Tool by Andrew Byford to search GitLab code, commits, wiki pages, issues, MRs, and milestones for AWS keys, GCP or Azure keys and service account files, Google API keys, Slack API tokens & webhooks, private keys (SSH, PGP, …), tokens (bearer tokens, access tokens, client_secret, …), S3 config files, passwords, and more.
Salesforce Lightning - An in-depth look at exploitation vectors for the everyday community
Aaron Costello on exploiting some common misconfigurations in Salesforce Lightning. Includes a fair amount of detail on an overview of the platform, a glossary of useful payloads, and even some bug bounty report templates.
A ton of pre-built vulnerable environments corresponding to CVEs and other popular applications you can spin up with
docker-compose, by @phithon_xg et al. H/T Ishaq Mohammed
Meet JWT heartbreaker, a Burp extension that finds thousands weak secrets automatically
Previously, Wallarm wrote about how they collected 340 JWT secrets that were publicly accessible (wallarm/jwt-secrets on GitHub). They’re now releasing a Burp extension, jwt-heartbreaker, that will passively scan any JWT you encounter for >2,000 JWT secrets that have been exposed.
Evading defences using VueJS script gadgets
Gareth Heyes, Lewis Arden, and @PwnFunction examined VueJS and found a number of script gadgets. These can be useful, for example, for bypassing defences like WAFs and CSP.
Building the Next Evolution of Cloud Networks at Slack
An overview of the design decisions and tech choices made along the way for Slack’s brand-new network architecture redesign project.
Public dataset of Cloudtrail logs from flaws.cloud
Scott Piper has released anonymized CloudTrail logs from flaws.cloud, his hands-on, free AWS security training challenges. The logs are roughly 240MB of largely attack data, covering over a 3.5 year span.
Politics / Privacy
California Voters Asked to Amend Privacy Law
By Fahmida Y. Rashid:
The most intriguing part of Proposition 24 is the creation of a California Privacy Protection Agency to enforce privacy law and issue fines to companies for violating the regulations. Currently, enforcement authority is with the state’s Attorney General’s office, and Attorney General Xavier Becerra has said the office’s limited resources would mean actions taken on only a handful of cases each year. If Proposition 24 passes, a well-funded agency—with an annual budget of $10 million and staffed by 40 people—would have the authority to act against more violaters.
A redaction tool for structured data by Latacora’s @lvh and Patrick Farwick. Useful if you want to anonymize data but keep its overall structure / semantics. Handles IPs, MAC addresses, timestamps, various AWS identifiers, and a few other types of strings.
A free and open source Zapier/IFTTT alternative that enables you to automate your workflows using Github actions, by Owen Young.
The state of artificial intelligence-based FDA-approved medical devices and algorithms: an online database
Paper from Nature, H/T Eric Michaud:
…we provide an insight into the currently available AI/ML-based medical devices and algorithms that have been approved by the US Food & Drugs Administration (FDA). We aimed to raise awareness of the importance of regulatory bodies, clearly stating whether a medical device is AI/ML based or not.
Fig. 1: An infographic about the 29 FDA-approved, AI/ML-based medical technologies
168 AWS Services in 2 minutes
Forrest Brazeal sings the names of 168 AWS services to a piano tune. I can’t believe he remembered all their names 🤣
#truth from Shreya Shankar
Awesome, lengthy write-up of Apple bugs found in a 3 month bug bounty stint by Sam Curry, Brett Buerhaus, @NahamSec, @erbbysam, and Tanner Barnes. They found 55 bugs (11 Critical, 29 High) in various online services, earning $288,500 so far. Some of the bugs included fully compromising both customer and employee applications, retrieving source code for internal Apple projects, and more.
Reflections on Bug Bounty Economics
I find the economics of bug bounty very interesting. Big payouts are often glorified and widely reshared, but how much do people who are really good actually get paid on average?
Let's do some extremely back-of-the-napkin calculations. Since not all of the bugs have been paid out, let's round up to $300,000 to make the math easier, or $100,000 per month.
- They split it evenly: Each person nets $20K / month, $60K for the 3 months. Annual income if they kept this rate: $240,000.
- Let's say two of them are doing bug bounty full time and split 60% of the spoils (30% each), and the other three have day jobs, who split the remaining 40% between them. This would give both of the two full timers $30K / month and $90K for the 3 months. Projected annual income: $360,000.
Caveats There are many unknowns in the above calculations, for example: I don't know how they split the bounties, they may have day jobs, they may have been working on other programs simultaneously, etc. I'd also note that these projected annual incomes do not include health care (if you live in the U.S.), 401K matching, and other benefits you'd get as a full time employee.
One thing I found interesting about the extremely handwavy guesstimates above is that these researchers are quite talented, found many critical bugs, and ended up netting about what you would make as an average senior security engineer at a Bay Area tech company, if the payouts were split evenly. And even if some of them received a higher cut, $360K is within senior security talent pay bands (e.g. see levels.fyi), especially if you're at a FAANG company.
Of course, getting to work your own hours, getting to test a wide variety of different systems, and other aspects of being a bug bounty researcher certainly have their own value, compensation is just one part of a job 😀
If you know of other public stats on professional and/or hobbyist bug bounty researcher income, please let me know! I'd love to learn more.
Some interesting stats and figures from Jay Chen of Palo Alto Networks.
tl;dr: there is often a long delay between vulnerability discovery and CVE publication, public exploits are often published before CVEs are public, and 37% of exploits were published before or in the first week of the patch being released. Yikes, that’s fast. 😅
Of the 45,450 public exploits in Exploit Database, there are 11,079 (~26%) exploits in Exploit Database that have mapped CVE numbers.
Among those 11,079 exploits:
- 14% are zero-day (published before the vendors release the patch), 23% are published within a week after the patch release and 50% are published within a month after the patch release. On average, an exploit is published 37 days after the patch is released. Patch as soon as possible – the risk of a vulnerability being exploited increases quickly after vendors release the patches.
- 80% of public exploits are published before the CVEs are published. On average, an exploit is published 23 days before the CVE is published. Software and hardware may also have vulnerabilities with public exploits that don’t have CVEs. Check security updates from vendors frequently and apply updates as soon as possible.
We also reviewed the entire CVE list since 1999 and found that, on average, a CVE is published 40 days after its CVE-ID is assigned. Of the 177,043 entries we analyzed at the time of this writing, more than 10,000 CVEs have been in “reserved” status for more than two years. It shows that there is a long delay between vulnerability discovery and CVE publication.
We sampled 500 high-severity exploits since 2015 and manually identified their patch dates from the vendor sites. 14% of the exploits we studied were published before the patches, 23% of the exploits were published in the first week and 50% of the exploits were published in the first month. On average, an exploit is published 37 days after the patch is released.
Thanks for reading!