Security Pills - Issue 25
Abusing JSON-Based SQL to Bypass WAF, Some Ways To Use ZK-SNARKs for Privacy, Alternatives to Tornado Cash
Release Date: 12th December 2022 | Issue: 25 | Subscribe
The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
SponsorWould you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on appsec, mobile and smart-contracts while we help people staying up to date with this corner of the industry.If you are interested, reach out to [email protected] with your ad idea to get started!
Hey there, hope you all had a great weekend!Hope you enjoy today's articles, stay safe!
Articles: Exploring Prompt Injection Attacks, Using OpenAI Chat to Generate Phishing Campaigns, Abusing JSON-Based SQL to Bypass WAF, Accidentally Crashing a Botnet, The Hunt for the Dark Web's Biggest Kingpin, Alternatives to Tornado Cash, Hybrid Fuzzing: Sharpening the Spikes of Echidna, The Optimizer's Guide to Solidity Pt. 4, Some Ways to use ZK-SNARKs for Privacy, Intro to Smart Contract Audit Series: Phishing with tx.origin, Accessing Private Data in Smart Contracts.
Vulnerabilities and Bug Bounties: From Zero to Hero Pt. 2: From SQL Injection to RCE on Intel DCM, RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass, Hijacking GitHub Repositories by Deleting and Restoring Them, Novel Pipeline Vulnerability Discovered: Rust Found Vulnerable, Address Poisoning Attack: A Continuing Threat, xAPIC Vulnerability on Secret Network, Roast Football Suffers Attack: Funds Lost Through Exploited Reward System, Nethermind ModExp Out of Memory Consensus Issue, Know About the Helio Protocol Hack, Rust Realloc and References.
Videos: How to Find a $7 Billion Dollar Exploit, Can AI Create a Mnecraft Hack?, Applied ZK Learning Group, Who Stole the NSA's Top Secret Hacking Tools?
Repositories: smart-contract-auditing-heuristics, Optik.
Tags used in this issue: #ai, #appsec, #blockchain, #smart-contract, #supply-chain.
Exploring Prompt Injection Attacks #aiPrompt Injection is a new vulnerability that is affecting some AI/ML models and, certain types of language models using prompt-based learning. This post discusses what a prompt is in the machine learning context, how prompt injection abuses this characteristic, its impact as well as some recommendations and advice.
Using OpenAI Chat to Generate Phishing Campaigns #aiOpenAI chat has exploded in popularity over the last couple of weeks. Rick Osgood writes on how it could be used to generate elaborated phishing campaigns.
Abusing JSON-Based SQL to Bypass WAF #appsecTeam82 has developed a generic bypass of industry-leading web application firewalls (WAF), which involves appending JSON syntax to SQL injection payloads that a WAF is unable to parse.
Accidentally Crashing a Botnet #blockchainAkamai researchers have continued their research on KmsdBot, a cryptomining botnet. As part of this analysis, a syntax error caused the bot to stop sending commands, effectively killing the botnet.
The Hunt for the Dark Web's Biggest Kingpin Pt.1 The Shadow #blockchainThe rise and fall of AlphaBay, the largest online drug and crime bazaar in history, run by a technological mastermind who seemed untouchable — until his tech was turned against him. A six-part series describing how Alpha02 oversaw millions of dollars in online narcotic sales and how he became public enemy number one for cybercrime detectives.
Solana rBPF Vulnerability Case Study #blockchainWhen compiled smart contracts run in Solana, they are converted into eBPF bytecode, and a separate virtual machine execute them. Among the attack surface that exists in Solana, Jade from Haechi Labs, thought that the rBPF Virtual Machine was the component where 0-day vulnerabilities could exist and started a research. This article collects some of the notes gathered during the research.
Alternatives to Tornado Cash #blockchainOn August 8th, the OFAC sanctioned the popular Tornado Cash decentralized mixer. Processing over $7 billion worth of cryptoassets throughout its operation, Tornado Cash was used by criminal entities to launder over $1.54 billion of illicit cryptoassets. Within a month of the sanctions, Tornado Cash liquidity pools decreased by approximately 60%. This briefing details Elliptic's analysis into six prominent alternative Ethereum-based obfuscation protocols that have been mentioned as potentially the next Tornado Cash.
Hybrid Fuzzing: Sharpening the Spikes of Echidna #blockchainSmart contract fuzzing is an effective bug-finding technique that is largely used at Trail of Bits during audits. Tom Malcolm has been working on Hybrid Echidna during his internship, a “hybrid fuzzer” that couples Echidna, with their symbolic execution framework, improving the process of finding bugs.
The Optimizer's Guide to Solidity Pt.4: Binary Size Tricks #blockchainOmniscia has published the fourth part of their series on delving deep into the internals of the EVM and how they regularly exploit peculiar traits of the EVM to minimize the execution cost of the smart contracts it audits. You can see previous parts here: Pt. I, Pt. II, and Pt. III.
Some Ways to use ZK-SNARKs for Privacy #blockchainZK-SNARKs are a powerful cryptographic tool, and an increasingly important part of the applications that people are building both in the blockchain space and beyond. But they are complicated, both in terms of how they work, and in terms of how you can use them. This post focuses on applications of ZK-SNARKs for preserving privacy.
Intro to Smart Contract Audit Series: Phishing With tx.origin #smart-contractSlowMist thoughts on how tx.origin-based phishing attacks are used in smart contracts.
Accessing Private Data in Smart Contracts #smart-contractArticle from QuillAudits describing how it is possible to access data stored in private variables from outside the blockchain.
From Zero to Hero Part 2: From SQL Injection to RCE on Intel DCM #appsecJulien Ahrens writes on how to get remote code execution on any host running a DCM console by exploiting an authenticated SQL Injection.
RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass #appsecA writeup explaining how two researchers were able to achieve RCE through a server-side template injection using a Spring Expression Language injection on an application running Spring Boot.
Hijacking GitHub Repositories by Deleting and Restoring Them #appsecJoren Vrancken found an obscure security measure while researching GitHub repositories; the popular repository namespace retirement. This security measure was implemented by GitHub to protect popular repositories against repository hijacking. During this research, Joren was able to identify a way to bypass this security mechanism, landing a bounty of $4,000.
Address Poisoning Attack, a Continuing Threat #blockchainThe address poisoning attack on $0 USD transfers is savage in recent weeks. As of December 2, more than 340K addresses have been poisoned on the chain, totaling 99 victim addresses and more than 1.64M USD stolen. In this article, X-explore provides a comprehensive analysis of the attack landscape, traces the attackers on-chain, and provides an in-depth analysis of how the attack is implemented.
Rust, Realloc, and References #blockchainRust is safe... right? Not if your dependencies are unsafe. A deep dive into a subtle Solana SDK bug, Rust internals, and how OtterSec spotted the vulnerability.
Roast Football Suffers Attack, Funds Lost Through Exploited Reward System #smart-contractOn December 05, 2022, Roast Football was a victim of an attack, in which the exploiter repeatedly swapped $RBF and $WBNB tokens by manipulating their reward system to book a profit of approximately 12 $BNB worth $3500.
xAPIC Vulnerability on Secret Network #smart-contractOn October 3rd, SCRT Labs was notified of a vulnerability affecting the privacy of data stored on Secret Network. This disclosure was related to the recently disclosed xAPIC architectural bug, an uninitialized memory read in the CPU itself that impacted certain SGX-enabled CPUs. The researchers demonstrated the ability to access the consensus seed, from which other network seeds were derived.
Nethermind ModExp Out of Memory Consensus Issue #smart-contractOn 14 October 2022, Jason Matthyser, a security researcher at Iosiro, identified a bug within the Nethermind client that could lead to a consensus failure. The issue was reported to the Ethereum Foundation, who fixed the bug before it was released into production, ensuring that no funds were at risk.
Know About the Helio Protocol Hack #smart-contractOn December 02, 2022, the dumping of massive amount of aBNBc tokens on decentralized exchange opened the door for another exploit in which Helio Protocol was attacked and profited the attacker by approximately $15.5 million.
Novel Pipeline Vulnerability Discovered; Rust Found Vulnerable #supply-chainThe Legit Security Research Team discovered a new class of software supply chain vulnerabilities that leverages artifact poisoning and attacks the underlying software development pipelines for projects using GitHub Actions. This article covers this new technique of artifact poisoning and describes who could be vulnerable, including how the vulnerability was found in the Rust programming language.
🙏 Support us
How to Find a $7 Billion Dollar Exploit — Patrick covers in this video a bug that could potentially have drained $7 billion from the polygon ecosystem.
Can AI Create a Minecraft Hack? — LiveOverflow uses OpenAI's ChatGPT to create a minecraft hack.
Applied ZK Learning Group — Learning resources for someone willing to dive deep into the applied ZK space.
Who Stole the NSA's Top Secret Hacking Tools? — The NSA has a super secret catalog of sci-fi level cyber weapons. Then one day in 2016, someone started auctioning them off on Twitter.
📧 Wrapping up
If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.