New tool to audit Python environments and dependency trees for known vulnerabilities, by Trail of Bits’ William Woodruff and colleagues. It uses the Python Packaging Advisory Database via the PyPI JSON API as a source of vulnerability reports.
A command line tool for detecting vulnerabilities in Python dependencies and doing safe package installs, by Andrew Scott. Uses its own vulnerability database, which draws on data from NIST NVD, the GitHub Advisory Database, vendor disclosures and blog posts, and most recently the PyPA Advisory DB.
Proxy Agent — a tool for mobile penetration testers!
GovTech Singapore’s Kang Hao describes Proxy Agent, a tool to ease the proxy connection setup between a rooted Android device and a computer running Burp Suite.
uBlock, I exfiltrate: exploiting ad blockers with CSS
uBlock Origin uses community-provided filter lists of CSS selectors to dictate which elements to block. Portswigger’s Gareth Heyes describes how he was able to bypass uBlock Origin’s selector restrictions, allowing a malicious CSS selector to extract data from scripts and attributes, and even steal passwords from Microsoft Edge.
He also walks through creating a keylogger in only CSS (code) 🤯
Microsoft and GitHub OAuth Implementation Vulnerabilities Lead to Redirection Attacks
Classic open redirection attacks include the redirection target in the URL itself. Proofpoint’s David Krispin and Nir Swartz describe how in some cases, if expected OAuth parameters are mangled or missing, the identity provider will try to helpfully send error responses to the application’s redirect URL so the app can handle them.
However, this can cause a user to be redirected to an attacker-controlled redirect URL after clicking a legitimate-looking URL belonging to a trusted party (e.g. Microsoft). This malicious redirect URL will not be present in the original link, and therefore passes most phishing and email security solutions.
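The defensive side of the issue described above is how an authorization server decides where an error response may go. The following is an added example, not code from Proofpoint's write-up or from any identity provider: a small authorization-request handler that only ever redirects an error to a redirect_uri that exactly matches what the client registered, and renders the error locally otherwise (the behaviour RFC 6749 §4.1.2.1 requires). The client ids, registered URIs and dictionary-shaped requests are constructed for illustration.

```python
"""Added example: OAuth error handling that cannot become an open redirect.

The client registry, request/response dict shapes and sample inputs are
constructed for this example and are not from the article.
"""
from urllib.parse import urlencode, urlsplit

# Constructed sample registry: the redirect URIs each client registered at onboarding.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def is_registered_redirect(client_id, redirect_uri):
    """Exact-string match against the client's registered URIs.

    No prefix, substring or wildcard matching (RFC 6749 §3.1.2.3 asks for a
    full comparison); anything looser is how an authorization server turns
    into an open redirector for its own error responses.
    """
    if not redirect_uri:
        return False
    parts = urlsplit(redirect_uri)
    # Refuse anything that is not an absolute https URL before comparing.
    if parts.scheme != "https" or not parts.netloc:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def handle_authorization_request(params):
    """Validate an authorization request and decide where any error goes.

    Returns a dict describing the server's next action:
      {"action": "render_error", ...}            -> show the error page to the user
      {"action": "redirect", "location": ...}    -> safe to send the user-agent on
      {"action": "continue", ...}                -> request is well-formed so far
    """
    client_id = params.get("client_id")
    redirect_uri = params.get("redirect_uri")

    # RFC 6749 §4.1.2.1: if client_id or redirect_uri is missing, invalid or
    # mismatching, inform the user directly and MUST NOT redirect.
    if not client_id or client_id not in REGISTERED_REDIRECT_URIS:
        return {"action": "render_error", "error": "invalid_client"}
    if not is_registered_redirect(client_id, redirect_uri):
        return {"action": "render_error", "error": "invalid_request",
                "description": "redirect_uri missing or not registered"}

    # Only now is redirect_uri trusted enough to carry an error back to the app.
    # A mangled or missing response_type is the kind of defect the article
    # describes; it is reported to the registered URI, never to a caller-supplied one.
    if params.get("response_type") != "code":
        query = {"error": "invalid_request"}
        if params.get("state"):
            query["state"] = params["state"]  # echo state so the client can correlate
        return {"action": "redirect",
                "location": f"{redirect_uri}?{urlencode(query)}"}

    # Remaining validation (scope, consent, code issuance) is out of scope here.
    return {"action": "continue", "client_id": client_id, "redirect_uri": redirect_uri}


if __name__ == "__main__":
    # Constructed inputs: a well-formed request, a mangled one, and one
    # naming a redirect_uri the client never registered.
    base = {"client_id": "client-123", "state": "abc",
            "redirect_uri": "https://app.example.com/oauth/callback"}
    print(handle_authorization_request({**base, "response_type": "code"}))
    print(handle_authorization_request({**base, "response_type": "tokenz"}))
    print(handle_authorization_request({"client_id": "client-123", "response_type": "code",
                                        "redirect_uri": "https://unregistered.example/cb"}))
```

The design choice worth noting is the ordering: client_id and redirect_uri are checked before any other parameter, because the result of every later check may be delivered by redirect, and a redirect is only safe once the destination is known to be one the client registered.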
Cloud service provider security mistakes
Cloud historian Scott Piper has created a GitHub repo to catalogue security mistakes by cloud service providers (AWS, GCP, and Azure); that is, public mistakes on the cloud providers’ side of the shared responsibility model. Includes CVEs, SOC 2 Type 2 failures, security researchers compromising managed services, and more.
Top Announcements of AWS re:Invent 2021
Round-up from the AWS blog.
Concise list of link announcements by Victor Grenu, tagged by whether each is a launch or new service, a new feature or enhancement, or a preview.
re:Invent 2021 Recap
Chris Farris provides overview snippets from interesting announcements + a healthy dose of snark.
AWS Marketplace, otherwise known as the Amazon Bypass-Corporate-Procurement-and-Vendor-Risk-Management-as-a-Service now supports k8s. Because if you don’t do Kubernetes you should be shopping for a casket grandpa.
The top 12 security announcements at AWS re:Invent 2021
By VentureBeat’s Kyle Alspach. Some themes: “bringing more automation to many security processes, new capabilities to enable secure access to data, enhanced network and IoT security, and improved security for containers.” I thought this was a nice overview of a bunch of things 👍
A container image that extracts the underlying container runtime and sends it to a remote server, by Palo Alto Networks’ Yuval Avrahami. Has modes for dynamically and statically linked container runtimes. Poke at the underlying container runtime of your favorite CSP container platform!
A curated list of awesome Kubernetes security resources, by KSOC. Open source projects, general resources, and Twitter accounts.
Politics / Privacy
FBI document shows what data can be obtained from encrypted messaging apps
The Record’s Catalin Cimpanu shares info gleaned from a document obtained by a FOIA request:
A recently discovered FBI training document shows that US law enforcement can gain limited access to the content of encrypted messages from secure messaging services like iMessage, Line, and WhatsApp, but not to messages sent via Signal, Telegram, Threema, Viber, WeChat, or Wickr.