
[tl;dr sec] #97 - Attacking HTTP/2, Securing GitHub Projects, Hacking G Suite

tl;dr sec is a newsletter about AppSec and scaling security, automated bug finding, conference talk and paper summaries, and useful links from around the web. You can subscribe here and see past issues here.

(You can also read this issue on our blog.)

Hey there,

I hope you’ve been doing well!

  Virtual Museums 

One thing I’ve been missing the past year or so is museums.

The good ones inspire, and answer, as well as bring up, so many questions. Like:

  • History: What was it really like to live in a very different time and place?

  • Perspective: How did we get to where we are now, and what can we learn?

  • Justice: And why did my 4th grade painting get a B- when people are paying to see this piece that is objectively worse?

Of course, many well known museums allow virtual tours and have a ton of info online.

But I wanted to share some lesser known museums you might find interesting:

Museum of Bad Art
“The pieces in the MOBA collection range from the work of talented artists that have gone awry to works of exuberant, although crude, execution by artists barely in control of the brush. What they all have in common is a special quality that sets them apart in one way or another from the merely incompetent.”

The Museum of Broken Relationships
A global crowd-sourced project with permanent museum outputs in Zagreb and LA. People can share their stories or give items from past relationships. Great for date nights.

Sponsor

  📢 Evolving Risks, Insecure Defaults, Watering Hole Threats – Oh, My! 

Adoption of cloud native technologies is on the rise, changing the threat landscape faced by organizations. Accurics’ research identifies common trends, like Identity and Access Management moving into Infrastructure as Code, rapid adoption of CSP-managed services in dev and pre-prod, and insecure default configurations for many resource types.

📜 In this newsletter...

  • AppSec: A new Golang static analysis tool, why patching is hard, GitHub App to enforce GitHub repo best practices, ensuring postMessage origin validation

  • Web Security: Tool to generate Gopher SSRF payloads, enumerate your org's web attack surface, breaking HTTP/2

  • Cloud Security: Identify abandoned projects in GCP, serverless approach to measuring security controls in Azure, deploying AWS serverless apps in a least privilege way, free AWS Top 10 security training modules

  • Container Security: Intro to Kyverno, an open source policy engine for Kubernetes

  • Blue Team: Tool for non technical users to easily capture network traffic to detect stalkerware/spyware

  • Red Team: Red team notes, deep dive into hacking G Suite and using Apps Script

  • Hardware: Multi-tool for building, analyzing, and hacking USB devices

  • Politics / Privacy: Tool to find hash collisions in Apple's NeuralHash, Vice article with more context, things are bad in Afghanistan, MacKenzie Scott's charity efforts are causing splashes

  • Misc: A burned-out Bay Area home lists at a price that makes you sad inside, a looper + a talking cat yield bliss

AppSec

Introducing GoKart, a Smarter Go Security Scanner
Praetorian has released GoKart, a Golang static analyzer that aims to be more precise than tools like gosec by leveraging source-to-sink tracing and single static assignment (SSA).

Great thread by my bud Travis, which he’s given me permission to backup here for easy future reference. 

Introducing the Allstar GitHub App
The Open Source Security Foundation has released Allstar, a GitHub app that provides automated continuous enforcement of security best practices for GitHub projects. With Allstar, owners can check for security policy adherence, set desired enforcement actions, and continuously enact those enforcements when triggered by a setting or file change in the organization or project repository.

Current built-in policy checks include: branch protection best practices, a SECURITY.md file is present, enforcing users with admin privileges are members of the owning organization, and warning on binary artifacts. 

Ensuring postMessage Origin Validation with Semgrep
Shopify’s Bernardo de Araujo describes the process of writing a new Semgrep rule to ensure that the origin is checked by postMessage handlers. Nice walkthrough, includes using a new and advanced-ish feature, metavariable-pattern, and he submitted the rule to the public Registry for all to benefit from 🙌
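As an added example (not code from Shopify’s post or from the Semgrep rule it describes), here is the pattern such a rule hunts for: a postMessage handler that never looks at event.origin, beside one that compares it exactly against an allowlist. The origins and the applyAction stub are constructed for the demo.

```javascript
// Added example: unchecked vs. origin-checked postMessage handlers.
// Both take a message event-like object { origin, data } so they can be
// exercised outside a browser; the allowlist below is constructed for the demo.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Stand-in for the sensitive work a real handler would do with the message.
function applyAction(data) {
  if (!data || typeof data.action !== "string") return null;
  return { applied: data.action };
}

// Vulnerable: acts on whatever arrives, no matter which window sent it.
// This is the shape the Semgrep rule is meant to flag.
function handleMessageUnchecked(event) {
  return applyAction(event.data);
}

// Hardened: reject early unless event.origin is an exact allowlist match.
// Exact comparison (not startsWith/includes) also rejects lookalike origins
// such as https://app.example.com.attacker.test.
function handleMessageChecked(event) {
  if (typeof event.origin !== "string" || !ALLOWED_ORIGINS.has(event.origin)) {
    return null; // ignored: untrusted sender
  }
  return applyAction(event.data);
}

// Browser wiring, guarded so the file also runs under Node for the demo.
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => handleMessageChecked(e));
}
```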

  Web Security 

tarunkant/Gopherus
Tool by Tarunkant Gupta that generates Gopher payloads for exploiting SSRF and gaining RCE on various servers. Currently has payloads for MySQL, PostgreSQL, FastCGI, Memcached, Redis, Zabbix, and SMTP.

RossGeerlings/webstor
A script to quickly enumerate websites across your organization’s networks and query for known web technologies and versions, such as those with known vulnerabilities. Aims to address the problem mid to large sized organizations have with decentralized administration, where it can be almost impossible to track all of the web technologies deployed by various administrators distributed across different units and networks. Uses DNS zone transfers, masscan, Python requests, and Wappalyzer.

HTTP/2: The Sequel is Always Worse
Portswigger’s James Kettle is back with more epic research, presented at Black Hat and DEF CON.

I’ll introduce multiple new classes of HTTP/2-exclusive threats caused by both implementation flaws and RFC imperfections.

I’ll start by showing how these flaws enable HTTP/2-exclusive desync attacks, with case studies targeting high-profile websites powered by servers ranging from Amazon’s Application Load Balancer to WAFs, CDNs, and bespoke stacks by big tech. These achieve critical impact by hijacking clients, poisoning caches, and stealing credentials to net multiple max-bounties.

  Cloud Security 

Introducing Unattended Project Recommender: discover, reclaim, or deprecate abandoned projects under your organization
Google’s Dima Melnyk and Bakh Inamov share a new feature of Active Assist that uses machine learning to identify projects that are likely abandoned based on API and networking activity, billing, usage of cloud services, and other signals.

Azure/Cloud-Katana
By Microsoft’s Roberto Rodriguez: “This tool is an event-driven, serverless compute application built on the top of Azure Functions that expedites the research process and assessment of security controls.”

How to create IAM roles for deploying your AWS Serverless app
By Paul Swail: A detailed guide to creating least privilege IAM roles for serverless apps, with a focus on deploy-time actions, including handling deploying across multiple AWS accounts.

Kontra AWS Top 10
“Free interactive training modules that teach developers how to identify and mitigate security vulnerabilities in their AWS-hosted cloud applications.”

Container Security

Exploring Kyverno: Introduction
Think OPA is too complex? Chip Zoller describes Kyverno, “an open-source policy engine built specifically for Kubernetes to not only validate and ensure requests conform to your internal best practices and policies, but to modify those requests if needed and even create new objects based on a variety of conditions.”

Blue Team

KasperskyLab/TinyCheck
Tool by Kaspersky Labs that allows you to easily capture network communications from a smartphone or any device which can be associated with a Wi-Fi access point. It can be used to check if any suspect or malicious communication is outgoing from a smartphone, by using heuristics or specific Indicators of Compromise (IoCs), for example, to detect stalkerware or other spyware.

Red Team

The Red Team Vade Mecum
Short, actionable red team notes on privilege escalation, enumeration, execution, initial access, lateral movement, code injection, defense evasion, persistence, and more.

Hacking G Suite: The Power of Dark Apps Script Magic
DEF CON talk by Snapchat’s Matthew Bryant that covers phishing, persistence, lateral movement, accessing data, bypassing protective measures like U2F, OAuth app allowlisting, and locked-down enterprise Chromebooks, and more.
He also released PaperChaser, a Google Drive/Docs/Sheets/Slides enumeration spider.

Hardware

LUNA
A multi-tool for building, analyzing, and hacking USB devices, by Great Scott Gadgets. Supports performing MitM attacks on USB communications and other features for USB reverse engineering and security research.

Politics / Privacy

anishathalye/neural-hash-collider
A tool by MIT grad student Anish Athalye to find target hash collisions for Apple’s NeuralHash perceptual hash function. Released *checks watch* less than a month after Apple announced its CSAM detection system.

Apple Defends Its Anti-Child Abuse Imagery Tech After Claims of ‘Hash Collisions’
More context from Vice.

An Afghan woman in Kabul: ‘Now I have to burn everything I achieved’
Early on Sunday morning I was heading to university for a class when a group of women came running out from the women’s dormitory. I asked what had happened and one of them told me the police were evacuating them because the Taliban had arrived in Kabul, and they will beat women who do not have a burqa.

MacKenzie Scott’s Money Bombs Are Single Handedly Reshaping America
Interesting overview of the organizations that have received grants.
With almost $8.6 billion in gifts announced in just 12 months, Scott has vaulted to the tippy top of philanthropic giving, outspending the behemoth Gates and Ford Foundations’ annual grants — combined.

Misc

Burned-out Bay Area home lists for $850,000, and offers are rolling in
This week, on “prices in the Bay Area are stupid”, a burned-out family home in Walnut Creek is pending sale after multiple offers flooded in only 6 days after hitting the market. Eight offers came in, with more on the way, and a sale is expected “significantly over list price.”

The Kiffness X Alugalug Cat 2.0
Sometimes you just need to hear someone dropping beats on a “talking” cat.

Thanks for reading!

Cheers,

Clint