
[tl;dr sec] #77 - Hidden OAuth attack vectors, Networking Fundamentals, Career Advice

Three new OAuth2 and OpenID Connect vulnerabilities, great intro/overview of networking concepts, security manager interviews & advancing your career in security.

Hey there,

I hope you’ve been doing well!

#2021_Problems

A tech billionaire sharing crypto memes on Twitter. Oh the world we live in. From a tweet by Elon Musk:

Dream Team

I get why Netflix writes about it in their culture doc, it’s super cool and invigorating getting to work with a top notch team.

This week my company had an internal lunch and learn, and developers and the security team alike worked together on solving an intro reverse engineering challenge using Ghidra, led by someone (Isaac Evans) who contributed to building Ghidra! 🤯

Sponsor

📢 All-in-one cloud security with Bridgecrew

Bridgecrew delivers comprehensive security from commit to cloud. Powered by policy-as-code, our platform gives you instant visibility into your cloud security posture and equips you with automated remediation. By embedding security earlier in the development lifecycle, we enable teams to proactively secure their infrastructure without slowing them down.

📜 In this newsletter...

  • Web Security: GraphQL resources, new OAuth attack vectors, HTTP/2 request smuggling against major cloud providers, protecting users via running browsers in the cloud

  • Cloud Security: Continuously validate and monitor IAM best practices via SQL, AWS machine-to-machine authn recommendations, differences in how IAM treats Groups and Users

  • Network Security: Networking fundamentals: from Zero to HTTP

  • Career Advice: Interview prep for security managers, how to advance your career

  • Politics / Privacy: Public audit of NYT's anonymous submission platform, Google shuts down a Western democracy's active counterterrorism operation

  • Misc: Thoughts on selling to security leaders, Chrome extension to hide Twitter's Trends, consumer authentication strength maturity model

  • Quote: Esther Perel on criticism and relationships

Web Security

Want to learn about GraphQL hacking?
A Twitter thread by @drunkrhin0 with useful talks, resources, and tools.

Hidden OAuth attack vectors
Very cool work by Portswigger’s Michael Stepankin: “In this post we’re going to present three brand new OAuth2 and OpenID Connect vulnerabilities: “Dynamic Client Registration: SSRF by design”, “redirect_uri Session Poisoning”, and “WebFinger User Enumeration”. We’ll go over the key concepts, demonstrate these attacks on two open-source OAuth servers (ForgeRock OpenAM and MITREid Connect), and provide some tips on how you can detect these vulnerabilities yourself.”

H2C Smuggling in the Wild
AssetNote’s Sean Yeoh tested Cloudflare, Azure, GCP, and a number of other cloud providers for H2C smuggling, which uses an obscure feature of HTTP/2 to allow an attacker to bypass authorization controls on reverse proxies. H2C smuggling was previously described by Bishop Fox’s Jake Miller.

Browser Isolation for teams of all sizes
Cloudflare has released a new product, Browser Isolation, that runs potentially malicious website code in a remote cloud browser and then streams the results to you, protecting users from drive-by-download malware, browser 0days, etc. I haven’t tried this personally so I can’t comment, but it has a number of properties I like in a security solution:

  1. Transparent to the end user: it “just works” without educating the user, forcing them to change their processes, or relying on them to remember not to click on sketchy links.

  2. Kills classes of bugs/attacks by construction.

Cloud Security

Continuous AWS IAM Security Best Practices
Yevgeny Pats describes how to validate and monitor official AWS IAM best practices using SQL.

Approaches for authenticating external applications in a machine-to-machine scenario
AWS’ Patrick Sard describes the pros and cons of a number of approaches, including AWS Signature v4, OpenID Connect, SAML 2.0, and Kerberos.

AWS Authorization Bypass - Security Risk You Should Be Aware Of 
Lightspin’s Or Azarzar describes how an explicit “Deny” in an IAM Group only affects Group actions, not User actions, which can lead to subtle bugs. They also released red-shadow, a tool that scans IAM configurations for shadow admins based on misconfigured deny policies that don’t affect users in groups. Also, IAM- go home, you’re drunk 👇

Network Security

Networking Fundamentals: From Zero to HTTP
These slides (and video) by Detectify’s Tom Hudson are a great overview and intro to networking fundamentals: MAC addresses, ARP, hubs, switches, subnets, CIDR, routing, TCP/IP, DNS, load balancers, NAT, etc.

Career Advice

Interview Prep for Cybersecurity Managers
Reddit post by Mike Privette of topics you should prepare to speak on.

How far you can go in a management career will always be bounded by your ability to convince all the people involved that you know the best way to navigate to a successful outcome.

  1. First figure out for yourself what “advancement” means (i.e., more money, better title, more autonomy, more challenging problems to solve, etc.).

    1. Early in your career, you end up getting all of those things as you move from Jr analyst/engineer/operator into more senior-level roles, but you need to consider the path you want to take a few jobs/roles out.

  2. Look at your skills and current role, look at what you want (future roles/jobs), then figure out how to close those gaps.

    1. Make your intentions known - people can’t help you if they don’t know what you’re aiming for.

  3. Build an audience in AND outside of your sphere of control and influence.

You want people outside of the cybersecurity group at your company to know of you and what you can bring to the table and help them do.

Politics / Privacy

Second independent audit of SecureDrop Workstation completed
The SecureDrop Workstation is an open source platform by the NYT, based on Qubes OS, which allows journalists to safely retrieve, decrypt, open and export anonymous submissions. Some solid, thorough work by Trail of Bits. I liked the appendix on attack surface analysis, and woo, Appendix D is a Semgrep query to find potentially dangerous TarFile.extractall usage.

Google’s unusual move to shut down an active counterterrorism operation being conducted by a Western democracy
An interesting example of when the right thing to do isn’t crystal clear (in my opinion). Project Zero disclosed a campaign using 11 0days for iOS, Android, and Windows over a 9 month period.

  • Great, let’s patch and make everyone safer 👍

  • That operation was a Western democracy conducting a counterterrorism operation. They’ll need to regain this level of access, and a successful terrorist attack could kill many innocent people 👎

  • If one player knows about these 0days, another player, such as an authoritarian regime, may also know and could use them to target dissidents 😰

Misc

Thoughts on Selling to Security Leaders
Tips by Netflix’s VP of Information Security, Jason Chan.

DevMoath/hide-twitter-trends
By @Dev_Moath: Chrome extension to hide “Trending now,” “Who to follow,” and “Topics to follow” tabs on Twitter. My happiness just 10X’d.

Quote

Behind every criticism there is a wish. So say what you want, don’t say what the other person does wrong.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint