• tl;dr sec
  • Posts
  • [tl;dr sec] #65 - Lesser Known AWS Attacks, Infra as Code Scanning, Template Injection Workshop

[tl;dr sec] #65 - Lesser Known AWS Attacks, Infra as Code Scanning, Template Injection Workshop

Scott Piper shares how he'd attack AWS, a survey of infra as code scanning tools, free workshop on server-side template injection.

Hey there,

I hope you’ve been doing well!

I had already written a general “I hope you had a relaxing and rejuvenating holiday break” intro, but that seems a bit strange to send when the Capitol has been stormed by terrorists concerned citizens with guns 😅 

Risk8s Business: Risk Analysis of Kubernetes Clusters

In case you missed it last issue, my friend Mark Manning published an excellent Kubernetes security guide.

Collab #2: Lost in The Cloud

Between sipping eggnog and caroling merrily (to my plants), this holiday break I was chatting with a super sharp friend, one thing led to another, and now tl;dr sec’s second guest post is live! 🎉

In celebration of the holidays and it being the second collaboration, tl;dr sec’s inhouse graphic designer (Çlińt) created:

If you’re not familiar with Scott Piper, he’s one of my favorite people to follow for the latest and greatest in AWS security. More info about the post below, but if you can’t wait, you can read it now here.


📢 AppSec Builders Podcast: Paving roads with development frameworks

In this episode of the AppSec Builders Podcast, JB Aviat, CTO of Sqreen, is joined by Ksenia Peguero, Sr Research Lead at Synopsys, for an in depth look at frameworks and the foundational effect they can have on the security of your application. They share concrete tips on choosing the best framework to increase your app security, how to perform a framework migration and how to spot and fix security blind spots in your frameworks.

📜 In this newsletter...

🔗 Links:

  • AppSec: Midwinter Night's Con recordings, why fixing a vulnerability in a big company (like Google) is hard

  • Web Security: Tool to find CORS misconfigs, 2 hour workshop on server-side template injection, demonstrating maximum impact on subdomain takeovers, a mapping of services to how to claim domains with dangling DNS records

  • Cloud Security: AWS' worst public security mistakes in 2020, infra as code scanning tool survey

  • Fuzzing: afl++ is afl + a bunch of features and patches

  • Politics / Privacy: Apple's app privacy labels have arrived

  • Definitely Not Scary Tech Advancements: Robots by Boston Dynamics dancing, DeepMind's latest AI can master game without being told their rules, France approves bionic cyborg soldiers

  • OSINT / Recon: Framework to analyze potential leaks from unstructured datasources, surveys of recon suites and subdomain tools

  • Misc: Don't just let life happen to you, pursue what truly makes you feel alive

📚 Lesser Known Techniques for Attacking AWS Environments

Awesome new post by Scott Piper covering initial access, recon, lateral movement, exfiltration, and defenses against each.


A Midwinter Night’s Con Playlist
There were a number of great talks, see the abstracts here.

Fixing a Google Vulnerability
“I reported a vuln, why won’t they fix it?!” This post by Dylan and Allison Donovan is an interesting behind the scenes look at the process behind getting a vulnerability fixed at a massive tech company (re: their GCP privilege escalation and lateral movement research presented at Black Hat and elsewhere). There are often competing interests even when everyone has the best intentions; for example: product managers tend to prioritize widespread adoption of their feature or product, new features, and not breaking backwards compatibility.

Web Security

Tool by Daniel Cuthbert’s Santander security team to find Cross-Origin Resource Sharing (CORS) misconfigurations.

Template Injection in Action
A 2-hour workshop in server-side template injection (SSTI) by GoSecure with 6 labs: how to identify template engines, and then exploiting template engines in PHP (Twig), Python (Jinja2, Tornado), and Java (Velocity, Freemarker).

Subdomain Takeover: Going for High Impact
Patrik Hudak describes how to demonstrate a maximum impact for subdomain takeovers using stored XSS on the victim domain, account takeover, CSRF, and authentication bypass.

A list of services and how to claim (sub)domains with dangling DNS records, by @EdOverflow.

Cloud Security

AWS’ worst public security mistakes and delays in fixes of 2020
Neat, detailed thread by Scott Piper referencing a ton of bugs external researchers found. Ties a broad range of things together and puts them in perspective in a nice way.

Shifting Cloud Security Left — Scanning Infrastructure as Code for Security Issues
Nice overview by Christophe Tafani-Dereeper of a number of tools (Checkov, Regula, Terraform-compliance, Terrascan, tfsec) with examples of custom check writing and more.


“afl++ is afl (American Fuzzy Lop) with community patches, QEMU 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more!”

Politics / Privacy

Apple’s App ‘Privacy Labels’ Are Here—and They’re a Big Step Forward
Apps in the Mac and iOS App Stores will display mandatory labels of what data they collect and what they do with it. The labels have three categories: Data Used to Track You, Data Linked to You, and Data Not Linked to You, with bullet points for each detailing what the app has going on under the hood. I think this is a step in the right direction, but there are a few challenges: the privacy is self-reported by the app developer (honor system), and apps often include third party analytics libraries that may obtain and use sensitive user info in ways unbeknownst to the development team.

Definitely Not Scary Tech Advancements

Boston Dynamics: Do You Love Me?
These delightful dancing robots will briefly make you forget their inevitable, devastating future. Dancing, fluid movements, balancing on one leg – they are genuinely a marvel of engineering. I thought this would take longer, but after this video, I’d give it 2-5 years tops before robots start being used (more) regularly by the military and displacing massive amounts of warehouse workers. Also, you can watch one parkour. In unrelated news, I’m watching Battlestar Galactica.

DeepMind’s latest AI, MuZero, didn’t need to be told the rules of go, chess, shogi and a suite of Atari games to master them. Instead, it learned them all on its own and is just as capable or better at them than any of DeepMind’s previous algorithms.

While we’re not there yet, MuZero is the closest researchers have come to developing a general-purpose algorithm. The subsidiary says MuZero learning capabilities could one day help it tackle complex problems in fields like robotics where there aren’t straightforward rules.

France Approves Bionic Cyborg Soldiers
I mean, what could go wrong? 😅

OSINT / Recon

“A modular framework to analyse potential information leaks from unstructured data sources like pastes from Pastebin or similar services or unstructured data streams,” by CIRCL, the CERT for the private sector, communes and non-governmental entities in Luxembourg.

Recon suites & Subdomain tools review
@Six2dez1 presents the pros, cons, and features of over 30 recon and subdomain tools.


Whose Life Are You Living?
Powerful article by Daniel Miessler on not just letting life happen to you, but pursuing what truly makes you feel alive.

Look at what you wanted to be. Look at what you are. How far apart are they? If there’s a big difference there, look at how to close it.

Awesome new post by Scott Piper covering initial access, recon, lateral movement, exfiltration, and defenses against each.

You know it’s good when you get comments on r/netsec like this 😂

If you like the post and want to help share it on LinkedIn or Twitter, that’d be cool.

For red teams and pentesters, and defenders wanting to know attacks to look for and protect against, I've written down the techniques I would use to attack AWS environments.https://t.co/8lehoTzY7X

— Scott Piper (@0xdabbad00) January 5, 2021

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!