[tl;dr sec] #91 - DOM Invader, Ransomware self-assessment tool, AWS Security Reference Architecture

Hey there,

I hope you’ve been well!

Amurrica

Last week was the 4th of July in the U.S., which if you’re not familiar, is when America becomes even more American for a few days: BBQs and eating red meat, flags, fireworks / blowing things up, and more.

This is bare minimum level participation:

This year I caught up with some friends and former colleagues, and it was wonderful.

I also remembered some things from my childhood that would absolutely not fly in California, where fireworks and gender reveal parties lead to wildfires and millions of dollars of damages.

One 4th of July my family visited one of my dad’s best friends from college. The friend had a laissez-faire attitude to lawn care (most of his front yard was ~3 feet tall wild grass).

That night I was waving around a sparkler, when I looked up, and saw a mini burst of light sail through the air and land in the yard.

For the rest of the night, we proceeded to throw lit sparklers and shoot roman candles over and into the tall grass.

It. was. glorious. 🇺🇸 🎆

Web Security

ffuf.me
By Adam Langley: A live playground to practice and improve your usage of ffuf, a popular web fuzzer written in Go. Exercises include content discovery, param mining, handling rate limiting, and more. (source)

alert() is dead, long live print()
Portswigger’s James Kettle and Gareth Heyes describe that alert()-based XSS PoCs in cross-domain iframes will no longer work in new versions of Chrome, and recommend using print() instead.

Extended Burp App Store
Search for Burp extensions by text, tags, whether they’re available for community or Pro users, if the extension is open source, and more, by @BurpSuite.guide.

Introducing DOM Invader: DOM XSS just got a whole lot easier to find
Portswigger’s Gareth Heyes describes DOM Invader, a new tool for Burp that’s implemented as an extension to the embedded browser, enabling you to easy track a site’s sources (any JavaScript object that allows user-controlled input) and sinks (any function or setter that allows JavaScript/HTML execution). You supply a unique string and then DOM Invader tracks how it’s used. DOM Invader also enables easy manipulation of web messages and spoofing their origin.

The core approach appears to be the same as Tracy, a standalone browser extension for finding XSS by my friends Jake Heath and Michael Roberts, which was released in 2018, and I called out in tl;dr sec 62.

Cloud Security

sebastian-mora/awsssome_phish
By Sebastian Mora: A serverless implementation of the AWS credential phishing via AWS SSO attack described by by Christophe Tafani-Dereeper.

avishayil/cf-signer
A tool for signing and verifying the integrity of CloudFormation templates, by CyberArk’s Avishay Bar.

Overview of Data Transfer Costs for Common Architectures
AWS’ Birender Pal, Sebastian Gorczynski, and Dennis Schmidt provide a nice overview of the costs of transferring data within AWS, between your workload and other AWS services, and other common setups.

AWS Service Control Policy (SCP) Repository
A repository of AWS Service Control Policy templates and examples that can be deployed using CloudFormation custom resource or AWS CLI scripts, by @asecure.cloud.

Some great examples like: preventing users from disabling or altering the configuration of CloudTrail, AWS Config, and CloudWatch, preventing any VPC that doesn’t already have Internet access from getting it, and more.

AWS Security Reference Architecture: A guide to designing with AWS security services
“A comprehensive set of examples, guides, and design considerations that you can use to deploy the full complement of AWS security services in a multi-account environment that you manage through AWS Organizations.” Repo demonstrating how to implement the AWS Security Reference Architecture using AWS Control Tower, AWS Landing Zone, and CloudFormation.

“Here’s the core architecture diagram from the guide: the AWS SRA in its simplest form.” Simplest form huh? Looks. AWS complexity checks out 🤣

Blue Team

CISA releases ransomware self-assessment security audit tool
CISA has released the Ransomware Readiness Assessment (RRA), a new module for its Cyber Security Evaluation Tool (CSET). RRA is a security audit self-assessment tool for organizations that want to understand better how well they are equipped to defend against and recover from ransomware attacks targeting their information technology (IT), operational technology (OT), or industrial control system (ICS) assets.

Device Security Guidance Configuration Packs
By the UK’s NCSC (part of GCHQ): This repos contains policy packs that can be used by system management software to configure device platforms (such as Windows 10 and iOS) in accordance with the NCSC’s recommended settings for the deployment of new devices across your enterprise estate. These configurations are aimed primarily at government and other medium/large organisations. See also the NCSC’s Small Business Guide.

byt3bl33d3r/ItWasAllADream
By Marcello Salvati: Scan entire subnets for the PrintNightmare (CVE-2021-34527) RCE (not the LPE) and generate a CSV report with the results. Tests exploitability over MS-PAR and MS-RPRN.

Search Engines

rfc.fyi
Easily and quickly search RFCs by title, keyword, collection (e.g. TLS), stream (e.g. IETF), working group, and more.

Search 1 Million Linux Kernel Commit Messages
Search by keywords, filter by year, author / committer name and email domain, number of files changed, insertions and deletions, or more.

Politics / Privacy

Oramfs: Resizable ORAM, Remote Storage Agnostic, Written in Rust
Kudelski Security’s Nils Amiet describes their newly released Oblivious RAM implementation, which prevents an attacker from knowing whether read or write operations are performed and which parts of the filesystem are accessed. “With oramfs users can enjoy total privacy while storing their files on untrusted local or remote storage, such as a public cloud. Our solution is resizable, so there is no need to re-initialize a larger ORAM when space becomes a problem.”

What if biohackers injected themselves with mRNA?
Very interesting think piece: “Members of the Witnesses of Bioinformatic Freedom, a biohacking-rights group, demand the right to alter their own biology. An imagined scenario from 2029.”

Digital Violence: How the NSO Group Enables State Terror
Some impressive data collection and neat visualizations. About page with an overview of the project.

Misc

VS Code Extension: Remote Repositories
Microsoft’s Brigit Murtaugh and Eric Amodio describe a new VS Code extension that allows you to quickly browse, search, edit, and commit to any remote GitHub repository (and soon, Azure Repos) directly from within VS Code, no clone necessary.

CVE-2021-20595: Unauthenticated XXE in Multiple Mitsubishi Electric Air Conditioner Control Systems
Generally I don’t include bug write-ups in tl;dr sec unless I think there’s useful methodology or other valuable takeaways in it. That’s not the case here, but I just never thought I’d see “unauthenticated XXE” in an air conditioner. Damnit world. This is why we can’t have nice things.

r2c: Series B, GitLab Partnership

We just announced (TechCrunch) a bunch of exciting things (follow #r2cSeriesB on TikTok for choreographed dances and rapid fire raps spitting security truths). Here’s the tl;dr:

GitLab
As of 14.0, GitLab’s SAST offering has replaced their prior Python, TypeScript, and JavaScript scanning with Semgrep, and plan to migrate most of their SAST tools to Semgrep over time. We wrote some blog posts comparing Semgrep vs Bandit and vs ESLint.

Supposedly GitLab is at least ~30% of the code hosting market, which means, for 30% of projects, if you opt into your platform’s built-in code scanning, you are now running Semgrep. If you want the full Semgrep experience on GitLab, see here.

Traction
Most companies who reach out to us are already using Semgrep internally, including many of the big ones I admire.

Semgrep is also being used on projects by various consultants at top tier consulting firms, including NCC Group, Bishop Fox, Latacora, Doyensec, and Include Security. Trail of Bits also blogged about Discovering goroutine leaks with Semgrep and open sourced their rules.

Contributors
Adding a new language to Semgrep requires some familiarity with parsing and compilers, as well as writing OCaml, a language only its mother (and us) could love.

Still, we’ve had community members push forward support for C#, Rust, and Lua, and Slack has even hired interns to contribute Hacklang support. Whoa!

Spreading the Love
Figma’s Dev Akhawe, EA’s Parsia Hakimian, and many others have been writing about Semgrep, and this BlackHat USA 2021 training by Abhay Bhargav includes a Semgrep deep-dive.

All in all, not too shabby, considering r2c only decided to double down on Semgrep about 1.5 years ago.

I’m excited for what the next 1.5 years will bring 😎

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint