Web Security Testing Guide v4.2 Released
Many new test additions, test scenarios, and more by core maintainers Rick Mitchell, Elie Saad, Rejah Rehim, and Victoria Drake, as well as other awesome contributors (release notes).
GraphQL Cheat Sheet
Nicely detailed guide covering topics including input validation, DoS prevention, access control, batching attacks, tools and other best practices. H/T @mackowski.
Blackhat EU - The Virtual Edition
Daniel Cuthbert highlights a number of talks he’s excited about for BlackHat EU. A few that stuck out to me: North Korea’s nation-state hacking chops, Gareth Heyes of PortSwigger XSSing your PDFs, the GitHub Security Lab releasing a benchmark dataset of CVEs and the fix commits responsible (super useful and tons of work, props to them), and injecting inaudible and invisible commands into the microphones of smart speakers, phones, and tablets, using LASERS! 😂
Introducing the OpenSSF CVE Benchmark
Accurate benchmarking of SAST and DAST tools is very hard, as purposefully vulnerable apps often don’t reflect real code bases, and large, curated datasets of real world vulnerabilities are hard to come by.
New tool from the Netflix cloud security team that “strives to be a multi-account AWS swiss-army knife, making AWS easier for your end-users and cloud administrators.”
- Consolidates the management of multiple accounts into a single web UI.
- Allows your end-users and admins to get credentials / console access to your different AWS accounts, depending on their authorization level.
- Provides mechanisms for end-users and admins to both request and manage permissions for IAM roles, S3 buckets, SQS queues, and SNS topics.
- A self-service wizard is also provided to guide users into requesting the permissions they desire.
By Jordan Liggitt: “Takes a Kubernetes audit log and username as input, and generates RBAC role and binding objects that cover all the API requests made by that user.”
By the Airbus Security Lab: A fuzzing platform for embedded OS kernels based on QEMU and AFL. It lets you fuzz OS kernels like simple applications.
Announcing the Atheris Python Fuzzer
Google has released Atheris, a coverage-guided fuzzer for finding bugs in Python code and native extensions. “One of the best uses for Atheris is for differential fuzzers. These are fuzzers that look for differences in behavior of two libraries that are intended to do the same thing.” For example, comparing how two libraries for resolving internationalized domain names behave.
Atheris is useful on pure Python code whenever you have a way of expressing what the “correct” behavior is - or at least expressing what behaviors are definitely not correct. This could be as complex as custom code in the fuzzer that evaluates the correctness of a library’s output, or as simple as a check that no unexpected exceptions are raised.
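As an added example (not code from Google’s announcement), here is a differential harness in the shape Atheris expects: it runs two stdlib code paths that are intended to produce the same IDNA encoding, the `idna` codec on the whole domain versus `encodings.idna.ToASCII` applied per label (the per-label helper is my own construction), and treats any disagreement, or any exception other than `UnicodeError`, as a finding. `atheris` is the real PyPI package; the comparison logic runs without it.

```python
import sys
import encodings.idna

try:
    import atheris  # real package: pip install atheris
except ImportError:  # comparison logic still runs without the fuzzer
    atheris = None

# Exceptions both implementations are allowed to raise on bad input.
# Anything else propagates out of TestOneInput and Atheris reports a crash.
EXPECTED = (UnicodeError,)


def encode_whole(domain: str) -> bytes:
    """Reference: the stdlib codec applied to the full domain name."""
    return domain.encode("idna")


def encode_per_label(domain: str) -> bytes:
    """Naive re-implementation (constructed here): split on '.' and encode each label."""
    return b".".join(encodings.idna.ToASCII(label) for label in domain.split("."))


def run(fn, domain: str):
    """Normalise an outcome to ('ok', bytes) or ('err', exception class name)."""
    try:
        return ("ok", fn(domain))
    except EXPECTED as exc:
        return ("err", type(exc).__name__)


def differential(domain: str):
    """Return None when both paths agree, otherwise a description of the mismatch."""
    whole = run(encode_whole, domain)
    per_label = run(encode_per_label, domain)
    if whole == per_label:
        return None
    return f"mismatch for {domain!r}: whole={whole} per_label={per_label}"


def TestOneInput(data: bytes) -> None:
    """Atheris entry point: fuzzer bytes -> a candidate domain name."""
    fdp = atheris.FuzzedDataProvider(data)
    domain = fdp.ConsumeUnicodeNoSurrogates(64)
    if not domain:  # empty input is a known, uninteresting disagreement
        return
    finding = differential(domain)
    if finding is not None:
        raise AssertionError(finding)


if __name__ == "__main__":
    if atheris is None:
        sys.exit("atheris not installed; run `pip install atheris`")
    atheris.Setup(sys.argv, TestOneInput)
    atheris.Fuzz()
```

A trailing dot is one input the two paths already disagree on: the codec accepts it, while the per-label version raises on the empty final label.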
Let’s build a high-performance fuzzer with GPUs!
By Trail of Bits’ Ryan Eberhardt and Artem Dinaburg: “Can we use GPUs to get 10x performance/dollar when fuzzing embedded software in the cloud? Based on our preliminary work, we think the answer is yes!” See also their discussion on CppCast.
Rizin: Free and Open Source Reverse Engineering Platform
Looks like some of the core radare2 maintainers had some differing opinions on the future of the project and decided to create this Rizin fork instead. “Provides a complete binary analysis experience with features like Disassembler, Hexadecimal editor, Emulation, Binary inspection, Debugger, and more.”
Building C2 Implants in C++: A Primer
Nice Gitbook by Shogun Lab covering designing command and control (C2) infrastructure, establishing a listening post, basic implant and tasking, and building a CLI client to interact with the listening post and implant.
State of the art of network pivoting in 2019
Alright, so you have an initial foothold on a target network, but what do you do next? Great post by Alexandre Zanni on many ways to gain further access to an internal network through a compromised machine, including SSH port forwarding, Metasploit, chisel (an HTTP tunnel), SOCKS proxies, and more.
Politics / Privacy
Improving DNS Privacy with Oblivious DoH in 1.1.1.1
“Today we are announcing support for a new proposed DNS standard — co-authored by engineers from Cloudflare, Apple, and Fastly — that separates IP addresses from queries, so that no single entity can see both at the same time.”
U.S. cybersecurity firm FireEye discloses breach, theft of hacking tools
Why do the hard work of building up significant red team capabilities when you can just steal them? 😆 “Red team tools were stolen as part of a highly sophisticated, likely ‘nation-state’ hacking operation. The stolen computer kit targets a myriad of different vulnerabilities in popular software products.” From the FireEye blog: “The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit.” List of countermeasures published to GitHub here.
The Gig Economy Is White People Discovering Servants
This century the vaunted American middle class has bottomed out and the place has started to look more like the ‘developing’ world, with a definite underclass. However, lacking generations of feudal tradition and clinging to the myth of being a classless society, Americans couldn’t just bring servants into their homes. So venture capitalists did it for them.
What the technology has done is pool the servants, make them available to more people, make it easier to communicate tasks, and — most importantly — make it possible to not think of them as servants at all. If you strip away the hype and get to the core functionality, the gig economy is just a distributed servant class.
Wraps ripgrep, the fastest grep-like tool, but enables it to search pdf, docx, sqlite, jpg, movie subtitles (mkv, mp4), etc.
EmacsConf 2020 Talks
I use a combination of VS Code for writing code and Emacs for note taking and TODOs (org-mode’s core functionality and ecosystem are crazy). Another thing I’ve started playing with is org-roam, which is an open source, org-mode based version of Roam Research, a trendy new note taking tool that aims to make it easy to follow the Zettelkasten Method (see Zettelkasten — How One German Scholar Was So Freakishly Productive). EmacsConf had a few talks on org-roam this year.
Thanks for reading!