[tl;dr sec] #68 - Securing Lambda, Recon Tool Primer, Blind SSRF Chains

Hey there,

I hope you’ve been doing well!

A bunch of people signed up this week, so I just wanted to say hi 👋

Welcome, I’m glad you’re here! You’re among friends.

Srsly Risky Biz

You’ve probably already heard of the widely popular Risky Biz podcast, but did you know there’s also a Risky Biz newsletter written by Brett Winterford?! 🤯

I like how it often takes a topic or theme and then nicely collects a broad swathe of relevant supporting links into one place for easy review, and then ties it together with Brett’s analysis and some jokes and wordplay. Example: Ransom payouts spell trouble for insurers.

If you enjoy long form content about security and privacy-related current events, check it out!

Over 5,000 Subscribers, Giving Back

Recently tl;dr sec surpassed 5,000 subscribers, which is crazy! 🚀

I’ve been reflecting on how lucky I feel to get to do something I love (read too much security content) and share it.

I’m in such a fortunate position, so I want to give back.

I know there are a lot of people in the U.S. right now who are food insecure, so I posted on LinkedIn and Twitter that I’ll donate $1 to Feeding America’s Coronavirus Response fund for every like, re-tweet, or share over the next week.

If you’d like to contribute as well, you can do so here.

Here’s to a better 2021!

AppSec

A ‘Novel’ Way to Bypass Executable Signature Checks with Electron
Parsia Hakimian gives an overview of analyzing the attack surface of app update mechanisms on Windows, including 6 relevant bugs. He then demonstrates how to bypass signature checks using signed Electron binaries and backdoored app.asars.

SANS Virtual Summits FREE in 2021
Nice, usually SANS stuff is $$$.

Custom Static Analysis Rules Showdown: Brakeman vs. Semgrep
So you’re doing a code review and you find some code base-specific pattern that likely indicates a bug (e.g. authn/authz). You’d like to search for this code pattern across thousands of files, but because this pattern is unique to this code base, no SAST tool is going to have a rule for it out of the box. This is the perfect opportunity for writing a custom rule.

Include Security’s Jason Kielpinski walks through his experiences writing custom rules in both Brakeman and Semgrep.

Web Security

Client Side Encryption Bypass Part-1
This article by Sameer Bhatt gives a nice example of why you can never trust client side code (e.g. JavaScript). If you’re testing an app that’s trying to obscure its parameters and server responses:

1. First find where the logic is implemented.

   1. You can do this via the Developer tools and Ctrl+f-ing for potentially relevant function names, or inspecting DOM elements and looking for onClick or other registered callbacks.

2. Then set breakpoints, step through the code, and modify it as necessary; after all, it’s running in your browser 😉

Sameer also includes a Docker image practice lab.

A Glossary of Blind SSRF Chains
Blind SSRF is when you can cause a server to make a request to an arbitrary URL but you can’t see the result. Assetnote co-founder Shubham Shah presents a cheatsheet of high impact blind SSRF targets including Elasticsearch, Weblogic, Hashicorp Consul, Structs, Confluence, Jira, Jenkins, Docker, and many more. Other tips include “SSRF canaries,” using DNS and AltDNS to find internal hosts, and side channel leaks. (GitHub repo)

Cloud Security

Security Overview of AWS Lambda
20 page PDF by Amazon on how Lambda manages security: process sandboxes, microkernel, hypervisors, how to monitor and audit Lambda functions, and more. H/T Mark Manning for sharing.

Google Cloud IAM Custom Role and Permissions Debugging Tricks
Darkbit’s Brad Geesaman describes the process of creating a custom GCP IAM role to follow least privilege, including using the IAM Policy Troubleshooter.

wolfeidau/website-openid-proxy
By Mark Wolfe: “This service provides OpenID authenticated access to a static website hosted in an S3 bucket,” using AWS API Gateway HTTP APIs, powered by AWS Lambda.

Container Security

Bad Pods: Kubernetes Pod Privilege Escalation
What are the risks associated with overly permissive pod creation in Kubernetes? Bishop Fox’s Seth Art describes eight insecure pod configurations and the corresponding methods to perform privilege escalation:

• Allowing everything;

• Privileged and hostPid;

• Privileged, hostPath, HostPid, hostNetwork, or hostIPC only

• Nothing allowed

See this repo for a collection of manifests that map to these configs.

Politics / Privacy

New campaign targeting security researchers
Google’s Threat Analysis Group has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations, likely a government-backed entity based in North Korea. They set up fake social media accounts and security research blogs to build trust, and then compromise targets via sharing a backdoored Visual Studio Project or just from visiting the threat actor’s blog (on a fully patched and up-to-date Windows 10 + Chrome browser). Yikes!

OSINT / Recon

cloud-sniper/dagobah
An open source tool to automate the internal threat intelligence generation, inventory collection and compliance check from different AWS resources.

A @TomNomNom Recon Tools Primer
Great overview by Daniel Miessler of useful tools by Tom Hudson that follow the Unix philosophy of doing one thing well. See my summary of Daniel’s Mechanizing the Methodology talk for more details on the power of this approach.

• gf - Easily grep for security-sensitive things

• httprobe - Given a list of domains, finds the ones listening on web ports

• unfurl - Easily break down URLs into discrete pieces (e.g. domain, path, URL paraters, etc.) for further processing

• meg - Quickly checks a list of interesting paths across a set of domains

• anew - Adds the contents of an input stream to the output, but only if it’s new

• waybackurls - Finds archived URLs for a domain

Misc

Fauci steps up to the podium
In slow motion, with some hyped up entrance music. I couldn’t help but laugh.

Fraud Is No Fun Without Friends
H/T Jon Oberheide for sending me this link. Apparently the SEC has received 31% more tips alleging white-collar malfeasance this year, potentially due to remote work removing the office culture glue that might normalize bending the rules.

Separately, the article also makes the interesting argument that SEC rules that mandate more disclosure could have a positive impact on areas ranging from global warming and corporate diversity to political donations. I don’t have enough context to know if this is possible or a good idea, but it’s interesting.

Twitter

I did not expect to see an InfoSec sea shanty from my friend Rachel Tobac, but I did, and it made my day 🤣

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint