I hope you had a great Memorial Day weekend!
Welcome to issue #2 of tl;dr sec, a newsletter about AppSec and scaling security, automated bug finding, conference talk and paper summaries, and useful links from around the web.
If you've joined tl;dr sec recently, you can see the first issue here, and a summary we wrote here of "SCORE Bot: Shift Left, at Scale!", an AppSec USA 2018 talk describing PayPal's lightweight automated diff scanning tool.
This issue has links and some lessons learned from the screen industry. Expect another security talk summary next time.
@richinseattle came across a nice list of fuzzing papers.
A few neat posts from Gareth Heyes of Portswigger:
GitHub has been releasing a flurry of updates recently:
- Sponsors, a way to support developers working on open source projects.
- Maintainer security advisories, a way to privately discuss, fix, and publish info about security vulnerabilities in a repo.
- Support for adding a security policy (Security.md) that tells people how to responsibly disclose issues to you.
- The acquisition of Dependabot, which will check for out-of-date dependencies across all GitHub repos.
I wonder how Snyk and others in the space feel about this.
Think Outside the Scope: Advanced CORS Exploitation Techniques by @sandh0t describes 2 bug bounty vulnerabilities discovered, both resulting from a web app's CORS policy trusting arbitrary subdomains. The first case is exploited using an XSS in a different subdomain, the second uses some interesting browser quirks, leveraging research from Corben Leo and Davide Danelon:
- Corben Leo found that Safari doesn't validate domain names before making requests, allowing you to supply URLs with special characters (even unprintable ones) when the domain has a wildcard DNS record (e.g. https://asdf`+=.withgoogle.com).
- Davide Danelon found that some special characters can be used in other browsers, like Firefox, Chrome, and IE.
- Combining the above: the web app at https://client.amplifi.com/api/user/ returned sensitive info and trusted any subdomain of https://*.ubnt.com. The attacker sets up a domain, https://evil.com, with a wildcard DNS record that points all subdomains to www.evil.com. Then, an attacker can create a malicious PoC file that exfiltrates the user's private data when they click on a link (in the right browser) like https://zzzz.ubnt.com=.evil.com/cors-poc while logged in to the vulnerable application.
If you're interested in learning more about CORS security, I highly recommend James Kettle's AppSec USA talk "Exploiting CORS misconfigurations for Bitcoins and bounties". For understanding CORS from a browser and developer perspective, I've found the MDN docs quite useful.
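The root cause in both cases is the server-side origin check, so here is an added example (written for this issue, not code from the post or from the affected application) showing a loose "any subdomain of ubnt.com" check beside a strict one. The weak check is a hypothetical reconstruction: the post does not say how the server validated origins, and an unanchored regex is simply a common way such bugs are introduced. `ubnt.com` is the trusted suffix from the post; the `cors_headers` helper and the sample origins are constructed for the example.

```python
"""Weak vs. strict CORS origin validation (added example, not from the post)."""
import re
from urllib.parse import urlsplit

# Hypothetical weak rule: "trust any subdomain of ubnt.com", written as a regex
# with no end-of-string anchor. Everything after "ubnt.com" is ignored, so a host
# under an attacker's domain that merely *starts* with a trusted-looking name
# (e.g. zzzz.ubnt.com=.evil.com) passes.
WEAK_ORIGIN_RE = re.compile(r"^https://([a-z0-9-]+\.)*ubnt\.com")


def weak_is_trusted_origin(origin: str) -> bool:
    """Vulnerable check: prefix match only."""
    return WEAK_ORIGIN_RE.match(origin) is not None


TRUSTED_SUFFIX = "ubnt.com"
# One DNS hostname label: letters, digits and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def strict_is_trusted_origin(origin: str) -> bool:
    """Parse the Origin header, require https, validate every label, compare labels.

    Rejects anything that is not a well-formed origin (userinfo, path, query,
    fragment, odd characters) and anything whose trailing labels are not exactly
    the trusted suffix, so neither a prefix trick nor "ubnt.com.evil.com" passes.
    """
    try:
        parts = urlsplit(origin)
    except ValueError:
        return False
    host = parts.hostname  # lower-cased, port stripped
    if parts.scheme != "https" or host is None:
        return False
    # An Origin header is scheme://host[:port] and nothing else.
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return False
    labels = host.split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        return False
    suffix = TRUSTED_SUFFIX.split(".")
    return labels[-len(suffix):] == suffix


def cors_headers(origin: str) -> dict:
    """Headers for a credentialed response: echo the origin only when trusted.

    Always sends Vary: Origin so caches do not serve one origin's response to
    another; never reflects an untrusted origin back.
    """
    headers = {"Vary": "Origin"}
    if strict_is_trusted_origin(origin):
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    # Constructed sample origins, including the shape of the one from the post.
    samples = [
        "https://client.ubnt.com",
        "https://ubnt.com",
        "https://zzzz.ubnt.com=.evil.com",
        "https://ubnt.com.evil.com",
        "http://client.ubnt.com",
        "null",
    ]
    for o in samples:
        print(f"{o:36} weak={weak_is_trusted_origin(o)!s:5} strict={strict_is_trusted_origin(o)}")
```

Both the scheme check and the per-label validation matter: the browser quirks described above exist precisely because a server that only looks for a substring never sees the odd characters in the rest of the hostname, and a check that does exact label comparison is indifferent to them.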
Interview with Jon Oberheide about the founding story of Duo Security, their ethos, and how he met Dug Song (originally, when trying to hack into Dug's company's network).
"It certainly wasn't a sexy or exciting area of security. Given our backgrounds, many colleagues expected Dug and me to come up with some fancy new thing. Maybe a new AI/ML-powered IDS. Maybe a new-fangled mobile security solution. It had to be Next-Gen Something, right? In some ways, we had to get over our own egos, and build what we knew was needed. Simple and usable multi-factor authentication."
Adventures in the Screen Industry
Through a random sequence of events, last week I portrayed a minor character (a programming bootcamp instructor) in an indie TV pilot episode. Finally, all of my years studying computer science paid off ;)
As someone who is largely outside the screen industry, like I imagine most of you are, here are some interesting things I found being on set:
- Everyone on screen is wearing makeup. Everyone.
- Filming a 2-3 minute scene can take hours. Every different shot may take rearranging lights, the camera setup, and potentially a large amount of the set.
- When you see a shot of Alice speaking and then a shot of Bob responding, the actual delivery of those lines may have been hours apart. This blows my mind.
Thanks for subscribing, we really appreciate it!
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
@clintgibler | @programanalysis