tl;dr sec is a newsletter about AppSec and scaling security, automated bug finding, conference talk and paper summaries, and useful links from around the web. You can subscribe here and see past issues here.
(You can also read this issue on our blog here.)

Hey there,

I hope you’ve been doing well!

🎉 Sponsor Slots Filled Through 2020!

Whoa! tl;dr sec is sponsored all the way through the rest of 2020, and even a bit into 2021!

I’m incredibly honored and humbled by this. A big thank you to all of the sponsors, and even bigger thank you to you, dear reader 🙏

Hearing from people that they find tl;dr sec useful or that they’ve put some of the tools and ideas to good use makes all the work worth it, and puts a spring in my step. Or maybe that’s me limping. Either way, it feels good 😀

The Social Dilemma

Like everyone and their cousin (who works in tech), I watched The Social Dilemma (trailer).

In a nutshell, it’s a set of interviews with a bunch of OG senior tech people from popular social media platforms (Facebook, Youtube, Twitter, Instagram, etc.) who created many of the now common UX tricks to maximize engagement and user growth, woven in with an overarching narrative and reflections.

I thought the movie did a surprisingly good job at explaining technical topics to a non technical audience, and somehow making interviews with a bunch of nerds engaging 🤓

(paraphrased) On one side of the screen there’s you, a human whose brain largely hasn’t changed in thousands of years. On the other side, there’s an advanced AI composed of thousands of servers constantly learning and improving their model of you, by watching your every scroll, click, and behavior. Who do you think is going to win in that fight?

It’s been interesting to see so many representations of the tech industry in media: The Social Network, Silicon Valley, Steve Jobs movies, Theranos, etc.

I hope that one day I can burn enough bridges and make enough powerful enemies that my life also gets made into a trendy movie (Netflix, you know how to reach me 📞).


📢 Jobs @ Praetorian

If you are modest about your extraordinary brilliance, Praetorian is hiring. Their team is comprised of some of the world’s brightest cybersecurity minds, who humbly put customers first and have fortitude towards making the world a safer and more secure place. A default-to-open, take-the-initiative work culture has earned them Inc’s Best Places to Work, and they've been on Inc's Fastest Growing Companies for 7 years running. Praetorian is hiring for a range of positions from security engineers to director level.
📜 In this newsletter...

🔗 Links:
  • AppSec: Finding C-type bugs in memory safe languages, find bugs by looking for dangerous words in source code, code scanning on GitHub
  • Web Security: HTTP desync attacks in the wild and how to defend against them, sending arbitrary MDM commands via HTTP request smuggling, tool to test for HTTP request smuggling/desync vulnerabilities, Cloudflare's write-up on a massive DDoS attempt, JWT security anti-patterns and best practices, updated RFC on OAuth 2.0 security
  • Cloud Security: Write-up of some complex authentication bugs in Vault
  • Blue Team: Autodeploy a Windows Domain RDP honeypot, Salesforce policy deviation checker, fingerprinting exploit developers by their work, detection as code
  • Hardware: List of hardware and IoT security tools
  • Red Team: An overview of the various Metasploit components
  • Politics / Privacy: Academic study of the manipulative tactics used in campaign emails requesting donations
  • Misc: "Smart" bluetooth male chastity belt is totally secure, Grocery Store Argument: The Musical


Now you C me, now you don’t: An introduction to the hidden attack surface of interpreted languages
Just because you’re using an interpreted language, doesn’t mean you’re safe from memory safety issues. Bas Alberts describes the attack surface of targeting interpreters, and gives 3 case studies: Perl format strings, deserialization in PHP, and Python’s socket.recvfrom_into.

How to Find Vulnerabilities in Code: Bad Words
Will Butler describes an underrated technique for finding serious security vulnerabilities in code: words that “sound dangerous.” Myself and others found this surprisingly effective as security consultants. Examples include: rawevalpermissioninsecure, and more.

GitHub: Code scanning is now available!
CodeQL / Semmle is now in general availability on GitHub. In another blog post, GitHub also announced a number of third-party static analysis and developer security training GitHub Actions and Apps available on the GitHub Marketplace. It’ll be interesting to see how GitHub handles third-party SAST tools, given that they compete with CodeQL, and if they’ll have to pay an Apple App Store-esque extortion market fee.

Web Security

HTTP Desync Attacks in the Wild and How to Defend Against Them
Imperva describes several types of HTTP desync attacks they’ve observed in practice and several defenses they’ve implemented to protect against it.

The Powerful HTTP Request Smuggling
Detailed write-up on how Ricardo Iramar dos Santos was able to exploit HTTP Request Smuggling in some Mobile Device Management (MDM) servers and send any MDM command to any device enrolled on them for a private bug bounty program.

An HTTP Request Smuggling / Desync testing tool written in Python 3 by Evan Custodio.

The DDoS That Almost Broke the Internet

Rather than attacking our (Cloudflare) customers directly, they started going after the network providers CloudFlare uses for bandwidth.

Anycast means that if the attacker attacked the last step in the traceroute then their attack would be spread across CloudFlare’s worldwide network, so instead they attacked the second to last step which concentrated the attack on one single point. This wouldn’t cause a network-wide outage, but it could potentially cause regional problems.

JWT (in)security
Great overview of common JWT issues and how to use JWTs safely, by Michał Sajdak.

OAuth 2.0 Security Best Current Practice
Updated working document from the Internet Engineering Task Force (IETF) describing security best practices for OAuth 2.0. “It updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0.”

Cloud Security

Enter the Vault: Authentication Issues in HashiCorp Vault
Two serious bugs in Vault’s aws and gcp authentication methods, by Project Zero’s Felix Wilhelm.

In my experience, tricky vulnerabilities like this often exist where developers have to interact with external systems and services. A strong developer might be able to reason about all security boundaries, requirements and pitfalls of their own software, but it becomes very difficult once a complex external service comes into play. Modern cloud IAM solutions are powerful and often more secure than comparable on-premise solutions, but they come with their own security pitfalls and a high implementation complexity. As more and more companies move to the big cloud providers, familiarity with these technology stacks will become a key skill for security engineers and researchers and it is safe to assume that there will be a lot of similar issues in the next few years.

Blue Team

By @an0n_r0: Deploy a small, intentionally insecure, vulnerable Windows Domain as an RDP Honeypot fully automatically.

Salesforce policy deviation checker by NCC Group’s Jerome Smith. The tool reveals which Profiles have become desynchronised from Organization level policies, and reviews each one’s password policies and session settings to highlight any deviations from those set at the Organization level.

Graphology of an Exploit - Hunting for exploits by looking for the author’s fingerprints
Fascinating blog post by Check Point’s Itay Cohen and Eyal Itkin in which they differentiate between the people writing malware and those developing the exploits malware uses, and fingerprint two exploit developers. The post analyzes the exploit authors’ clientele, how they improve technically over time, and more.

The set of exploit-related artifacts that they looked for

Can We Have “Detection as Code”?
Anton Chuvakin makes the case for making detection logic automated, systematic, repeatable, predictable, and shareable.

  • Detection content versioning: understand what specific rule or model triggered an alert, even in the past.
  • Proper “QA” for detection content: test for broken alerts (e.g. those that never fire, false positives/negatives) and gaps in detection overall.
  • Content (code) reuse and modularity of detection content: rules, signatures, analytics, algorithms, etc.
  • Cross-vendor content: e.g. Sigma, YARA, YARA-L
  • Cross-tool detection content: e.g. looking for a hash in EDR data and also in NDR; and in logs as well.
  • Metrics and improvement: Get better over time
  • Goal: build a full CI/CD pipeline for detections to continuously build, refine, deploy and run detection logic in various product(s).


IoT-PTv/List-of-Tools: List of the tools and usage
A list of various hardware and IoT security tools: firmware reverse engineering, dynamic analysis, bluetooth, radio assessment, etc.

Red Team

Metasploit — A Walkthrough Of The Powerful Exploitation Framework
Nice overview by Manish Shivanandhan of the various components in Metasploit.

Politics / Privacy

Academic study by Arvind Narayaran et al

At Princeton CITP, we were concerned by media reports that political candidates use psychological tricks in their emails to get supporters to donate. So we collected 250,000 emails from 3,000 senders from the 2020 U.S. election cycle. Here’s what we found.


Smart male chastity lock cock-up
A smart Bluetooth male chastity lock - what could go wrong? In a twist that should surprise precisely no one, the API had flaws allowing anyone to remotely lock all devices and prevent users from releasing themselves (removal then requires an angle grinder or similar), and the API also leaks precise user location data, personal info, and private chats. Also, TIL exists, a project dedicated to testing the security and privacy of… adult IoT devices.

Grocery Store Argument: The Musical
Twitter thread: A guy records himself dramatically singing in a grocery store, and then a bunch of other users add themselves to his base video with various harmonizing parts. Pretty impressive and fun.

Thanks for reading!




Forwarded this email? Sign up here 🚀
Copyright © 2020 Practical Program Analysis, LLC, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.