A Chrome extension by @filedescriptor that abuses Trusted Types to find DOM XSS by logging the stack trace of all sink calls and their changes to the DOM. If this sounds interesting, I highly recommend also checking out Tracy, a browser extension for web app pen testing by my friends Jake Heath and Michael Roberts, which to my knowledge is the best tool to trace user input in and out of web apps.
Exploiting dynamic rendering engines to take control of web apps
Dynamic rendering is a technique some web apps use to serve prerendered web site pages to crawlers (better SEO). r2c’s Vasilii Ermilov describes techniques to exploit common dynamic rendering tools (exfiltrating cloud metadata a la SSRF), how to fingerprint when sites are using dynamic rendering, and more. One of the attack chains described involves a series of nested requests that honestly hurts my brain, but is cool to read.
DeepMind’s protein-folding AI has solved a 50-year-old grand challenge of biology
AlphaFold can predict the shape of proteins to within the width of an atom, which will help scientists design drugs and understand disease. “AlQuraishi thought it would take researchers 10 years to get from AlphaFold’s 2018 results to this year’s. This is close to the physical limit for how accurate you can get, he says.” More from DeepMind’s blog.
Top 5 AI Achievements of 2020
M Umer Mirza describes 5 topics/areas: 1) GPT-3, 2) AI-enabled healthcare and drug discovery, 3) graphics, animation, image and video processing, 4) motion and gestures, and 5) NVIDIA AI’s processing power.
GPT-3 vs. Existing Conversational AI Solutions
An overview of GPT-3, things it can do well (e.g. knowledge retrieval), limitations (inferred knowledge, knowing when it doesn’t know something), examples on why explainability is important in ML, and some pricing info.
A/B Test your Hacker News titles with AI before publishing
Enter two potential titles and it’ll recommend one. By Kimmo Ihanus.
“A simple and minimal Docker container for penetration testers and CTF players. It has the portability of Docker with the addition of X, so you can also run GUI applications (like Burp).” Currently includes: Burp Suite,
Ease monitoring, governance, and security by querying your cloud configuration and metadata with SQL.
By NCC Group’s Xavier Garceau-Aranda: Whitebox evaluation of effective S3 object permissions to identify publicly accessible objects as well as objects accessible for AuthenticatedUsers (by using a secondary profile).
Chris Farris describes 29 of the 279 pre:invent announcements he found interesting, covering AWS Organizations, new security tools, serverless, ElasticSearch, and DynamoDB. Also featuring an excellent banner image 🤣
I’m out of new travel photos, so here is a scene from the back of the Sands Expo in the alternate universe where re:Invent was in-person.
IAMFinder: Open Source Tool to Identify Information Leaked from AWS IAM Reconnaissance
By Jay Chen of Palo Alto Networks:
In a recent blog, “Information Leakage in AWS Resource-Based Policy APIs,” Unit 42 researchers disclosed a class of AWS APIs that can be abused to find existing users and IAM roles in arbitrary accounts. The root cause of the issue is that the AWS backend validates all resource-based policies and raises alerts if a specified principal does not exist. One can abuse this feature to check whether a user or role exists in a targeted account.
Based on these findings, Unit 42 developed IAMFinder, an open source tool that currently implements APIs of four AWS services: S3, KMS, SQS, and IAM. With only the AWS account number of the targeted account, IAMFinder is able to identify users and roles in that environment.
Setting up personal G Suite backups on AWS
Scott Piper describes how he automates the backup of his Gmail and Google Drive to AWS. Tools referenced:
- GAM: a CLI tool for Google Workspace (fka G Suite) Administrators to manage domain and user settings quickly and easily
- got-your-back: a CLI tool for backing up your Gmail messages to your local computer, using Gmail’s API over HTTPS.
- Rclone: a CLI program to manage files on cloud storage.
Scan Helm charts for Kubernetes misconfigurations with Checkov
Post by Bridgecrew’s Matt Johnson. Checkov uses helm template to output the resulting Kubernetes manifests and scans those for insecure patterns (e.g. the CIS Kubernetes Benchmarks).
Politics / Privacy
Welcome to the new Middle Ages
This article argues that the recent rise in economic inequality, decline in social mobility, identity-based culture wars in politics, and more are not necessarily current bad trends, but rather, are historical norms.
Today the richest 40 Americans have more wealth than the poorest 185 million Americans. The leading 100 landowners now own 40 million acres of American land, an area the size of New England.
Politics has returned to its pre-modern role of religion. The Internet has often been compared to the printing press, and when printing was introduced it didn’t lead to a world of contemplative philosophy; books of high-minded inquiry were vastly outsold by tracts about evil witches and heretics.
… the post-printing early modern period was the golden age of religious hatred and torture; the major witch hunts occurred in an age of rising literacy, because what people wanted to read about was a lot of the time complete garbage.
Tool by Utku Şen that enables searching URLs that are exposed via shortener services such as goo.gl. Uses data from URLTeam, who continuously bruteforce URL shortener services and publish their results. If you pay close attention, you might get a slight feel for how URLTeam feels about shorteners.
Misusing OSINT to claim election fraud
Imagine waking up one day and finding a security tool you built being horribly misused in court 😅 This is basically what happened to OSINT tool Spiderfoot’s author Steve Micallef. In short, someone scanned Dominion Voting’s domain name and used the results to support claims that the voting systems were accessible over the Internet and being controlled by foreign countries like Iran and China. Steve’s post nicely discusses how to cautiously and accurately use OSINT info and debunks a number of the case claims. In short:
Use the following git configuration to remap all GitHub HTTP(S) URLs to SSH. H/T Bence Nagy.

    # The url.<base>.insteadOf section header is required; git@github.com: is GitHub's SSH clone prefix.
    [url "git@github.com:"]
        insteadOf = http://github.com/
        insteadOf = https://github.com/
Protect domains that don’t send email
The UK government on how to make sure that domains that do not send email cannot be used for spoofing using SPF, DMARC, and DKIM.
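As an added example (not from the UK government guidance itself), the check below verifies, over constructed DNS TXT records for a hypothetical domain, that a domain which sends no email publishes the lock-down records the guidance calls for: an SPF record of exactly “v=spf1 -all”, an empty wildcard DKIM key, and a DMARC policy of reject for the domain and its subdomains. The domain name and record values are sample data; no DNS lookups are made.

```python
# Constructed DNS TXT records for a hypothetical non-sending domain (sample data).
# Keys are record names, values are the TXT strings published at that name.
PROTECTED = {
    "example.invalid": ["v=spf1 -all"],
    "*._domainkey.example.invalid": ["v=DKIM1; p="],
    "_dmarc.example.invalid": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"],
}
WEAK = {
    "example.invalid": ["v=spf1 ~all"],            # soft fail: spoofed mail is only flagged
    "_dmarc.example.invalid": ["v=DMARC1; p=none"],  # monitor only, nothing is rejected
}


def _tags(record):
    """Parse 'k=v; k2=v2' tag syntax (as used by DKIM and DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_non_sending_domain(domain, txt):
    """Return a list of findings; an empty list means the domain is locked down."""
    findings = []
    # SPF: a single record that authorizes no sender and hard-fails everything else.
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append("SPF: exactly one v=spf1 record required")
    elif spf[0].split() != ["v=spf1", "-all"]:
        findings.append(f"SPF: expected 'v=spf1 -all', got {spf[0]!r}")
    # DKIM: a wildcard selector with an empty public key, so no selector can validate.
    dkim = txt.get(f"*._domainkey.{domain}", [])
    if not any(_tags(r).get("v") == "DKIM1" and _tags(r).get("p") == "" for r in dkim):
        findings.append("DKIM: wildcard selector should publish an empty key (p=)")
    # DMARC: reject for the domain and, via sp= (defaults to p=), for its subdomains.
    dmarc = txt.get(f"_dmarc.{domain}", [])
    tags = _tags(dmarc[0]) if dmarc else {}
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: no _dmarc record")
    else:
        if tags.get("p") != "reject":
            findings.append(f"DMARC: policy should be p=reject, got {tags.get('p')!r}")
        if tags.get("sp", tags.get("p")) != "reject":
            findings.append("DMARC: subdomain policy should be sp=reject")
    return findings


if __name__ == "__main__":
    for name, records in (("protected", PROTECTED), ("weak", WEAK)):
        print(name, check_non_sending_domain("example.invalid", records) or "OK")
```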
Introducing Amazon Curate (I Wish)
One of the main reasons I started tl;dr sec is that I kept coming across really great work that not enough people had heard of. So I thought this faux AWS product by Daniel Miessler would be pretty awesome, and help address the challenge of surfacing great work done by (currently) relatively unknown creators.
Thanks for reading!