[tl;dr sec] #72 - Finding Access Control Bugs, Supply Chain Security, Security Logging in AWS
Tips + a Burp extension for finding access control issues, tools and reflections on supply chain security, an architecture for multi-account security logging in AWS.
I hope you’ve been doing well!
The tl;dr sec Accelerator
Both Sqreen and Bridgecrew (and Datadog!) have been tl;dr sec sponsors.
Hm, maybe I should start taking equity instead of cash for sponsorships 🤔
I don’t look the part yet, but with a Patagonia vest, Allbirds, and constantly asking my friends, “But what’s the TAM for that?” over my Blue Bottle coffee, hopefully I too can join the VC ranks in no time.
📢 Pentests often miss 6 critical SaaS security issues. Here’s why.
Pentests weren't designed to catch many of the most common security issues in a modern SaaS environment. In fact, many of the enterprises we work with initially have critical vulnerabilities despite being up-to-date with pentesting. Learn about the 6 most common vulnerabilities we see and why they are so often overlooked by pentests.
📜 In this newsletter...
AppSec: NPM creator on avoiding substitution attacks, an open source private npm proxy registry, autograde code structure with Semgrep
Web Security: How to find more IDORs, Burp extension to find access control bugs, damn vulnerable GraphQL app
Cloud Security: GCP CISO guide to cloud security transformation, security logging in AWS
Blue Team: On SolarWinds, Supply Chains and Enterprise Networks
Red Team: Post-exploitation platform for Linux targets, tool to auto-exploit local misconfigurations and vulnerabilities for privilege escalation
Politics / Privacy: China's military-civil fusion, insights into TikTok's censorship machine
Misc: Pelotaunt, find epic bug -> tattoo in your honor
Use scopes for internal packages.
Use a .npmrc file in the root of a project to set the intended registry.
Take care when proxying.
Respond quickly to build failures.
Autograding code structure using CodeGrade and Semgrep
Interesting post by CodeGrade showing how you can use Semgrep as a teacher to evaluate student coding style, for example, to enforce the use (or lack of) a while loop, ban if statements if they get 3+ levels deep, etc.
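Added example, not from the CodeGrade post: two Semgrep rules of the kind described above, written for Python submissions. Rule ids, messages and the three-level threshold are my own choices.

```yaml
rules:
  # Rule 1: the assignment requires a for loop, so any while loop is an error.
  - id: grading-no-while-loop
    languages: [python]
    severity: ERROR
    message: "while loops are not allowed in this assignment; use a for loop"
    pattern: |
      while $COND:
        ...

  # Rule 2: flag an if statement nested three levels deep.
  # pattern-inside describes the enclosing if/if/if nest; the innermost if's
  # condition is bound to $C there, and the same $C in `pattern` means only
  # the innermost if is reported, not the outer two.
  - id: grading-if-nested-three-deep
    languages: [python]
    severity: WARNING
    message: "if statement nested 3 levels deep; flatten the logic or extract a function"
    patterns:
      - pattern-inside: |
          if $A:
            ...
            if $B:
              ...
              if $C:
                ...
      - pattern: |
          if $C:
            ...
```

Run with semgrep --config grading-rules.yml submission.py to get per-file findings that a grader can turn into a score.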
Try create/update/delete operations on objects that are publicly readable but shouldn’t be writable (e.g. HTTP DELETE, or vice versa.)
Leverage the predictable nature of API route naming and wordlists to find more endpoints using tools like Intruder or ffuf, or CeWL for generating custom wordlists.
Offer the server an ID even if it doesn’t ask for it (e.g.
Supply multiple values for the same parameter
Try changing the parameters themselves (e.g.
Try changing the requested file type (e.g. appending .json to the request) or the request’s content type (
If you’re looking to find access control bugs using Burp Suite, I know of no better tool than my bud Justin Moore’s AutoRepeater. It lets you set up some pretty complex custom auto-replace logic that, for example, causes every request to be sent from your admin user, a low privileged user, and several user accounts in different organizations or some other unit of access control. I’ve used it to successfully find a number of access control bugs on pen tests 👍 @ngkogkos has a nice Twitter thread about AutoRepeater.
CISO’s Guide to Cloud Security Transformation
New whitepaper by GCP covering: “prepare your company culture for cloud security, evolve how your company works, evolve key security roles and responsibilities, and design your security operating model.”
Security Logging in Cloud Environments - AWS
Post by Marco Lancini describing how to design a multi-account security-related logging platform in AWS. He discusses various services (CloudTrail, CloudWatch, GuardDuty, Config), access logs, collecting logs, long-term storage and audit trail, and monitoring and alerting.
Relationships Between AWS Logging/Monitoring Services.
Architecture Diagram - Security Logging Platform in AWS
On SolarWinds, Supply Chains and Enterprise Networks
If SolarWinds has got you down and you need a pick me up, this post by Thinkst’s Haroon Meer is not what you’re looking for.
By Caleb Stewart: A post-exploitation platform for Linux targets. Intercepts the raw communication with a remote shell and allows the user to perform automated actions on the remote host including enumeration, persistence installation and even privilege escalation.
Politics / Privacy
China’s Military-Civil Fusion Strategy: What to Expect in the Next Five Years
In practice, there is little difference between “private” companies and the Chinese government. It’s all part of one unified plan to be the most powerful country.
The product you need if you’re more motivated by negative feedback than encouragement.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!