[tl;dr sec] #170 – Prototype Pollution, Fuzzing, SOC Metrics


Hey there,

I hope you’ve been doing well!

Focusing on the Right Stuff

I was going to write you a lovely intro, but unfortunately I’m behind this week.

So instead I shall briefly leave you with some things that made me smile.

It’s worth watching the video:

And from a classic novelty Twitter account:


Sponsor

📢 Drata’s Compliance Trends Report 2023

74% of GRC teams aren’t addressing known vulnerabilities for lack of bandwidth. This isn’t surprising when these same teams are spending over four thousand hours annually just to achieve or maintain compliance.

Fortunately, established and enterprise companies are shifting compliance from a burden to a business accelerator through processes that promote scalability and continuous compliance. If you’re interested to learn how and get the latest on the current and future state of compliance, check out our 2023 Compliance Trends Report.

Download Now

📜 In this newsletter…

  • Web Security: Tool to extract secrets and paths, run Semgrep in Burp, turning self-XSS into account takeover in SSO, CSS injection -> SSRF write-up, a smart black-box fuzzer for web apps
  • Prototype Pollution: Portswigger on black-box detection techniques without DoS, detecting via a tool that injects hooks via AST rewriting, find prototype pollution via required parameters, paper that uses CodeQL to find universal gadgets and RCE
  • Fuzzing: cURL audit: How a joke led to significant findings, using Codex for better fuzzing coverage
  • Cloud Security: Create SCPs with Terraform, creating a black glass role for emergency use, create a Console session from IAM creds, overview of AWS’ new policy language Cedar
  • Container Security: Restricting cluster-admin permissions, OWASP Kubernetes Top 10
  • Blue Team: Extracting TTPs and other info from threat intel docs using GPT2, prevent sensitive link leakage when using URLScan, Airbnb’s approach to access management at scale, useful SOC performance metrics
  • Misc: Why do modern pop songs have so many credited writers?, the rewriting of Roald Dahl, the ‘enshittification’ of TikTok

Web Security

Damian89/yataf
By Damian Strobel: A tool written in Go to
extract secrets and paths from files or URLs.

Semgrepper
@gand3lf’s Burp Suite extension that adds Semgrep
rules into passive scan checks is now live on the BApp Store.

SSO Gadgets: Escalate (Self-)XSS to ATO
Lauritz Holtmann provides an overview of the fundamentals of OAuth2 and OIDC, while raising awareness about the potential impact of incorrect SSO configurations. Lauritz explores how SSO gadgets can turn a seemingly benign self-XSS vulnerability into account takeover, and provides real-world examples that demonstrate each gadget, as well as mitigation strategies to counteract them.

Unleashing the power of CSS injection: The access key to an internal API
Alserda’s Sander Wind writes about how he and
other researchers were able to turn a CSS injection identified in an
application’s PDF generator into reading local files and SSRF, and via SSRF
probe internal hosts. The library used to render PDF files defined a property
(reading the docs 🤘) that allowed JavaScript code to be included and executed
when a PDF file was opened.

Firefly: a smart black-box fuzzer for web applications testing
YesWeHack’s Brumens shares Firefly, a new black-box web
application fuzzer inspired by James Kettle’s Backslash-powered scanner. After
first determining an app’s baseline responses, it starts fuzzing with different
payloads and input modifications to determine how the app modifies and
transforms data, which can be used to detect backend functions, normalizations,
and/or bypass security filters used by the system.

Firefly Workflow Diagram

Sponsor

📢 We Hack Purple – Everything You Need to Learn Secure Coding, and More!

Learn how to create secure software, from industry experts! Our fun, live, virtual training teaches developers to code more securely, with checklists, free access to on-demand courses, and a supportive online community, all for one price. Hire us to train your AppSec team, as we build your custom application security program, together! With customized training available, we have something that fits every organization’s software security training needs.

Tell me more!

Prototype Pollution

Server-side prototype pollution: Black-box detection without the DoS
PortSwigger’s Gareth Heyes explores various techniques that can be safely used to identify server-side prototype pollution without compromising the core functionality of the application, and releases a free Burp extension that implements the tests. In addition, Gareth provides some tips for debugging Node applications and techniques to prevent these types of vulnerabilities.

Server side prototype pollution, how to detect and exploit
YesWeHack’s BitK describes prototype pollution, how
to find gadgets, and introduces pp-finder,
a tool that makes it easier to find prototype pollution in JavaScript codebases.

PP Finder works by using the TypeScript parser to generate ASTs for each file,
then modifies the tree to inject hooks that detect if an undefined property is
accessed. You then run the modified code and PP Finder reports potential gadgets
and tells you the relevant piece of code. Rad. Using PP Finder, they found
vulnerabilities in Express, Fastify, VueJS,
JSDom, and Axios.

Detecting Server-Side Prototype Pollution
Intruder’s Daniel Thatcher describes another black-box method to detect server-side prototype pollution:

  1. Find an endpoint that fails if a certain argument isn’t provided.
  2. Then attempt to prototype pollute with that argument name across each other endpoint, checking the original endpoint after each request.
  3. If the original request succeeds without you providing the required argument, then you have successfully found prototype pollution.
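To make the mechanics behind the three items above concrete (Gareth Heyes’ prevention tips, PP Finder’s undefined-property hooks, and the “required argument suddenly optional” signal Daniel Thatcher relies on), here is an added example that is not code from any of those posts or tools. It shows a recursive merge that is vulnerable to prototype pollution, a hardened version of the same merge, and a simplified PP Finder-style hook that records reads of properties an object does not own. The request body, option names, and helper names are constructed for the example.

```javascript
// Added example, not code from the linked posts or tools. It shows a
// recursive merge that is vulnerable to prototype pollution, a hardened
// version, and a simplified PP Finder-style hook that records property reads
// which fall through to the prototype. All input below is constructed.

// Vulnerable: walks every key of untrusted input. With a key named
// "__proto__", target["__proto__"] resolves to Object.prototype, so the
// recursion writes attacker-chosen properties onto every object in the process.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain and only descend
// into objects the target itself owns.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Returns what a brand-new object sees for "polluted" after each merge.
function runPollutionDemo() {
  // Constructed request body; JSON.parse creates an own "__proto__" key
  // rather than invoking the __proto__ setter.
  const body = '{"__proto__": {"polluted": "yes"}, "name": "ok"}';
  const results = {};

  unsafeMerge({}, JSON.parse(body));
  results.afterUnsafe = ({}).polluted;   // "yes": every object is affected
  delete Object.prototype.polluted;       // undo so the rest of the process is clean

  safeMerge({}, JSON.parse(body));
  results.afterSafe = ({}).polluted;      // undefined
  return results;
}

// Simplified PP Finder idea: wrap an object and record reads of properties it
// does not own. Library code that consults such a property is a gadget
// candidate, because pollution would supply a value where undefined was expected.
function withUndefinedReadHook(obj, reads) {
  return new Proxy(obj, {
    get(target, prop, receiver) {
      if (typeof prop === "string" && !Object.prototype.hasOwnProperty.call(target, prop)) {
        reads.push(prop);
      }
      return Reflect.get(target, prop, receiver);
    },
  });
}

function findGadgetCandidates() {
  const reads = [];
  // Constructed options object; "shell" is deliberately not set by the caller.
  const opts = withUndefinedReadHook({ cwd: "/srv/app" }, reads);
  // Stand-in for library code that reads an option the caller never provided.
  const shell = opts.shell === true;
  const cwd = opts.cwd;
  return { reads, shell, cwd };
}
```

The hook reports `shell` as a candidate because the read fell through to the prototype; that is the same signal Thatcher’s black-box method observes from the outside, where an endpoint that used to fail without a required argument suddenly succeeds once the prototype supplies it. Freezing `Object.prototype` at startup, or keeping the blocked-key check in every merge and deep-assign helper, closes the write path that both detection approaches depend on.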

Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js
Academic paper by Mikhail Shcherbakov, Musard Balliu, and Cristian-Alexandru Staicu.

We build the first multi-staged framework that uses multilabel static taint analysis to identify prototype pollution in Node.js libraries and applications, as well as a hybrid approach to detect universal gadgets, notably, by analyzing the Node.js source code. We implement our framework on top of GitHub’s static analysis framework CodeQL to find 11 universal gadgets in core Node.js APIs, leading to code execution. Furthermore, we use our methodology in a study of 15 popular Node.js applications to identify prototype pollutions and gadgets. We manually exploit eight RCE vulnerabilities in three high-profile applications such as NPM CLI, Parse Server, and Rocket.Chat.

Silent Spring Prototype Pollution Paper

Fuzzing

cURL audit: How a joke led to significant findings
Trail of Bits’ Maciej Domanski describes extending AFL++ to better support fuzzing CLI arguments, and how that enabled them to find use-after-free, double-free, and memory leak bugs in libcurl, which is used by many applications.

Some additional tips I liked: using curl’s man page to seed the fuzzing dictionary, and using iptables to redirect all TCP packets to localhost and then using netcat to listen for connections from cURL.

CODAMOSA: Escaping Coverage Plateaus in Test Generation with Pre-trained Large Language Models
Very cool work by UBC’s Caroline Lemieux. Tool source code.

We augment search-based unit test generation for Python with queries to Codex, asking Codex to create test-cases for functions with low coverage when coverage stalls (N generations with no coverage increases)

Codex is particularly good at generating “special strings” (a.k.a. “magic” strings), a recurring issue in automated testing. But it also brings benefits in being able to guess the right types of arguments when this is missing in Python, and using more complex syntactic structures.

My higher-level thoughts: while the Codex generated tests definitely gave coverage advantages, I don’t think LLMs are the be-all-end-all technique here. Codex is particularly good at “magic strings”, but not so good at the exploration we get from randomness-aided search.

Codamosa Architecture

Cloud Security

aws-samples/aws-scps-with-terraform
Set up a template to easily create and apply AWS Service Control Policies (SCPs) with Terraform.

awslabs/aws-break-glass-role
Create a break glass role for emergency use in order to limit production console
access. Configure automatic alerts and logging of activities in the role to
secure its use in production environments.

Create a Console Session from IAM Credentials
If you’re performing an AWS assessment and you encounter IAM credentials, Nick Frichette describes how to spawn an AWS Console session using a tool like aws-vault.

Cedar: A new policy language
Ian Mckay from One Cloud Please writes about Cedar, a new language created by AWS to define access permissions using policies, similar to the way IAM policies work today. Ian covers why Cedar was created, how to author policies, and some additional language features.

Cedar can be used for non-AWS applications, is written in Rust, and was designed so that it is simple to reason about whether two policies are exactly equivalent.

Container Security

Restricting cluster-admin Permissions
By Giant Swarm’s Marcus Noble: By default,
Kubernetes cluster operators are assigned to the cluster-admin ClusterRole,
allowing them to perform any action. RBAC only allows for adding permissions, so
if you need to block an action performed by cluster admins, you can leverage an
admission controller like Kyverno.

OWASP Kubernetes Top 10
Sysdig’s Nigel Douglas
groups the OWASP Kubernetes Top 10 into three categories in order of likelihood
(misconfigurations, lack of visibility, and vulnerability management), describes
the risks, mitigations, and shares relevant tools.

Sysdig Owasp Kubernetes Top 10

Blue Team

Extract Actionable Intelligence from Text-based Threat Intel using Sentinel Notebook
Microsoft’s Vani Asana introduces the MitreMap Notebook, a notebook that uses the GPT2 language model to map unstructured descriptive text of an incident to the relevant MITRE ATT&CK Enterprise techniques, as well as identify the tools, techniques and procedures (TTPs) used by the actor group and the Indicators of Compromise (IoCs) in the report.

Mitremap Notebook

How to Categorize and Prevent Risks of Sensitive Links in URLScan
Tinder Security Labs’ Rojan Rijal, Johnny Nipper and Tanner Emek write about how misconfigurations on the URLScan service used to identify potentially malicious websites could sometimes expose internal assets, domains and sensitive information to the public and be leveraged to gain access into corporate systems.

Airbnb’s Approach to Access Management at Scale
Airbnb’s Paul Bramsen discusses how the implementation of a centralized, self-serve access control platform has helped enable Airbnb’s large team of employees, contractors, and call center workers to perform their jobs efficiently and effectively in almost every region of the world. This has also helped Airbnb maintain trust while complying with legal requirements.

Airbnb Access Management

Performance metrics, part 1: Measuring SOC efficiency
Expel’s Jon Hencinski writes on how ineffective operations management can lead to SOC burnout, shares his vision for a measurement framework that helps SOC leads ensure goals are being met, explains how to create a metrics strategy, and describes three metrics they believe are fundamental to managing a SOC:

  1. When do alerts show up? (alert seasonality)
  2. How long do alerts wait before a robot or an analyst attends to them? (alert latency)
  3. How long does it take to go from alert to fix? (remediation cycle time)

Goals are things you want, strategy is how you’re going to get there and measurements tell you where you are in that journey.

Clear aims + ownership of the problem + data for learning + persistence = success
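As an added example (not code from Expel’s post), here is how the three metrics above can be computed from a small, constructed batch of alert records, where `createdAt` is when the alert fired, `triagedAt` is when a robot or analyst first acted on it, and `closedAt` is when the fix landed. The record shape, field names, and the nearest-rank percentile helper are assumptions for the example.

```javascript
// Added example, not from Expel's post: seasonality, alert latency and
// remediation cycle time computed from constructed alert records.
// Field names (createdAt, triagedAt, closedAt) are assumptions.

const SAMPLE_ALERTS = [
  { id: "a1", createdAt: "2023-02-20T09:05:00Z", triagedAt: "2023-02-20T09:07:00Z", closedAt: "2023-02-20T10:05:00Z" },
  { id: "a2", createdAt: "2023-02-20T09:40:00Z", triagedAt: "2023-02-20T09:50:00Z", closedAt: "2023-02-20T12:40:00Z" },
  { id: "a3", createdAt: "2023-02-20T23:15:00Z", triagedAt: "2023-02-21T00:15:00Z", closedAt: null }, // still open
  { id: "a4", createdAt: "2023-02-21T09:30:00Z", triagedAt: "2023-02-21T09:33:00Z", closedAt: "2023-02-21T09:45:00Z" },
];

const MINUTE_MS = 60 * 1000;

function minutesBetween(startIso, endIso) {
  return (Date.parse(endIso) - Date.parse(startIso)) / MINUTE_MS;
}

// 1. Alert seasonality: how many alerts fired in each UTC hour of the day.
//    Plotting this over weeks shows when staffing needs to be heaviest.
function alertSeasonality(alerts) {
  const byHour = new Array(24).fill(0);
  for (const a of alerts) byHour[new Date(a.createdAt).getUTCHours()] += 1;
  return byHour;
}

// 2. Alert latency: minutes from alert creation to first robot/analyst action.
function alertLatencyMinutes(alerts) {
  return alerts
    .filter((a) => a.triagedAt)
    .map((a) => minutesBetween(a.createdAt, a.triagedAt));
}

// 3. Remediation cycle time: minutes from alert creation to fix, closed alerts only.
//    Open alerts are excluded here and counted separately so they are not hidden.
function remediationCycleMinutes(alerts) {
  return alerts
    .filter((a) => a.closedAt)
    .map((a) => minutesBetween(a.createdAt, a.closedAt));
}

// Nearest-rank percentile; returns null for an empty sample.
function percentile(values, p) {
  if (values.length === 0) return null;
  const sorted = [...values].sort((x, y) => x - y);
  const rank = Math.ceil((p / 100) * sorted.length) - 1;
  return sorted[Math.min(sorted.length - 1, Math.max(0, rank))];
}

function socMetrics(alerts = SAMPLE_ALERTS) {
  const latency = alertLatencyMinutes(alerts);
  const cycle = remediationCycleMinutes(alerts);
  return {
    seasonality: alertSeasonality(alerts),
    latencyP50: percentile(latency, 50),
    latencyP90: percentile(latency, 90),
    cycleP50: percentile(cycle, 50),
    openCount: alerts.filter((a) => !a.closedAt).length,
  };
}
```

Reporting percentiles rather than averages keeps one slow overnight alert (a3 here, an hour of latency) visible in the P90 without letting it distort the typical case, and tracking the open count next to cycle time stops a backlog of unclosed alerts from making remediation look faster than it is.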

Misc

Why Do Modern Pop Songs Have So Many Credited Writers?
How modern songwriting evolved into a game of aggressive credit—even for the
people who didn’t technically do the composing.

The rewriting of Roald Dahl

The publishers have given themselves licence to edit the writer as they see fit, chopping, altering and adding where necessary to bring his books in line with contemporary sensibilities. By comparing the latest editions with earlier versions of the texts, The Telegraph has found hundreds of changes to Dahl’s stories.

Language related to weight, mental health, violence, gender and race has been cut and rewritten. Remember the Cloud-Men in James and the Giant Peach? They are now the Cloud-People. The Small Foxes in Fantastic Mr Fox are now female. In Matilda, a mention of Rudyard Kipling has been cut and Jane Austen added.

The ‘Enshittification’ of TikTok
By Cory Doctorow, with examples of Amazon,
Facebook, Google, and TikTok.

Here is how platforms die: First, they are good to their users; then they abuse their users to make things better for their business customers; finally, they abuse those business customers to claw back all the value for themselves. Then, they die.

I call this enshittification, and it is a seemingly inevitable consequence arising from the combination of the ease of changing how a platform allocates value, combined with the nature of a “two-sided market,” where a platform sits between buyers and sellers, hold each hostage to the other, raking off an ever-larger share of the value that passes between them.

Technological self-determination is at odds with the natural imperatives of tech businesses. They make more money when they take away our freedom—our freedom to speak, to leave, to connect.

Apparently Cory has a new book, Chokepoint
Capitalism, on “how big tech and big content
captured creative labor markets, and how we’ll win them back.”

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏

Thanks for reading!

Cheers,
Clint


@clintgibler




