A curated list of awesome Open Policy Agent (OPA) related tools, frameworks and articles by Anders Eknert et al.
By Emilio Pinna: Like sqlmap but for Server-Side Template Injection and Code Injection. Tplmap supports over 15 template engines and contains a number of sandbox escape techniques to get access to the underlying operating system.
A framework designed to test authentication for web applications by DigeeX. While web proxies like ZAProxy and Burpsuite allow authenticated tests, they don’t provide features to test the authentication process itself, i.e., manipulating the relevant input fields to identify broken authentication.
Raider treats authentication as a finite state machine. Each authentication step is a different state, with its own inputs and outputs, which can be cookies, headers, CSRF tokens, or other pieces of information. The testing can be arbitrarily flexible, using a Lisp-like configuration language.
By Salesforce’s Ashish Patel and Kinnaird McQuade: Prevent SSRF attacks on AWS EC2 via automated upgrades to the more secure Instance Metadata Service v2 (IMDSv2).
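As an added example (not the Salesforce tool's own code), the core of such an upgrade with boto3: find instances whose metadata endpoint still answers IMDSv1 requests, and build the modify_instance_metadata_options call that enforces IMDSv2. The instance IDs below are constructed sample data.

```python
"""Added example: detect EC2 instances that still accept IMDSv1 and enforce IMDSv2.
Uses the real boto3 ec2 API names; the sample response below is constructed."""

# Constructed sample shaped like an EC2 DescribeInstances response.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0example001", "MetadataOptions": {
            "State": "applied", "HttpTokens": "optional",
            "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0example002", "MetadataOptions": {
            "State": "applied", "HttpTokens": "required",
            "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0example003", "MetadataOptions": {
            "State": "applied", "HttpTokens": "optional",
            "HttpEndpoint": "disabled", "HttpPutResponseHopLimit": 2}},
    ]}]
}


def imdsv1_instances(describe_response):
    """IDs of instances whose metadata endpoint is enabled but still serves
    unauthenticated IMDSv1 GETs (HttpTokens != 'required'). A GET-only SSRF
    can read the instance role credentials on exactly these hosts."""
    found = []
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                found.append(inst["InstanceId"])
    return found


def enforce_imdsv2_params(instance_id, hop_limit=1):
    """Keyword arguments for ec2.modify_instance_metadata_options().
    HttpTokens='required' means every read needs a session token obtained
    with a PUT request, which a typical SSRF cannot issue. Hop limit 1 gives
    the token response an IP TTL of 1, so it cannot cross a network hop such
    as a container bridge; raise it to 2 only where containers need IMDS."""
    return {
        "InstanceId": instance_id,
        "HttpTokens": "required",
        "HttpEndpoint": "enabled",
        "HttpPutResponseHopLimit": hop_limit,
    }


def remediate(ec2_client, describe_response):
    """Upgrade every IMDSv1 instance in the response; returns the IDs changed."""
    changed = []
    for instance_id in imdsv1_instances(describe_response):
        ec2_client.modify_instance_metadata_options(**enforce_imdsv2_params(instance_id))
        changed.append(instance_id)
    return changed
```

Against a real account, call `remediate(ec2, ec2.describe_instances())` per page of results; test the hop-limit choice on a canary first, since hosts running containers that read IMDS through a bridge network lose access at hop limit 1.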
So You Inherited an AWS Account. A 30-day security guide for engineers…
A guide to help you filter through the mess, isolate the changes you need to make, and start to tame your environment by Matt Fuller. He proposes: get stable access, stop using the root user, update billing info, enable CloudTrail logging and monitoring, clean up IAM entities, locate exposed services, lock down your domains, find expiring certificates, untangle the web of services, and monitor and migrate.
S3 backups and other strategies for ensuring data durability through ransomware attacks
By Scott Piper: “This post will discuss options for ensuring the durability of data stored on S3, through protections in place and backup strategies. The AWS backup service on AWS unfortunately does not back up S3 buckets and a lot of discussions of backups and data durability on AWS do not describe the implementation in sufficient detail, which allows a number of potential dangers. This post will show you the two best options (s3 object locks and replication policies), explain how to use these, and what to watch out for.”
Kubernetes Hardening Guidance
By the NSA and CISA. Discusses Pod security, network separation and hardening, authentication and authorization, log auditing, and more.
A checklist of practices for organizations dealing with account takeover (ATO), by Ryan McGeehan (@Magoo).
Introducing hallucinate: One-stop TLS traffic inspection and manipulation using dynamic instrumentation
SySS’s Moritz Bechler describes hallucinate, a new tool that lets you easily intercept and modify clear-text TLS network traffic by instrumenting the target process (uses Frida or a custom agent for Java). Rather than having to deal with TLS at the network layer, hallucinate uses dynamic instrumentation to perform the traffic inspection or manipulation before data is encrypted and after it is decrypted.
From Stolen Laptop to Inside the Company Network
Dolos Group describes what they were able to do with only a Lenovo laptop preconfigured with the standard security stack for a client organization, no additional info. In summary, they took a locked down FDE laptop, sniffed the BitLocker decryption key coming out of the TPM, backdoored a virtualized image, and used its VPN auto-connect feature to attack the internal corporate network.
By TNP IT Security: “An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface. Instead of using a SOCKS proxy or TCP/UDP forwarders, Ligolo-ng creates a userland network stack using Gvisor. This allows running tools like nmap without the use of proxychains (simpler and faster).”
A statically-linked SSH server with a reverse connection feature for simple yet powerful remote access. Useful during pen tests, CTFs, or similar.
Let’s beat this thing together! 💪
Covid Act Now
Pull up a ton of stats on any city, county, state, or zip, and see the risk level, infection rate, vaccination rate, and other interesting information.
C.D.C. Internal Report Calls Delta Variant as Contagious as Chickenpox
Current evidence suggests that vaccinated people who catch the Delta variant (“breakthrough infections”) are much less likely to get seriously ill, but can still spread it about as readily as the unvaccinated.
There are roughly 35,000 symptomatic infections per week among 162 million vaccinated Americans, according to data collected by the C.D.C. as of July 24.
You Really Shouldn’t Roll Your Own Crypto: An Empirical Study of Vulnerabilities in Cryptographic Libraries
Interesting to see that the data backs up common wisdom: non-memory-safe languages should be replaced, and complexity can negatively impact security.
In this work, we conduct the first comprehensive analysis of cryptographic libraries and the vulnerabilities affecting them. We collect data from the National Vulnerability Database, individual project repositories and mailing lists, and other relevant sources for eight widely used cryptographic libraries.
Among our most interesting findings is that only 27.2% of vulnerabilities in cryptographic libraries are cryptographic issues while 37.2% of vulnerabilities are memory safety issues, indicating that systems-level bugs are a greater security concern than the actual cryptographic procedures. In our investigation of the causes of these vulnerabilities, we find evidence of a strong correlation between the complexity of these libraries and their (in)security, empirically demonstrating the potential risks of bloated cryptographic codebases.
Meet Package Hunter: A tool for detecting malicious code in your dependencies
GitLab’s Dennis Appelt describes their newly released Package Hunter tool, which analyzes a program’s dependencies for malicious code and other unexpected behavior by installing the dependencies in a sandbox environment and monitoring system calls executed during the installation using Falco. Currently supports testing NodeJS modules and Ruby Gems.
Dependencies, Confusions, and Solutions: What Did Twilio Do to Solve Dependency Confusion
Twilio’s Laxman Eppalagudem describes the steps they took:
- Introduced & enforced naming conventions for all internal packages published and consumed in Twilio
- Blocked proxying of external packages that collide in the specified naming convention
- Mandated all package installs come through internal package manager proxies
- Restricted deployed hosts from accessing the registry
- Deleted all old packages that did not follow the introduced naming conventions
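An added example (not Twilio's code) of how the naming-convention and proxy rules above combine into one policy check an internal package proxy can apply. The `@acme-internal/` scope and the registry URLs are assumptions standing in for whatever convention an organization picks.

```python
"""Added example: resolution policy for an internal package proxy that stops
dependency confusion. Scope, registry URLs and package names are assumed."""
import re

# Assumed convention: every internal package is published as '@acme-internal/<name>'.
INTERNAL_NAME = re.compile(r"^@acme-internal/[a-z0-9][a-z0-9._-]*$")
INTERNAL_REGISTRY = "https://npm.internal.example"   # assumed internal registry
UPSTREAM_REGISTRY = "https://registry.npmjs.org"      # public upstream


def is_internal_name(name):
    """True only for names that follow the enforced internal convention."""
    return bool(INTERNAL_NAME.match(name))


def resolve(name, internal_index):
    """Decide where one package request is served from.

    internal_index: names actually published to the internal registry.
    Returns (decision, registry); decision is 'internal', 'upstream' or 'blocked'.
    """
    if is_internal_name(name):
        # The internal namespace is never proxied upstream, so a public package
        # registered under the same name can never be installed by mistake.
        if name in internal_index:
            return ("internal", INTERNAL_REGISTRY)
        return ("blocked", None)
    if name in internal_index:
        # A legacy internal package outside the convention is exactly the
        # collision dependency confusion exploits: refuse rather than guess
        # between the internal and the public copy (it should be renamed).
        return ("blocked", None)
    return ("upstream", UPSTREAM_REGISTRY)


def publish_allowed(name):
    """Publish-time gate: the internal registry only accepts convention names."""
    return is_internal_name(name)


def audit_manifest(dependencies, internal_index):
    """Map each dependency of a project to its resolution decision, so a
    manifest can be checked before any install touches the network."""
    return {dep: resolve(dep, internal_index)[0] for dep in dependencies}
```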
Attack AI systems in Machine Learning Evasion Competition
Microsoft and partners are launching MLSEC.IO, an educational Machine Learning Security Evasion Competition (MLSEC) for the AI and security communities to exercise their muscle to attack critical AI systems in a realistic setting. The competition rewards participants who efficiently evade AI-based malware detectors and AI-based phishing detectors.
Introducing Twitter’s first algorithmic bias bounty challenge
Occurring during DEF CON’s AI Village.
Dubai Is Using Laser-Beam-Shooting Drones to Shock Rain Out of the Sky
Sometimes I see an article and think, “The future is now.” Maybe this could help California with its now annual fire season.
Thanks for reading!