
[tl;dr sec] #72 - Finding Access Control Bugs, Supply Chain Security, Security Logging in AWS

Tips + a Burp extension for finding access control issues, tools and reflections on supply chain security, an architecture for multi-account security logging in AWS.

Hey there,

I hope you’ve been doing well!

The tl;dr sec Accelerator

Big congrats to the Sqreen team, who were acquired by Datadog, and Bridgecrew, who were acquired by Palo Alto Networks.

Both Sqreen and Bridgecrew (and Datadog!) have been tl;dr sec sponsors.

Hm, maybe I should start taking equity instead of cash for sponsorships 🤔

I don’t look the part yet, but with a Patagonia vest, Allbirds, and constantly asking my friends, “But what’s the TAM for that?” over my Blue Bottle coffee, hopefully I too can join the VC ranks in no time.

Sponsor

📢 Pentests often miss 6 critical SaaS security issues. Here’s why.

Pentests weren't designed to catch many of the most common security issues in a modern SaaS environment. In fact, many of the enterprises we work with initially have critical vulnerabilities despite being up-to-date with pentesting. Learn about the 6 most common vulnerabilities we see and why they are so often overlooked by pentests.

📜 In this newsletter...

🔗 Links:

  • AppSec: NPM creator on avoiding substitution attacks, an open source private npm proxy registry, autograde code structure with Semgrep

  • Web Security: How to find more IDORs, Burp extension to find access control bugs, damn vulnerable GraphQL app

  • Cloud Security: GCP CISO guide to cloud security transformation, security logging in AWS

  • Blue Team: On SolarWinds, Supply Chains and Enterprise Networks

  • Red Team: Post-exploitation platform for Linux targets, tool to auto-exploit local misconfigurations and vulnerabilities for privilege escalation

  • Politics / Privacy: China's military-civil fusion, insights into TikTok's censorship machine

  • Misc: Pelotaunt, find epic bug -> tattoo in your honor

AppSec

Avoiding npm substitution attacks
Post by Isaac Z. Schlueter, npm's creator, on the GitHub blog, on keeping dependency confusion (a public package that shadows an internal one of the same name) out of your builds:

  1. Use scopes for internal packages (e.g. @yourorg/foo), so an unscoped public foo can never be mistaken for yours.

  2. Use a .npmrc file in the root of a project to set the intended registry, including the registry each scope resolves from.

  3. Take care when proxying: a registry proxy that falls through to the public registry for names it does not host recreates the problem.

  4. Respond quickly to build failures: a private package that suddenly fails to install may mean someone has published its name publicly, so investigate rather than work around it.
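To make tips 1 and 2 concrete, here is an added example (mine, not code from the GitHub blog post) that audits a project's package.json against its .npmrc and flags dependencies that could be substituted from the public registry. The organization name "acme", the package names, the internal registry URL and the sample .npmrc are all constructed for the example.

```javascript
// Added example: audit package.json against .npmrc for npm substitution
// (dependency confusion) risk. Not code from the GitHub blog post; package
// names, registry URLs and the .npmrc below are constructed.

const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';

// Minimal .npmrc parser: `key=value` lines, '#'/';' comments. Only the
// default registry and `@scope:registry=` mappings matter for this audit.
function parseNpmrc(text) {
  const config = { registry: PUBLIC_REGISTRY, scopes: {} };
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === 'registry') config.registry = value;
    else if (key.startsWith('@') && key.endsWith(':registry')) {
      config.scopes[key.slice(0, -':registry'.length)] = value;
    }
  }
  return config;
}

// internalNames: package names your organization publishes privately.
function auditDependencies(pkg, npmrc, internalNames) {
  const internal = new Set(internalNames);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    if (!scope) {
      // Tip 1: an unscoped internal name can be claimed by anyone on the
      // public registry, and npm has no way to tell the two apart.
      if (internal.has(name)) {
        findings.push({ name, severity: 'high',
          reason: `internal package is unscoped; a public package of the same name on ${npmrc.registry} could be installed instead` });
      }
      continue;
    }
    const registry = npmrc.scopes[scope];
    if (!registry) {
      // Tip 2: without an @scope:registry entry the scope falls back to the
      // default registry, so the project's intent is recorded nowhere.
      findings.push({ name, severity: internal.has(name) ? 'high' : 'medium',
        reason: `scope ${scope} has no registry in .npmrc; it resolves from ${npmrc.registry}` });
    } else if (internal.has(name) && registry === PUBLIC_REGISTRY) {
      findings.push({ name, severity: 'high',
        reason: `internal scope ${scope} is explicitly pinned to the public registry` });
    }
  }
  return findings;
}

// Constructed sample inputs (hypothetical organization "acme").
const SAMPLE_NPMRC = [
  'registry=https://registry.npmjs.org/',
  '@acme:registry=https://npm.internal.example.com/',
  '//npm.internal.example.com/:_authToken=${NPM_TOKEN}',
].join('\n');

const SAMPLE_PACKAGE = {
  name: '@acme/web',
  dependencies: {
    lodash: '^4.17.21',        // public, fine
    'acme-auth': '^2.0.0',     // internal but unscoped: substitutable
    '@acme/billing': '^1.4.0', // internal, scope pinned to the private registry
    '@partner/sdk': '^3.1.0',  // scoped, but the scope is not pinned anywhere
  },
};
const INTERNAL_PACKAGES = ['acme-auth', '@acme/billing'];

function runAudit() {
  return auditDependencies(SAMPLE_PACKAGE, parseNpmrc(SAMPLE_NPMRC), INTERNAL_PACKAGES);
}

console.log(JSON.stringify(runAudit(), null, 2));
```

Run it with node and it reports acme-auth (high) and @partner/sdk (medium) while leaving lodash and @acme/billing alone. Running the same check in CI is one way to act on tip 4: a new unscoped internal name fails the build before anyone has to debug a mysterious install.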

Verdaccio
A lightweight open source private npm proxy registry. H/T Asif Wani from his article on preventing dependency confusion in NPM.

Autograding code structure using CodeGrade and Semgrep
Interesting post by CodeGrade showing how you can use Semgrep as a teacher to evaluate student coding style, for example, to enforce the use (or absence) of a for or while loop, ban if statements nested 3+ levels deep, etc.

Web Security

Finding more IDORs – Tips and Tricks
Nice overview by Max Corbridge on the types of things to try to find insecure direct object references (IDORs):

  • Try create/update/delete operations on objects that are publicly readable but shouldn’t be writable (e.g. HTTP GET to POST/PUT/DELETE, or vice versa.)

  • Leverage the predictable nature of API route naming and wordlists to find more endpoints using tools like Intruder or ffuf, or CeWL for generating custom wordlists.

  • Offer the server an ID even if it doesn’t ask for it (e.g. /api/messages -> /api/messages?user_id=ANOTHER_USER_ID)

  • Supply multiple values for the same parameter

  • Try changing the parameters themselves (e.g. conversation_id to user_id)

  • Try changing the requested file type (e.g. appending .json to the request) or the request’s content type (application/json, text/xml, …)

nccgroup/AutoRepeater
If you’re looking to find access control bugs using Burp Suite, I know of no better tool than my bud Justin Moore’s AutoRepeater. It lets you set up some pretty complex custom auto-replace logic that, for example, causes every request to be sent from your admin user, a low privileged user, and several user accounts in different organizations or some other unit of access control. I’ve used it to successfully find a number of access control bugs on pen tests 👍 @ngkogkos has a nice Twitter thread about AutoRepeater.
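The core of both the IDOR tips above and what AutoRepeater automates is a differential check: replay the same request under different identities and look for responses that should differ but don't. The following is an added example of that check (my code, not from Max's post or from AutoRepeater). The target API, its two tokens, user ids and messages are constructed stand-ins with deliberate flaws so the check has something to find; against a real application, targetApi would be an HTTP call through Burp or fetch.

```javascript
// Added example: differential access-control testing. Not code from the
// IDOR post or from AutoRepeater. Tokens, ids, messages and the target API
// are constructed; the API is deliberately flawed so the check finds something.

const TOKENS = { 'tok-alice': 'u1', 'tok-bob': 'u2' };
const MESSAGES = [
  { id: 101, owner: 'u1', text: 'alice: payroll export is ready' },
  { id: 102, owner: 'u2', text: 'bob: lunch at noon?' },
];

// Flawed in-memory API: /api/messages trusts a caller-supplied user_id,
// and the legacy "/:id.json" route skips the owner check.
function targetApi(req) {
  const me = TOKENS[req.headers.authorization];
  if (!me) return { status: 401, body: { error: 'unauthenticated' } };
  const [path, qs = ''] = req.path.split('?');
  const query = Object.fromEntries(new URLSearchParams(qs));
  if (req.method === 'GET' && path === '/api/messages') {
    const owner = query.user_id || me;                      // flaw 1
    return { status: 200, body: MESSAGES.filter((m) => m.owner === owner) };
  }
  const m = /^\/api\/messages\/(\d+)(\.json)?$/.exec(path);
  if (req.method === 'GET' && m) {
    const msg = MESSAGES.find((x) => x.id === Number(m[1]));
    if (!msg) return { status: 404, body: { error: 'not found' } };
    if (!m[2] && msg.owner !== me) return { status: 403, body: { error: 'forbidden' } };
    return { status: 200, body: msg };                      // flaw 2 when m[2] is '.json'
  }
  return { status: 404, body: { error: 'not found' } };
}

// Request variants drawn from the tips: the same request as another user,
// offering the victim's id even though the endpoint does not ask for it,
// and asking for a different representation of the same resource.
function variants(base, victimId) {
  const sep = base.path.includes('?') ? '&' : '?';
  return [
    { via: 'same request as low-privileged user', path: base.path },
    { via: 'offer user_id param', path: `${base.path}${sep}user_id=${victimId}` },
    { via: 'append .json', path: base.path.replace(/(\?|$)/, '.json$1') },
  ];
}

// Replay each base request as the victim to capture what only the victim
// should see, then send every variant as the attacker. A 200 whose body
// matches the victim's baseline is a likely access-control bug.
function findAccessControlIssues(api, baseRequests, victim, attacker) {
  const findings = [];
  for (const base of baseRequests) {
    const expected = api({ ...base, headers: { authorization: victim.token } });
    if (expected.status !== 200) continue;
    for (const v of variants(base, victim.id)) {
      const got = api({ ...base, path: v.path, headers: { authorization: attacker.token } });
      if (got.status === 200 && JSON.stringify(got.body) === JSON.stringify(expected.body)) {
        findings.push({ method: base.method, path: v.path, via: v.via });
      }
    }
  }
  return findings;
}

function runDemo() {
  const bases = [
    { method: 'GET', path: '/api/messages' },
    { method: 'GET', path: '/api/messages/101' },
  ];
  return findAccessControlIssues(targetApi, bases,
    { token: 'tok-alice', id: 'u1' }, { token: 'tok-bob', id: 'u2' });
}

console.log(runDemo());
```

Against the constructed API this reports two issues (the user_id override on the collection and the .json route on a single message) and correctly stays quiet where the owner check holds. Real responses carry timestamps, nonces and CSRF tokens, so in practice you compare a normalized body, or status plus length, rather than exact equality, and you still eyeball the diffs; that is the part a tool like AutoRepeater makes fast.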

dolevf/Damn-Vulnerable-GraphQL-Application
By Dolev Farhi. Covers a number of vulnerabilities, including: denial-of-service, info disclosure, code execution, injection, authorization bypass, and more.

Cloud Security

CISO’s Guide to Cloud Security Transformation
New whitepaper by GCP covering: “prepare your company culture for cloud security, evolve how your company works, evolve key security roles and responsibilities, and design your security operating model.”

Security Logging in Cloud Environments - AWS
Post by Marco Lancini describing how to design a multi-account security-related logging platform in AWS. He discusses various services (CloudTrail, CloudWatch, GuardDuty, Config), access logs, collecting logs, long-term storage and audit trail, and monitoring and alerting.

Relationships Between AWS Logging/Monitoring Services (figure from the post).

Architecture Diagram - Security Logging Platform in AWS (figure from the post).
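For the monitoring and alerting layer of such a platform, here is an added example (mine, not code from Marco's post) of detection logic run over CloudTrail records: rules for trail and GuardDuty/Config tampering, root usage, and console logins without MFA. The records are constructed samples in CloudTrail's field layout; the account ids, ARNs and trail name are made up.

```javascript
// Added example: detection rules over CloudTrail records. Not code from the
// post. The records below are constructed samples in CloudTrail's field
// layout; account ids, ARNs and the trail name are made up.

const RULES = [
  {
    id: 'cloudtrail-tampering', severity: 'high',
    match: (r) => r.eventSource === 'cloudtrail.amazonaws.com' &&
      ['StopLogging', 'DeleteTrail', 'UpdateTrail', 'PutEventSelectors'].includes(r.eventName),
  },
  {
    id: 'config-disabled', severity: 'high',
    match: (r) => r.eventSource === 'config.amazonaws.com' &&
      ['StopConfigurationRecorder', 'DeleteConfigurationRecorder', 'DeleteDeliveryChannel'].includes(r.eventName),
  },
  {
    id: 'guardduty-disabled', severity: 'high',
    match: (r) => r.eventSource === 'guardduty.amazonaws.com' &&
      (r.eventName === 'DeleteDetector' ||
       (r.eventName === 'UpdateDetector' && (r.requestParameters || {}).enable === false)),
  },
  {
    // invokedBy is set when an AWS service acts on the account's behalf;
    // skipping those keeps the rule to real root credential use.
    id: 'root-activity', severity: 'high',
    match: (r) => (r.userIdentity || {}).type === 'Root' && !(r.userIdentity || {}).invokedBy,
  },
  {
    id: 'console-login-no-mfa', severity: 'medium',
    match: (r) => r.eventName === 'ConsoleLogin' &&
      (r.additionalEventData || {}).MFAUsed === 'No' &&
      (r.responseElements || {}).ConsoleLogin === 'Success',
  },
];

// Evaluate every rule against every record; one alert per match.
function evaluateRecords(records, rules = RULES) {
  const alerts = [];
  for (const r of records) {
    for (const rule of rules) {
      if (!rule.match(r)) continue;
      alerts.push({
        rule: rule.id, severity: rule.severity,
        eventTime: r.eventTime, account: r.recipientAccountId,
        actor: (r.userIdentity || {}).arn, event: `${r.eventSource}:${r.eventName}`,
        denied: r.errorCode || null, // a denied attempt is still worth seeing
      });
    }
  }
  return alerts;
}

// CloudTrail log files delivered to S3 wrap records in { "Records": [...] }.
function parseCloudTrailFile(json) {
  const doc = JSON.parse(json);
  return Array.isArray(doc.Records) ? doc.Records : [];
}

// Constructed sample log file: four events that should alert, one that should not.
const SAMPLE_LOG_FILE = JSON.stringify({ Records: [
  { eventTime: '2021-02-19T10:01:12Z', eventSource: 'cloudtrail.amazonaws.com', eventName: 'StopLogging',
    userIdentity: { type: 'IAMUser', arn: 'arn:aws:iam::111122223333:user/ops-admin' },
    recipientAccountId: '111122223333', requestParameters: { name: 'org-trail' } },
  { eventTime: '2021-02-19T10:02:40Z', eventSource: 'signin.amazonaws.com', eventName: 'ConsoleLogin',
    userIdentity: { type: 'IAMUser', arn: 'arn:aws:iam::111122223333:user/dev1' },
    recipientAccountId: '111122223333', additionalEventData: { MFAUsed: 'No' },
    responseElements: { ConsoleLogin: 'Success' } },
  { eventTime: '2021-02-19T10:03:05Z', eventSource: 'ec2.amazonaws.com', eventName: 'DescribeInstances',
    userIdentity: { type: 'AssumedRole', arn: 'arn:aws:sts::444455556666:assumed-role/ReadOnly/ci' },
    recipientAccountId: '444455556666' },
  { eventTime: '2021-02-19T10:04:59Z', eventSource: 's3.amazonaws.com', eventName: 'CreateBucket',
    userIdentity: { type: 'Root', arn: 'arn:aws:iam::444455556666:root' },
    recipientAccountId: '444455556666' },
  { eventTime: '2021-02-19T10:05:30Z', eventSource: 'guardduty.amazonaws.com', eventName: 'DeleteDetector',
    userIdentity: { type: 'IAMUser', arn: 'arn:aws:iam::444455556666:user/ops-admin' },
    recipientAccountId: '444455556666', errorCode: 'AccessDenied' },
] });

function runDetection() {
  return evaluateRecords(parseCloudTrailFile(SAMPLE_LOG_FILE));
}

console.log(JSON.stringify(runDetection(), null, 2));
```

In a multi-account design this runs in the logging account against the organization trail's consolidated files, so a member account disabling its own trail or GuardDuty detector is caught by logs it cannot delete. Note the last sample record: the DeleteDetector call was denied, and the rule still fires, because a failed attempt to blind your monitoring is exactly the kind of thing you want to know about.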

Blue Team

On SolarWinds, Supply Chains and Enterprise Networks
If SolarWinds has got you down and you need a pick me up, this post by Thinkst’s Haroon Meer is not what you’re looking for.

Ransomware didn’t spring up overnight. Networks hit by ransomware were typically vulnerable for years and ran along blissfully unaware of it till attackers evolved a method to take advantage of it. Most enterprises have been completely vulnerable to their vendors’ horrible insecurity too, the SolarWinds incident just published a blueprint for how to abuse it.

Red Team

calebstewart/pwncat
By Caleb Stewart: A post-exploitation platform for Linux targets. Intercepts the raw communication with a remote shell and allows the user to perform automated actions on the remote host including enumeration, persistence installation and even privilege escalation.

liamg/traitor
By Liam Galvin: Packages up a bunch of methods to exploit local misconfigurations and vulnerabilities (including most of GTFOBins) in order to pop a root shell.

Politics / Privacy

China’s Military-Civil Fusion Strategy: What to Expect in the Next Five Years
In practice, there is little difference between “private” companies and the Chinese government. It’s all part of one unified plan to be the most powerful country.

Insights into TikTok's censorship machine
First-person account from a former member of ByteDance's (TikTok's parent company) content moderation policy team:

What Chinese user-generated content platforms most fear is failing to delete politically sensitive content that later puts the company under heavy government scrutiny. It’s a life-and-death matter. Occasionally, ByteDance’s content moderation system would go down for a few minutes. It was nerve-wracking because we didn’t know what kind of political disaster could occur in that window. As a young unicorn, ByteDance does not have strong government relationships like other tech giants do, so it’s walking a tightrope every second.

The team I was part of, content moderation policymakers, plus the army of about 20,000 content moderators, have helped shield ByteDance from major political repercussions and achieve commercial success. ByteDance’s powerful algorithms not only can make precise predictions and recommend content to users — one of the things it’s best known for in the rest of the world — but can also assist content moderators with swift censorship.

…in China, one primary function of these technologies is to censor speech and erase collective memories of major events, however infrequently this function gets used.

Misc

SNL: Pelotaunt
The product you need if you’re more motivated by negative feedback than encouragement.

Next level bug bounty incentives
Are you a top notch bug bounty researcher, flush with cash, looking for a more meaningful reward? Well have I got the opportunity for you (H/T Graham Cluley).

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint