Hi there,

In honor of this being a pre-Thanksgiving edition of tl;dr sec, I thought it appropriate to commemorate the origin of this holiday. Which is why this edition includes a blanket covered with smallpox a special helping of good security content, so you can enjoy and then nap for a few hours.

But truly, I want to thank you for taking the time to read tl;dr sec. I know you’re busy, and that time is precious, and I’m honored that you spend time reading the content I put together. I don’t take that trust lightly - I work hard to make tl;dr sec have quality content.

I hope you have a great Thanksgiving, and are able to spend some time relaxing with friends and loved ones 😊

I’m speaking at RSA 2020!

I’ll be giving a talk on DevSecOps, where I’ll give a massive survey of the trends I’ve seen and insights I’ve learned based on dozens of talks, blog posts, and in-person conversations with people at companies doing cool stuff.

Let me know if your team or company is doing something neat I should include!

Upcoming Events

Bay Area Fuzzing Meetup #2 on December 12th at Facebook. The first one was great - high quality talks and conversations afterwards.

📜 In this newsletter...

🔗 Links:
  • Tools: an open source postman, JS library for rendering Markdown/LaTeX, a neat source code visualizer/navigator
  • Web security: reCAPTCHA solutions can be reused (quickly), Kibana RCE prototype pollution walkthrough
  • Professional development: Daniel Miessler on blogging, Tanya Janca on talks, presentations, and social media
  • 2 Fast 2 Discoverious: Bugcrowd and Jeremiah Grossman's company Bitdiscovery partner on asset inventory, Bishop Fox is in the game too
  • Politics: Data leak shows how China 'brainwashes' Uiighurs, Swedish PM dishes a burn, with a side of delicious, delicious meatballs
  • Fuzzing: Coverage-guided fuzzers for Java, JS, and Python, paper on building faster fuzzers + tool release, a web fuzzer
  • Destroying x86_64 instruction decoders: Trail of Bits describes how to find discrepancies in x86_64 decoders using differential fuzzing

📚 New Summary: Pose a Threat: How Perceptual Analysis Helps Bug Hunters:

In this AppSec Cali 2019 talk, Rob Ragan and Oscar Salazar of Bishop Fox describe how to make external network penetration tests more effective by auto-screenshotting exposed websites and then clustering them based on visual similarity.

They scanned every web app on AWS Elastic Beanstalk and found many credentials, API keys and source code.

At a high level, their approach is:

  1. OSINT (OWASP AMASS) is used to find target domains and subdomains.
  2. Threat intel, wordlists, and other sources are used to find interesting paths to check.
  3. AWS Lambdas are spun up that use headless Chrome to screenshot these paths.
  4. Shrunk screenshots are stored in S3, response bodies and headers are stored in Elasticsearch. Screenshots are grouped by similarity using fuzzy hashing.
  5. Humans review sorted screenshots for leaked sensitive data or promising targets to attack.

Tools

postwoman - API request builder - A free, fast, and beautiful alternative to Postman.

TeXMe - a lightweight JavaScript utility to create self-rendering Markdown + LaTeX documents.

Sourcetrail is a cross-platform source code explorer designed to help you grok unfamiliar source code quickly. It does lightweight static analysis on C, C++, Java, and Python source code to extract class and method definitions, member fields, class hierarchies, and more.

Sourcetrail User Interface

Web Security

Cracking reCAPTCHA, Turbo Intruder style
James Kettle of Portswigger found that you can use reCAPTCHA solutions several times if you go fast enough. The issue was reported to Google 8 months ago but Google didn’t think it was exploitable in the wild.

  • Impact: Attackers can register more spam accounts for each solved CAPTCHA, increasing their spam rate.
  • Fix: If you’re using reCAPTCHA, you’ll need to manually secure it by locking/synchronising on the g-recaptcha-response token.

Exploiting prototype pollution – RCE in Kibana (CVE-2019-7609)
Nice illustrative walkthrough. Prototype pollution occurs when in JavaScript an attacker can overwrite properties of Object.prototype, which other objects inherit from, and that capability is used to cause unintended behavior, for example, making every object’s isAdmin property default to true.

Professional Development

One thing I enjoy reading is how people who are experienced at something do that thing.

So You Want to Start a Blog by Daniel Miessler

Tanya Janca’s tips on giving technical talks and presentations and social media.

2 Fast 2 Discoverious (Moar Asset Inventory)

Two weeks ago, in tl;dr sec #13, I mentioned Bugcrowd’s new “Attack Surface Management” product, in which you pay some of their bug bounty researchers to do asset discovery for you. One concern I had for it is that the approach seemed challenging to guarantee consistent, high coverage.

So it was interesting to see a few days ago this teaser tweet by Jeremiah Grossman that Bugcrowd is partnering with his asset discovery company, Bitdiscovery. Jeremiah also just tweeted some stats from analyzing the Internet-connected assets belonging to the top ten U.S. banks.

2 Fast 2 Discoverious
I know what you’re thinking, and the answer is yes, I like putting my degree in Graphic Design to good use.

It’ll be interesting to see where this partnership goes.

Also, the talk summary below from Bishop Fox describes some of the infrastructure they’ve built up around assessing a company’s external attack surface, an up-and-coming service offering they’ve been funding with their $25 million Series A from ForgePoint Capital in early 2019.

Politics

Data leak reveals how China ‘brainwashes’ Uighurs in prison camps
Surprise! People didn’t “voluntarily” decide to attend a high security re-education camp.

Swedish PM hits back at China over literature prize threat
China threatened to impose “counter-measures” on Sweden if a dissident Chinese writer, who is currently imprisoned in China, receives a literature award. Swedish PM: “We have no intention of yielding to these sorts of threats. Ever. We have freedom of expression in Sweden and that is what applies here. Full stop.”

Fuzzing

ffuf - Fast web fuzzer written in Go

javafuzz - coverage guided fuzz testing for Java. The company (fuzzit.dev) has released similar libraries for JavaScript and Python.

Building Fast Fuzzers - Paper on how to build faster grammar-based fuzzers.

fzero_fuzzer - “A target-architecture-agnostic grammar-based fuzzer (inspired by the above paper). With no input size constraints, multi-thread support, and all Rust code for no corruption bugs. 5x faster than the worlds fastest grammar-based fuzzer” by Brandon Falk 🔥

Destroying x86_64 instruction decoders with differential fuzzing

Instruction decoding is implicitly treated as a solved problem. Analysis platforms give analysts a false sense of confidence by encouraging them to treat disassembled output as ground truth, without regarding potential errors in the decoder or adversarial instruction sequences in the input.

In this post, Trail of Bits describes and releases mishegos, a tool that uses differential fuzzing to find bugs in x86 decoders (Capstone, libbfd/libopcodes, udis86, XED, and Zydis).

Differential fuzzing (or “differential testing”) is basically a fancy way of saying, “Given 2 or more implementations that are supposed to do the same thing, give them all the same input, and see where the outputs differ.”

Figure 6: Mishegos’s architecture.
Figure 6: Mishegos’s architecture.

As a technique, differential fuzzing is really clever. Let’s think about it a bit more.

  • In standard fuzzing, looking for memory safety-type issues in programs written in C or C++, we can find bugs by throwing random garbage at the programs and observe if they crash, access invalid memory, or exhibit other bad behavior.
  • I call these bugs “context agnostic,” because we don’t need to know anything about the program; if we observe certain classes of behavior, we know there’s a bug, regardless of the program’s purpose or business domain.
  • However, how can we find bugs in complex business logic? For example, parsing a complicated file format, implementing a network protocol, etc.
  • In these cases, how would we know when the program we’re testing incorrectly handles the input? We would need an oracle that implements the business logic we’re testing 100% correctly, which we can then compare the tested program’s output against.
  • However, if we had a perfectly implemented oracle, we’d probably just use that, and not need to build the application we’re testing.
  • Differential fuzzing allows us to test complicated business logic without an oracle by comparing the outputs of multiple programs that are supposed to implement the same functionality, and investigating where the results are different.

    We don’t have to know a priori the correct output for every input or even which program is right when the outputs differ, we just know to investigate when the programs don’t behave identically.

📚 New Summary: Pose a Threat: How Perceptual Analysis Helps Bug Hunters

Pose a Threat title slide

This talk contains some neat thoughts on the applications of this approach for pen testers as well as companies, and a nice overview of historical methods of doing content discovery as well as some of its challenges.

Read the full summary here.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler @programanalysis