Copy
tl;dr sec is a newsletter about AppSec and scaling security, automated bug finding, conference talk and paper summaries, and useful links from around the web. You can subscribe here and see past issues here.
(You can also read this issue on our blog here)
 

Hey there,

I hope you’ve been well!


Amurrica

Last week was the 4th of July in the U.S., which if you’re not familiar, is when America becomes even more American for a few days: BBQs and eating red meat, flags, fireworks / blowing things up, and more.

This is bare minimum level participation:


Fun fact: this is also Step 4 in the green card process.


This year I caught up with some friends and former colleagues, and it was wonderful.

I also remembered some things from my childhood that would absolutely not fly in California, where fireworks and gender reveal parties lead to wildfires and millions of dollars of damages.

One 4th of July my family visited one of my dad’s best friends from college. The friend had a laissez-faire attitude to lawn care (most of his front yard was ~3 feet tall wild grass).

That night I was waving around a sparkler, when I looked up, and saw a mini burst of light sail through the air and land in the yard.

“Don’t worry about cleaning up, feel free to throw your sparkler when it’s almost done.”

For the rest of the night, we proceeded to throw lit sparklers and shoot roman candles over and into the tall grass.

It. was. glorious. 🇺🇸 🎆

Sponsor


📢 Scan with Vectrix: G Suite, GitHub, Slack, Zoom...

NEW: On-demand security scans for Slack, now available on Vectrix.io.

Easily scan and monitor Google Workspace, GitHub, Slack, Zoom, and more for configuration issues leaving you at risk. Simply choose your scans, connect your tools, and click ‘run scan’ to receive an instant overview of your active security issues.

Get started for free, no credit card required!

Run an on-demand scan
📜 In this newsletter...
  • Web Security: A ffuf playground, use print() instead of alert() for XSS PoCs, extended Burp App Store, tool to find DOM XSS
  • Cloud Security: AWS SSO serverless phishing API, sign/verify CloudFormation templates, overview of data transfer costs in AWS, repo of useful Service Control Policies, set of AWS security reference architectures
  • Blue Team: CISA's ransomware self-assessment tool, NCSC's device security config packs, tool to scan for systems vulnerable to PrintNightmare
  • Search engines: Easily search RFCs or Linux kernel commits
  • Politics / Privacy: Oblivious RAM implementation, think piece on biohackers and mRNA, NSO Group study
  • Misc: Open remote repos in VS Code without cloning them, unauth XXE in air conditioners, because we can
  • r2c: Series B, GitLab Partnership: Some exciting updates about r2c and Semgrep

Web Security

ffuf.me
By Adam Langley: A live playground to practice and improve your usage of ffuf, a popular web fuzzer written in Go. Exercises include content discovery, param mining, handling rate limiting, and more. (source)
 

alert() is dead, long live print()
Portswigger’s James Kettle and Gareth Heyes describe that alert()-based XSS PoCs in cross-domain iframes will no longer work in new versions of Chrome, and recommend using print() instead.
 

Extended Burp App Store
Search for Burp extensions by text, tags, whether they’re available for community or Pro users, if the extension is open source, and more, by @BurpSuite.guide.
 

Introducing DOM Invader: DOM XSS just got a whole lot easier to find
Portswigger’s Gareth Heyes describes DOM Invader, a new tool for Burp that’s implemented as an extension to the embedded browser, enabling you to easy track a site’s sources (any JavaScript object that allows user-controlled input) and sinks (any function or setter that allows JavaScript/HTML execution). You supply a unique string and then DOM Invader tracks how it’s used. DOM Invader also enables easy manipulation of web messages and spoofing their origin.

The core approach appears to be the same as Tracy, a standalone browser extension for finding XSS by my friends Jake Heath and Michael Roberts, which was released in 2018, and I called out in tl;dr sec 62.


Cloud Security

sebastian-mora/awsssome_phish
By Sebastian Mora: A serverless implementation of the AWS credential phishing via AWS SSO attack described by by Christophe Tafani-Dereeper.
 

avishayil/cf-signer
A tool for signing and verifying the integrity of CloudFormation templates, by CyberArk’s Avishay Bar.
 

Overview of Data Transfer Costs for Common Architectures
AWS’ Birender PalSebastian Gorczynski, and Dennis Schmidt provide a nice overview of the costs of transferring data within AWS, between your workload and other AWS services, and other common setups.
 

AWS Service Control Policy (SCP) Repository
A repository of AWS Service Control Policy templates and examples that can be deployed using CloudFormation custom resource or AWS CLI scripts, by @asecure.cloud.

Some great examples like: preventing users from disabling or altering the configuration of CloudTrail, AWS Config, and CloudWatch, preventing any VPC that doesn’t already have Internet access from getting it, and more.
 

AWS Security Reference Architecture: A guide to designing with AWS security services
“A comprehensive set of examples, guides, and design considerations that you can use to deploy the full complement of AWS security services in a multi-account environment that you manage through AWS Organizations.” Repo demonstrating how to implement the AWS Security Reference Architecture using AWS Control Tower, AWS Landing Zone, and CloudFormation.

“Here’s the core architecture diagram from the guide: the AWS SRA in its simplest form.” Simplest form huh? Looks. AWS complexity checks out 🤣

 

Blue Team

CISA releases ransomware self-assessment security audit tool
CISA has released the Ransomware Readiness Assessment (RRA), a new module for its Cyber Security Evaluation Tool (CSET). RRA is a security audit self-assessment tool for organizations that want to understand better how well they are equipped to defend against and recover from ransomware attacks targeting their information technology (IT), operational technology (OT), or industrial control system (ICS) assets.
 

Device Security Guidance Configuration Packs
By the UK’s NCSC (part of GCHQ): This repos contains policy packs that can be used by system management software to configure device platforms (such as Windows 10 and iOS) in accordance with the NCSC’s recommended settings for the deployment of new devices across your enterprise estate. These configurations are aimed primarily at government and other medium/large organisations. See also the NCSC’s Small Business Guide.
 

byt3bl33d3r/ItWasAllADream
By Marcello Salvati: Scan entire subnets for the PrintNightmare (CVE-2021-34527) RCE (not the LPE) and generate a CSV report with the results. Tests exploitability over MS-PAR and MS-RPRN.


Search Engines

rfc.fyi
Easily and quickly search RFCs by title, keyword, collection (e.g. TLS), stream (e.g. IETF), working group, and more.
 

Search 1 Million Linux Kernel Commit Messages
Search by keywords, filter by year, author / committer name and email domain, number of files changed, insertions and deletions, or more.


Politics / Privacy

Oramfs: Resizable ORAM, Remote Storage Agnostic, Written in Rust
Kudelski Security’s Nils Amiet describes their newly released Oblivious RAM implementation, which prevents an attacker from knowing whether read or write operations are performed and which parts of the filesystem are accessed. “With oramfs users can enjoy total privacy while storing their files on untrusted local or remote storage, such as a public cloud. Our solution is resizable, so there is no need to re-initialize a larger ORAM when space becomes a problem.”
 

What if biohackers injected themselves with mRNA?
Very interesting think piece: “Members of the Witnesses of Bioinformatic Freedom, a biohacking-rights group, demand the right to alter their own biology. An imagined scenario from 2029.”
 

Digital Violence: How the NSO Group Enables State Terror
Some impressive data collection and neat visualizations. About page with an overview of the project.

Forensic Architecture undertook 15 months of extensive open-source research, interviews assisted by Laura Poitras, and developed bespoke software to present this data as an interactive 3D platform, along with video investigations narrated by Edward Snowden to tell the stories of the individuals targeted and the web of corporate affiliations within which NSO is nested.


Misc

VS Code Extension: Remote Repositories
Microsoft’s Brigit Murtaugh and Eric Amodio describe a new VS Code extension that allows you to quickly browse, search, edit, and commit to any remote GitHub repository (and soon, Azure Repos) directly from within VS Code, no clone necessary.
 

CVE-2021-20595: Unauthenticated XXE in Multiple Mitsubishi Electric Air Conditioner Control Systems
Generally I don’t include bug write-ups in tl;dr sec unless I think there’s useful methodology or other valuable takeaways in it. That’s not the case here, but I just never thought I’d see “unauthenticated XXE” in an air conditioner. Damnit world. This is why we can’t have nice things.
 

r2c: Series B, GitLab Partnership

We just announced (TechCrunch) a bunch of exciting things (follow #r2cSeriesB on TikTok for choreographed dances and rapid fire raps spitting security truths). Here’s the tl;dr:

GitLab
As of 14.0, GitLab’s SAST offering has replaced their prior Python, TypeScript, and JavaScript scanning with Semgrep, and plan to migrate most of their SAST tools to Semgrep over time. We wrote some blog posts comparing Semgrep vs Bandit and vs ESLint.

Supposedly GitLab is at least ~30% of the code hosting market, which means, for 30% of projects, if you opt into your platform’s built-in code scanning, you are now running Semgrep. If you want the full Semgrep experience on GitLab, see here.

Traction
Most companies who reach out to us are already using Semgrep internally, including many of the big ones I admire.

Semgrep is also being used on projects by various consultants at top tier consulting firms, including NCC Group, Bishop Fox, Latacora, Doyensec, and Include Security. Trail of Bits also blogged about Discovering goroutine leaks with Semgrep and open sourced their rules.

Contributors
Adding a new language to Semgrep requires some familiarity with parsing and compilers, as well as writing OCaml, a language only its mother (and us) could love.

Still, we’ve had community members push forward support for C#, Rust, and Lua, and Slack has even hired interns to contribute Hacklang support. Whoa!

Spreading the Love
Figma’s Dev Akhawe, EA’s Parsia Hakimian, and many others have been writing about Semgrep, and this BlackHat USA 2021 training by Abhay Bhargav includes a Semgrep deep-dive.

All in all, not too shabby, considering r2c only decided to double down on Semgrep about 1.5 years ago.

I’m excited for what the next 1.5 years will bring 😎



Thanks for reading!

Cheers,
Clint

@clintgibler

 

Forwarded this email? Sign up here 🚀
Copyright © 2021 Practical Program Analysis, LLC, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.