in 1.1.1.1
“Today we are announcing support for a new proposed DNS standard — co-authored by engineers from Cloudflare, Apple, and Fastly — that separates IP addresses from queries, so that no single entity can see both at the same time.”

U.S. cybersecurity firm FireEye discloses breach, theft of hacking tools
Why do the hard work of building up significant red team capabilities when you can just steal them? 😆 “Red team tools were stolen as part of a highly sophisticated, likely ‘nation-state’ hacking operation. The stolen computer kit targets a myriad of different vulnerabilities in popular software products.” From the FireEye blog: “The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit.” List of countermeasures published to GitHub here.

This century the vaunted American middle class has bottomed out and the place has started to look more like the ‘developing’ world, with a definite underclass. However, lacking generations of feudal tradition and clinging to the myth of being a classless society, Americans couldn’t just bring servants into their homes. So venture capitalists did it for them.

What the technology has done is pool the servants, make them available to more people, make it easier to communicate tasks, and — most importantly — make it possible to not think of them as servants at all. If you strip away the hype and get to the core functionality, the gig economy is just a distributed servant class.

Misc

phiresky/ripgrep-all
Wraps ripgrep, the fastest grep-like tool, but enables it to search pdf, docx, sqlite, jpg, movie subtitles (mkv, mp4), etc.

EmacsConf 2020 Talks
I use a combination of VS Code for writing code and Emacs for note taking and TODOs (org-mode’s core functionality and ecosystem are crazy). Another thing I’ve started playing with is org-roam, which is an open source, org-mode based version of Roam Research, a trendy new note taking tool that aims to make it easy to follow the Zettelkasten Method (see Zettelkasten — How One German Scholar Was So Freakishly Productive). EmacsConf had a few talks on org-roam this year.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint