• tl;dr sec
  • Posts
  • [tl;dr sec] #95 - Preventing SSRF in AWS, Testing AuthN Flows, Hardening Your Supply Chain

[tl;dr sec] #95 - Preventing SSRF in AWS, Testing AuthN Flows, Hardening Your Supply Chain

Tool to enforce IMDSv2, test authentication flows by modeling them as a finite state machine, detecting malicious dependencies and solving dependency confusion.

Hey there,

I hope you’ve been doing well!

InfoSec 😍 Musicals

It’s not often I get to do this, so I’m going to savor it.

If you’ve been reading tl;dr sec long, you know that I’m one of the (at least!) five people in security who also love musicals.

Do I have tattoos of my favorite lyrics? Not yet, my mom doesn’t approve of tattoos, and she reads this newsletter. One day.

But I loved Tricia’s parody of Dr. Horrible’s “On the Rise” duet, juxtaposing someone starting in security and then a year later.

See also tl;dr sec 86 for Rachel Tobac’s infosec sea shanty.

If you know of any other security + musical or song content, please let me know!

Exeunt stage right, jazz hands a-flourishin’


📢 Integrating Faraday into the software development process.

Usually, software companies see security as an afterthought, which can be generally added when the product is completely operative. What if you could automate your security process. And be able to reach Time-To-Market securely instead of fixing live? No matter which technology you use.

Well, we are going to explain with simple steps how to integrate our Faraday Platform in your software development process. Whether you use Github, Jenkins, Travis or Gitlab.

Plus be the first one to experience our newest version releasing in a few days.

📜 In this newsletter...

  • AppSec: Awesome OPA

  • Web Security: sqlmap but for server-side template injection and code injection, testing authentication flows

  • Cloud Security: Prevent SSRF in AWS via enforcing IMDSv2, how to secure an inherited AWS account, S3 backups and other strategies to survive ransomware attacks

  • Container Security: Kubernetes hardening advice from NSA and CISA

  • Blue Team: Account takeover checklist

  • Red Team: TLS traffic inspection via dynamic instrumentation, what you can do with a stolen full disk encrypted laptop, tunneling/pivoting tool that uses TUN, statically linked SSH server with a reverse connection feature

  • COVID-19: Tool to search for the latest info by geo, more info on the Delta variant

  • Crypto: Study of vulnerabilities in cryptographic libraries

  • Supply Chain: Find malicious dependencies with Falco, how Twilio addressed dependency confusion

  • Machine Learning: Microsoft competition to test evasion of AI-based malware and phishing detectors, Twitter's algorithmic bias bounty

  • Misc: Dubai is using laser-beam-shooting drones to shock rain out of the sky


A curated list of awesome Open Policy Agent (OPA) related tools, frameworks and articles by Anders Eknert et al.

Web Security

By Emilio Pinna: Like sqlmap but for Server-Side Template Injection and Code Injection. Tplmap supports over 15 template engines and contains a number of sandbox escape techniques to get access to the underlying operating system.

A framework designed to test authentication for web applications by DigeeX. While web proxies like ZAProxy and Burpsuite allow authenticated tests, they don’t provide features to test the authentication process itself, i.e. manipulating the relevant input fields to identify broken authentication.

Raider treats authentication as a finite state machine. Each authentication step is a different state, with its own inputs and outputs, which can be cookies, headers, CSRF tokens, or other pieces of information. The testing can be arbitrarily flexible, using a Lisp like configuration language.

Cloud Security

By Salesforce’s Ashish Patel and Kinnaird McQuade: Prevent SSRF attacks on AWS EC2 via automated upgrades to the more secure Instance Metadata Service v2 (IMDSv2).

So You Inherited an AWS Account. A 30-day security guide for engineers…
A guide to help you filter through the mess, isolate the changes you need to make, and start to tame your environment by Matt Fuller. He proposes: get stable access, stop using the root user, update billing info, enable CloudTrail logging and monitoring, clean up IAM entities, locate exposed services, lock down your domains, find expiring certificates, untangle the web of services, and monitor and migrate.

S3 backups and other strategies for ensuring data durability through ransomware attacks
By Scott Piper: “This post will discuss options for ensuring the durability of data stored on S3, through protections in place and backup strategies. The AWS backup service on AWS unfortunately does not backup S3 buckets and a lot of discussions of backups and data durability on AWS do not describe the implementation in sufficient detail, which allows a number of potential dangers. This post will show you the two best options (s3 object locks and replication policies), explains how to use these, and what to watch out for.”

Container Security

Kubernetes Hardening Guidance
By the NSA and CISA. Discusses Pod security, network separation and hardening, authentication and authorization, log auditing, and more.

Blue Team

A checklist of practices for organizations dealing with account takeover (ATO), by Ryan McGeehan (@Magoo).

Red Team

Introducing hallucinate: One-stop TLS traffic inspection and manipulation using dynamic instrumentation
SySS’s Moritz Bechler describes hallucinate, a new tool that lets you easily intercept and modify clear-text TLS network traffic by instrumenting the target process (uses Frida or a custom agent for Java). Rather than having to deal with TLS at the network layer, hallucinate uses dynamic instrumentation to perform the traffic inspection or manipulation before data is encrypted and after it is decrypted.

From Stolen Laptop to Inside the Company Network
Dolos Group describes what they were able do with only a Lenovo laptop preconfigured with the standard security stack for a client organization, no additional info. In summary, they took a locked down FDE laptop, sniffed the BitLocker decryption key coming out of the TPM, backdoored a virtualized image, and used its VPN auto-connect feature to attack the internal corporate network.

By TNP IT Security: “An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface. Instead of using a SOCKS proxy or TCP/UDP forwarders, Ligolo-ng creates a userland network stack using Gvisor. This allows running tools like nmap without the use of proxychains (simpler and faster).”

A statically-linked SSH server with a reverse connection feature for simple yet powerful remote access. Useful during pen tests, CTFs, or similar.


Let’s beat this thing together! 💪

Covid Act Now
Pull up a ton of stats on any city, county, state, or zip, and see the risk level, infection rate, vaccination rate, and a number of other interesting info.

C.D.C. Internal Report Calls Delta Variant as Contagious as Chickenpox
Current evidence suggests that vaccinated people who catch the Delta variant (“breakthrough infections”) are much less likely to get seriously ill, but can still spread it about as readily as the unvaccinated.

There are roughly 35,000 symptomatic infections per week among 162 million vaccinated Americans, according to data collected by the C.D.C. as of July 24.


You Really Shouldn’t Roll Your Own Crypto: An Empirical Study of Vulnerabilities in Cryptographic Libraries
Interesting to see that the data backs up common wisdom: non memory safe languages should be replaced, and complexity can negatively impact security.

In this work, we conduct the first comprehensive analysis of cryptographic libraries and the vulnerabilities affecting them. We collect data from the National Vulnerability Database, individual project repositories and mailing lists, and other relevant sources for eight widely used cryptographic libraries.

Among our most interesting findings is that only 27.2% of vulnerabilities in cryptographic libraries are cryptographic issues while 37.2% of vulnerabilities are memory safety issues, indicating that systems-level bugs are a greater security concern than the actual cryptographic procedures. In our investigation of the causes of these vulnerabilities, we find evidence of a strong correlation between the complexity of these libraries and their (in)security, empirically demonstrating the potential risks of bloated cryptographic codebases.

Supply Chain

Meet Package Hunter: A tool for detecting malicious code in your dependencies
GitLab’s Dennis Appelt describes their newly released Package Hunter tool, which analyze a program’s dependencies for malicious code and other unexpected behavior by installing the dependencies in a sandbox environment and monitoring system calls executed during the installation using Falco. Currently supports testing NodeJS modules and Ruby Gems.

  • Introduced & enforced naming conventions for all internal packages published and consumed in Twilio

  • Blocked proxying of external packages that collide in the specified naming convention

  • Mandated all package installs come through internal package manager proxies

  • Restrict deployed hosts from accessing the registry

  • Delete all old packages that did not follow the introduced naming conventions

Machine Learning

Attack AI systems in Machine Learning Evasion Competition
Microsoft and partners are launching MLSEC.IO, an educational Machine Learning Security Evasion Competition (MLSEC) for the AI and security communities to exercise their muscle to attack critical AI systems in a realistic setting. The competition rewards participants who efficiently evade AI-based malware detectors and AI-based phishing detectors.


Dubai Is Using Laser-Beam-Shooting Drones to Shock Rain Out of the Sky
Sometimes I see an article and think, “The future is now.” Maybe this could helpful California with its now annual fire season.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!