• tl;dr sec
  • Posts
  • [tl;dr sec] #90 - Eradicating Subdomain Takeovers, GitHub's AI Pair Programmer, Testing File Upload Functionality

[tl;dr sec] #90 - Eradicating Subdomain Takeovers, GitHub's AI Pair Programmer, Testing File Upload Functionality

Open source tool to continuously scan for subdomain takeover vulnerabilities, GitHub's Copilot can suggest whole functions within VS Code, resources for assessing and securing file upload functionality.

Author

Clint Gibler
June 30, 2021

Hey there,

I hope you’ve been doing well!

Out of Context

Recently I was talking a walk, minding my own business, when a woman in a car slowed down, rolled down the window, and said, gesturing at me and the area behind me:

You see, this is the world I live in!

And drove off.

In college, I was in an improv comedy troupe, and one thing we liked to do was take snippets of real conversations we overheard on campus and use them to initiate warm-up scenes at the beginning of rehearsal.

The type of conversation fragments that make no sense out of context, that make you laugh and try to imagine the context that would make those words in that order make sense.

It was a joy to bring those words to life, in a context probably very different than the original.

So the next time you overhear a fun snippet of conversation, try storing it in your back pocket and use it later with a friend. I bet you’ll have fun 😃

Sponsor

📢 Do the impossible for free - cloud-native cyber asset security with JupiterOne

Effective cyber asset governance sounds like a dream. Building a security program based on up to date knowledge of your cyber assets is not only possible, it’s easy. JupiterOne integrates with your security and infrastructure stacks to provide graph-based and context-driven cloud-native visibility and security. Deliver compliance, cloud security posture management, security operations, and more on the back of the JupiterOne platform. Log in, integrate and get started for free!

📜 In this newsletter...

  • AppSec: Terraform for Google Workspace, reflections on GitHub's bug bounty program, Google's JSON schema for vulnerability data, tool to apply changes across many GitHub repos simultaneously

  • Web Security: Repo of media exploit files, file upload testing methodology by community members and OWASP

  • Cloud Security: Back up your GitHub account to S3, auto-tagging your infrastructure with code, eliminating subdomain takeovers

  • Container Security: Find unused Kubernetes resources, easily sharing your dev environment with Docker

  • Blue Team: Awesome GRC, open source no-code SOAR platform

  • Politics / Privacy: Governments using apps to get people to collect OSINT, when to pay ransomware

  • Tech Company News: Google's execs see cracks in their success, inside look at Airbnb's 'black box' safety team

  • Misc: Find useful repo forks, saving enough money to buy a house with your parent's money, GitHub's AI pair programmer

AppSec

Announcing the Google Workspace Provider for HashiCorp Terraform Tech Preview
A new Terraform provider allows you to manage users, groups, and domains in your Google Workspace (formerly G Suite).

Seven years of the GitHub Security Bug Bounty program 
GitHub’s Greg Ose shares their favorite bug and a number of 2020 highlights. Emphasis in the quote below is mine.

Internally at GitHub we have helper methods, safe_url_for and safe_redirect_to, to prevent these types of vulnerabilities by filtering out untrusted redirect locations, protocols and other risky arguments. To mitigate the open redirect vulnerability, we refactored the vulnerable code to use these safe variants and prevent the user-control of certain arguments to url_for.

Additionally, we added a check to our continuous static analysis tooling to detect when url_for is added to new code with user-controlled arguments.

By putting these safeguards in place to capture this type of vulnerability, we moved towards eliminating this class of vulnerabilities as a whole across our codebase.

Announcing a unified vulnerability schema for open source
Google’s Oliver Chang and Russ Cox announce a unified JSON schema for vulnerability data, and a web UI for searching the aggregated results: https://osv.dev/list. Access vulnerability data with a single curl, no sign-ups/API keys needed.

Naively, SCA seems to be largely a data problem, so I wonder if Google (or someone else) will build a Snyk competitor on top of all of these useful data sources and primitives 🤔 

Skyscanner/turbolift
A simple tool to help apply changes across many GitHub repositories simultaneously (forking, cloning, committing, and raising PRs en-masse), so that you can focus on the substance of the change). Some tips:

• If you need to make a change to a large number of repositories, we’ve found that it’s generally better to raise PRs to a small subset at first and collect feedback.

• For complicated or potentially contentious changes, think about ways to validate them before raising PRs. This could range from working in a pair, through writing a peer-reviewed script, all the way to preparing a design document for the planned changes.

• Raising draft PRs can be a good way to collect feedback, especially CI test results, with less pressure on reviewers.

Web Security

barrracud4/image-upload-exploits
By @barracud4_: A repository of various media files for known attacks on web applications processing media files (DoS attacks, GhostScript, MemoryLeaks, etc.). Useful for penetration tests and bug bounty.

HackTricks: File Upload
By @carlospolop, @HolyBugx et al. Covers bypassing file extension checks, content-type checks, polyglot files, and more.

OWASP Cheat Sheet Series: File Upload and Unrestricted File Upload
Additional offense-oriented and protection bypass tips, as well as defensive recommendations. H/T Soroush Dalili for the links.

Cloud Security

Automated Github Backups with ECS and S3
How Marco Lancini automatically backs up his GitHub account, like private repos, using ECS (Fargate) and S3 Glacier. Detailed write-up + code release.

Using Yor for ownership mapping using YAML tag groups
By Bridgecrew’s Naor David: “Yor is an open source tool that supports auto-tagging of infrastructure from code to cloud by adding metadata such as repository, commit and path, and the last modifier of the code based on git log data. You can expand those out-of-the-box tags into additional common tags such as Operation team, cost center, and environment.”

How we prevented subdomain takeovers and saved $000s
OVO’s Paul Schwarzenberger describes Domain Protect, a new open source tool they’ve released that leverages AWS Lambdas and SNS to proactively, continuously scan for subdomain takeover vulnerabilities.

And note their thought process behind it, which I strongly agree with: they started a private bug bounty program -> over half of the identified issues were subdomain takeovers -> build tooling to address this entire vulnerability class.

Container Security

yogeshkk/K8sPurger
Find all unused resources in Kubernetes, by Yogesh Kunjir. Secrets, ConfigMaps, Services, ServiceAccounts, Ingress, etc.

With Dev Environments developers can now easily set up repeatable and reproducible development environments by keeping the environment details versioned in their SCM along with their code. Once a developer is working in a Development Environment, they can share their work-in-progress code and dependencies in one click via the Docker Hub.

Blue Team

Arudjreis/awesome-security-GRC
A curated list of resources for security Governance, Risk Management, Compliance and Audit professionals, by Ayoub Fandi, including a nice overview, relevant frameworks and regulations, books, talks/videos, podcasts, and more.

z1pti3/jimi
Jimi is an automation first no-code platform designed and developed originally for Security Orchestration and Response. Over 50 open source integrations that include alerting and monitoring, asset management, software packaging and deployment, security playbooks, SIEM and XDR.

Politics / Privacy

App Taps Unwitting Users Abroad to Gather Open-Source Intelligence
Typical assignments involve snapping photos, filling out surveys or doing other basic data collection or observational reporting such as counting ATMs or reporting on the price of consumer goods like food.

Premise is one of a growing number of companies that straddle the divide between consumer services and government surveillance and rely on the proliferation of mobile phones as a way to turn billions of devices into sensors that gather open-source information useful to government security services around the world.

Negotiating Ransoms: When to Play and When to Fold
Kim Zetter interviews Bill Siegel, CEO and co-founder of Coveware, a company that negotiates ransomware payments for victims.

  • It boils down to: what is the financial impact to the business that could be averted by hastening the recovery? (e.g. “This is costing us X per day in lost business, and paying will shave a week off of recovery time.”)

  • Often it takes several days to determine the quality of your backups, so you proceed in the negotiation, then before paying you’ve determined if you need to.

  • Having proper backups isn’t sufficient. Say you have 50 PB of data in a facility 30 miles away. You start restoring from backup and realize it’s going to take 70 years.

  • Rebuild an entirely new network, don’t use the ransomed systems again. Re-image all servers, re-install all applications, and load data from backups onto these green-network machines.

Tech Company News

A restive class of Google executives worry that the company is showing cracks. They say Google’s work force is increasingly outspoken. Personnel problems are spilling into the public. Decisive leadership and big ideas have given way to risk aversion and incrementalism.

Inside Airbnb’s ‘Black Box’ Safety Team: Company Spends Millions on Payouts
An inside glimpse into all of the bad things that can happen when you’re building a platform that relies on trusting strangers at scale, and what Airbnb has done to keep a positive reputation.

Interestingly, over time Airbnb has hired various ex-CIA / ex-military people to lead their crisis management teams, including Nick Shapiro, the former deputy chief of staff at the Central Intelligence Agency and National Security Council adviser in the Obama White House. Trigger warning, the article references some bad stuff.

The way Airbnb has handled crimes such as the New York attack, which occurred during a bitter regulatory fight, shows how critical the safety team has been to the company’s growth. Airbnb’s business model rests on the idea that strangers can trust one another. If that premise is undermined, it can mean fewer users and more lawsuits, not to mention tighter regulation.

Misc

Useful Forks
Type in a repo’s name and get a list of useful forks; that is, forks that have additional activity beyond the original fork, sorted by number of stars.

How I Saved Enough to Buy a House With My Parents’ Money
Tongue-in-cheek article by McSweeney’s.

🔥 Introducing GitHub Copilot: your AI pair programmer
GitHub Copilot (landing page) will recommend whole lines or entire functions inside VS Code, using OpenAI Codex, a new AI system created by OpenAI. The current technical preview works for Python, JavaScript, TypeScript, Ruby and Go. Very cool work. It’s neat to see what you can do with massive AI resources (OpenAI), compute (Azure), and data (GitHub repos).

Mind the telemetry terms though, which seem to say basically that they’ll see all the snippets you generate or approve, and potentially any file in any VS Code workspace you have open.

Also, @eevee raises an interesting point regarding copyright:

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint