[tl;dr sec] #65 - Lesser Known AWS Attacks, Infra as Code Scanning, Template Injection Workshop

Hey there,

I hope you’ve been doing well!

I had already written a general “I hope you had a relaxing and rejuvenating holiday break” intro, but that seems a bit strange to send when the Capitol has been stormed by terrorists concerned citizens with guns 😅 

Risk8s Business: Risk Analysis of Kubernetes Clusters

In case you missed it last issue, my friend Mark Manning published an excellent Kubernetes security guide.

Collab #2: Lost in The Cloud

Between sipping eggnog and caroling merrily (to my plants), this holiday break I was chatting with a super sharp friend, one thing led to another, and now tl;dr sec’s second guest post is live! 🎉

In celebration of the holidays and it being the second collaboration, tl;dr sec’s inhouse graphic designer (Çlińt) created:

If you’re not familiar with Scott Piper, he’s one of my favorite people to follow for the latest and greatest in AWS security. More info about the post below, but if you can’t wait, you can read it now here.

AppSec

A Midwinter Night’s Con Playlist
There were a number of great talks, see the abstracts here.

Fixing a Google Vulnerability
“I reported a vuln, why won’t they fix it?!” This post by Dylan and Allison Donovan is an interesting behind the scenes look at the process behind getting a vulnerability fixed at a massive tech company (re: their GCP privilege escalation and lateral movement research presented at Black Hat and elsewhere). There are often competing interests even when everyone has the best intentions; for example: product managers tend to prioritize widespread adoption of their feature or product, new features, and not breaking backwards compatibility.

Web Security

Santandersecurityresearch/corsair_scan
Tool by Daniel Cuthbert’s Santander security team to find Cross-Origin Resource Sharing (CORS) misconfigurations.

Template Injection in Action
A 2-hour workshop in server-side template injection (SSTI) by GoSecure with 6 labs: how to identify template engines, and then exploiting template engines in PHP (Twig), Python (Jinja2, Tornado), and Java (Velocity, Freemarker).

Subdomain Takeover: Going for High Impact
Patrik Hudak describes how to demonstrate a maximum impact for subdomain takeovers using stored XSS on the victim domain, account takeover, CSRF, and authentication bypass.

EdOverflow/can-i-take-over-xyz
A list of services and how to claim (sub)domains with dangling DNS records, by @EdOverflow.

Cloud Security

AWS’ worst public security mistakes and delays in fixes of 2020
Neat, detailed thread by Scott Piper referencing a ton of bugs external researchers found. Ties a broad range of things together and puts them in perspective in a nice way.

Shifting Cloud Security Left — Scanning Infrastructure as Code for Security Issues
Nice overview by Christophe Tafani-Dereeper of a number of tools (Checkov, Regula, Terraform-compliance, Terrascan, tfsec) with examples of custom check writing and more.

Fuzzing

AFLplusplus/AFLplusplus
“afl++ is afl (American Fuzzy Lop) with community patches, QEMU 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more!”

Politics / Privacy

Apple’s App ‘Privacy Labels’ Are Here—and They’re a Big Step Forward
Apps in the Mac and iOS App Stores will display mandatory labels of what data they collect and what they do with it. The labels have three categories: Data Used to Track You, Data Linked to You, and Data Not Linked to You, with bullet points for each detailing what the app has going on under the hood. I think this is a step in the right direction, but there are a few challenges: the privacy is self-reported by the app developer (honor system), and apps often include third party analytics libraries that may obtain and use sensitive user info in ways unbeknownst to the development team.

Definitely Not Scary Tech Advancements

Boston Dynamics: Do You Love Me?
These delightful dancing robots will briefly make you forget their inevitable, devastating future. Dancing, fluid movements, balancing on one leg – they are genuinely a marvel of engineering. I thought this would take longer, but after this video, I’d give it 2-5 years tops before robots start being used (more) regularly by the military and displacing massive amounts of warehouse workers. Also, you can watch one parkour. In unrelated news, I’m watching Battlestar Galactica.

DeepMind’s latest AI can master games without being told their rules

France Approves Bionic Cyborg Soldiers
I mean, what could go wrong? 😅

OSINT / Recon

ail-project/ail-framework
“A modular framework to analyse potential information leaks from unstructured data sources like pastes from Pastebin or similar services or unstructured data streams,” by CIRCL, the CERT for the private sector, communes and non-governmental entities in Luxembourg.

Recon suites & Subdomain tools review
@Six2dez1 presents the pros, cons, and features of over 30 recon and subdomain tools.

Misc

Whose Life Are You Living?
Powerful article by Daniel Miessler on not just letting life happen to you, but pursuing what truly makes you feel alive.

📚 Lesser Known Techniques for Attacking AWS Environments

Awesome new post by Scott Piper covering initial access, recon, lateral movement, exfiltration, and defenses against each.

You know it’s good when you get comments on r/netsec like this 😂

If you like the post and want to help share it on LinkedIn or Twitter, that’d be cool.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint