Security Pills - Issue 29

Release Date: 9th January 2022 | Issue: 29 | Subscribe

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Hey everyone, hope you had a great week. 👋,In the first week of the year, Sam Curry and others published their research on different vehicle telematic systems, with vulnerabilities found if almost every single car manufacturer. pwning.eth has reported another critical bug which impacted the Poladkot ecosystem, probing the possibility of minting valid but depegged wrapped tokens. Andrew Hong, from Dune Analytics, has written extensive articles explaining how Ethereum maps to Dune's tables and has shared multiple examples for all the basic SQL you can use. These and more articles, are available on today's newsletter, enjoy.

The GPT-3 Architecture on a Napkin #AIArticle that aims to build an as detailed as possible understanding of the GPT-3 architecture.

Security in the Age of LLMs #AIArticle on how threat modeling and detection will drastically change in the age of AI/LLMs.

Prototype Pollution in Python #appsecResearch that aims to prove the possibility of having a variation of Prototype Pollution in other programming languages, including those that are class-based by showing Class Pollution in Python.

Bypassing Firewalls with of-CORs and typo-squatting #appsecResearch on how to attack internal applications without performing lateral movement or social engineering, just using a misconfiguration on CORs and typo-squatting.

SSRF Vulnerabilities Caused by SNI Proxy Misconfigurations #appsecSNI proxies are load balancers that use the SNI extension field to select backend systems. When misconfigured, SNI proxies can be vulnerable to SSRF attacks that provide access to web application backends.

Top 10 Web Hacking Techniques of 2022 #appsecEvery year, security researchers share their latest findings with the community in a firehose of presentations, white-papers and blog posts. While every post is valuable, some contain something special - innovative ideas and techniques that can be re-applied elsewhere. Portswigger has opened the nominations for the top 10 new web hacking techniques of 2022. Check them out on this article.

How to Start Analyzing Any Web3 Protocol or Product Using SQL #analytics, #blockchainProtocol contract structures and flows all vary wildly, and learning solidity patterns is not necessarily easy. Figuring out what functions/events from what contracts to analyze is tough, and finding example transactions can be time consuming. Andrew has created a Dune dashboard to make every analyst life easier and has authored this article that deep-dive into each section of the dashboard.

Getting Started with Phalcon 2.0 #analytics, #blockchainPhalcon is a powerful transaction explorer designed for DeFi community. It provides comprehensive data on invocation flow, balance changes, and fund flows for transactions. It also supports transaction simulation.This article aims to introduce the various features and functions of Phalcon, using for that a transaction on the Ethereum blockchain.

A Basic Wizard Guide to Dune SQL and Ethereum Data Analytics #analytics, #blockchainIn this article Andrew explains how Ethereum maps to Dune's tables and provides use case examples for all the basic SQL needed to become a data wizard.

Guide to Web3 Data Tools #analytics, #blockchainArticle from Andrew Hong that covers all the top data tools and how they are used from a data analysts perspective.

2022 Blockchain Security and AML Analysis Annual Report #blockchainThis report takes a close look at the major events in the blockchain industry that took place in 2022. It provides an overview of the security status of each area within the industry and delves into common attack techniques. Additionally, it uncovers a few phishing techniques and analyzes the flow of stolen funds in some security incidents. To round things off, the report introduces an advanced method for tracking coin mixer funds through a comprehensive analysis.

Using Foundry to Explore Upgradeable Contracts Pt. 1 #blockchainMaking contracts upgradeable offers a lot of flexibility, but also it adds certain complexities to the code, as you need to circumvent Solidity's type system, which causes the compiler's ability to catch mistakes to be severely limited.This post is the first in a two-part series and will deep-dive into how upgradeable contracts can be implemented and what can go wrong.

Reverse Engineering Yet Another Book Format #reverse-engineeringNemanja Mijailovic on how to reverse engineer the DRM used by Human Kinetics, and obtain a legal copy of the EPUB.

Web Hackers vs The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More #appsecResearch on different automobile manufacturers and security issues identified in their API endpoints used by the vehicle telematics systems.

Circom-Pairing: A Million-Dollar ZK Bug Caught Early #blockchainAnalysis of a critical security issue discovered in the circom-pairing library, which could have allowed attackers to forge signatures. The circom-pairing library is a circom implementation of elliptic curve pairings, which enables Zero-Knowledge (ZK) systems to verify signatures over the BLS12-381 curve.

Frozen Heart Vulnerability #blockchainDetails on the Frozen Heart security vulnerability, caused to an improper implementation of the Fiat-Shamir hash computation algorithm.

A Vulnerability Perspective Analysis of Move Language Security - Proposal Attack  | Contract Upgrade Vulnerability #blockchainAn analysis on the proposal attack that affects smart contracts written in the Move language. The SharkTeam has also written about the contract upgrade vulnerability.

I Scanned Every Package on PyPi and Found 57 live AWS Keys #cloudTom Forb has scanned every package published to PyPi and found 57 valid accesses keys from organizations like Amazon, Intel and the Australian Government, among others.This article outlines the tool built by Tom to automatically scan all new PyPi releases and presents some analysis of the keys found.

Moonbeam, Astar, and Acala Library Truncation Bugfix Review #smart-contractOn June 27th, pwning.eth submitted a critical bug report that impacted the Polkadot ecosystem via Immunefi, demonstrating the possibility of minting valid but depegged wrapped tokens. The estimated potential damage from the vulnerability amounted to approximately $200m across the Moonbeam, Astar Network and Acala projects.

How Was GDS Chain Hacked? - Neptune Mutual | QuillAudits  #smart-contractOn January 03, 2022, the GDS Chain was exploited via a flash loan attack, resulting in a loss of approximately $187,000 and the price of the GDS token dropped from $0.5 to $0.1.

🎥 Videos

• Beware of this Crypto Scam — Junion observed that zero USDT tokens were transferred mysteriously out of his wallet. These zero token transfers are all a part of an elaborate scam that has stolen over 5 million dollars.

• ZK Vulnerability - Frozen Heart — D-Squared focuses on a ZK vulnerability called 'Frozen Heart', which was discovered by Trail of Bits.

• I Hope This Sticks" Analyzing ClipboardEvent Listeners for XSS — Talk given by spaceraccoon during NahamCon2022 EU.

• From NSO Group Hacker to Web3 Security Researcher — An interview with Trust, ex-NSO Group hacker turned web3 bounty hunter and independent security researcher. In just under a year, Trust has rocketed to the top of the code4rena leaderboard, and has made waves on both code4rena and Immunefi.

⌨️ Repositories

• blocksecteam/rustle — Rustle is an automatic static analyzer for NEAR smart contracts in Rust.

• 0xsanny/solsec — A collection of resources to study Solana smart contract security, auditing, and exploits.

• crisgarner/awesome-foundry — A curated list of awesome of the Foundry development framework.

• romainthomas/iCDump — A modern Objective-C class dump based on LIEF and LLVM.

• trufflesecurity/of-CORS — Truffle Security's tool suite for identifying and exploiting CORS misconfigurations on the internal network of bug bounty targets using typo-squatting.

• orf/aws-creds-scanner — This tool scans PyPi, Rubygems and Hexpm packages for AWS keys.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.

Thanks,Sebas@0xroot | @secpillsnews