Security Pills - Issue 34
Fearless CORS, Top 10 web hacking techniques of 2022, Cracking the Odd Case of Randomness in Java
Release Date: 13th February 2023 | Issue: 34
The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
Sponsor: The compliance automation tool that's making audits fun
Did you know that on average, GRC and IT teams are spending 4,300 hours on compliance tasks per year? Slash the time and resources you're spending achieving and maintaining compliance with G2's highest-rated cloud compliance platform.
Automated evidence collection, 24/7 control monitoring, and an auditor-built collaboration hub are just a few reasons why companies like Lemonade, Notion, and Postman trust Drata as their compliance partner.
Drata's robust risk management solution, pre-mapped controls, and automated compliance for 14+ frameworks will help you centralize your compliance program and reduce endless back and forth with your auditor and team. Book a demo to start streamlining your audits—and even make them fun… according to customer reviews.
Hi there 👋,

Hope you had a great weekend! Welcome to all our new subscribers, it's great to have you here!

Have you ever tried to keep track of the number of hacks that occur in the blockchain each week? Don't worry, we haven't either. It's nearly impossible! There are so many each week that it's almost overwhelming. But don't worry, I've come up with a fun way to bring you the top hacks, at least in terms of monetary loss. I've created a new section called the "Rekt Leaderboard."

What's it all about? Simply put, each week we'll publish a ranking of the top three hacks that have siphoned the most funds 💸.

Don't worry, we'll still be covering any interesting research or vulnerabilities affecting the blockchain industry, just like we do every week!

So, grab a cup of coffee, find a comfortable seat, and enjoy today's newsletter!
Articles: Fearless CORS: A design philosophy for CORS middleware libraries, Top 10 web hacking techniques of 2022, Horatius At The Bridge, Modular MEV: Pt.1 - The Introduction, Synapse: A Deep Dive, Symbolic testing with Halmos: Leveraging existing tests for formal verification, Data exfiltration with native AWS S3 features, The technology behind GitHub's new code search.
Vulnerabilities & Bug Bounties: Vulnerability Research Digest - macOS/iOS in 2022, Post-Exploitation: Abusing the KeePass Plugin Cache, A-Salt: Attacking SaltStack, Neo4jection: Secrets Data and Cloud Exploits, Cracking the Odd Case of Randomness in Java, Binance Smart Chain token Bridge Hack.
Rekt Leaderboard: dForce Network, LianGo Protocol, CoW Protocol.
Videos: yAcademy Block IV: Blockchain Threat Intel, Generating ETH from thin air, Degatchi on Reverse Engineering and MEV, Fuzzing Solidity/Ethereum Smart Contract using Foundry/Forge.
Repositories: Mr Steal Yo Crypto CTF, rsu-cracker, halmos, storage-slots.
Podcasts: Critical Thinking Ep.6 Mobile Hacking Attack Vectors.
Writeups: Using a Flipper Zero to access API source code on IoT devices, Cloudflare bypass: Discover IP addresses of Web servers in AWS, Storage Structs Pattern.
Tags used in this issue: #apple, #appsec, #blockchain, #cloudsec, #engineering
Fearless CORS: A design philosophy for CORS middleware libraries #appsec Julien Cretel explores why developers struggle with CORS and proposes Fearless CORS, a design philosophy and set of best practices for better CORS middleware libraries, based on twelve principles.
Typical example of a successful CORS handshake
Top 10 web hacking techniques of 2022 #appsec PortSwigger's James Kettle on the 16th edition of their annual community-powered effort to identify the most important and innovative web security research published in 2022. This year, two key themes stand out: single sign-on and request smuggling, represented by the 'Browser-Powered Desync Attacks' and 'Account hijacking using dirty dancing in sign-in OAuth-flows' research.
Horatius At The Bridge #blockchain Maven11Capital's rain&coffee provides a comprehensive overview of security and trust assumptions in blockchain bridges while also taking a look at the economics of cross-chain messaging protocols and bridging.
Modular MEV: Pt.1 - The Introduction #blockchain Maven11Capital's rain&coffee discusses the concept of Maximum Extractable Value (MEV) and its rapid evolution into a crucial component of protocol design, and explores the potential implications that a 'modular' design approach might have on MEV.
Synapse: A Deep Dive #blockchain Li.Finance's Mark Murdock explores the design, security, and trust assumptions of Synapse, an arbitrary messaging bridge (AMB) that lets users and developers transfer both simple messages and complex data across chains.
Synapse message-passing architecture
Symbolic testing with Halmos: Leveraging existing tests for formal verification #blockchain a16z Crypto's Daejun Park delves into the challenges of formal verification and the potential to bridge the gap between unit testing and formal verification, while introducing Halmos, a symbolic bounded model checker for Ethereum smart contract bytecode.
Data exfiltration with native AWS S3 features #cloudsec Ben Leembruggen writes about various ways legitimate S3 features can be abused to exfiltrate data, and provides recommendations for detecting such abuse.
The technology behind GitHub's new code search #engineering GitHub's Timothy Clem provides a high-level overview of building the world's largest public code search index and a small window into the system architecture and technical underpinnings behind GitHub's new code search.
High level overview of the ingest and indexing side of the system
Post-Exploitation: Abusing the KeePass Plugin Cache #appsec Quarkslab's Kevin Minacori presents a post-exploitation technique to extract KeePass credentials without process injection. Using the PLGX plugin file format, it is possible to inject code into the KeePass process in a stealthy manner and dump the stored passwords.
A-Salt: Attacking SaltStack #appsec Skylight Cyber's Alex Hill introduces a set of common misconfigurations that they have encountered in the wild on SaltStack, an IT orchestration platform. Alex also details a novel template injection technique which can achieve remote code execution on a salt-master server. Although this post details some attack vectors, they have prepared a cheatsheet summary for defenders too.
Logical PowerCorp network architecture
Neo4jection: Secrets, Data, and Cloud Exploits #appsec Varonis' Nitay Bachrach discusses the rise of graph databases, especially Neo4j, and provides a comprehensive, technical, security-oriented demonstration of the different attack and evasion techniques found in those databases, from extracting data from Neo4j to lateral movement in the cloud.
Cracking the Odd Case of Randomness in Java #appsec Elttam's Joseph Surin details a technique for cracking Apache Commons Lang3's 'randomAlphanumeric' and, more generally, Java's nextInt with odd values of bound. It is a novel approach that improves upon the existing techniques for attacking Java's random number generation.
Binance Smart Chain Token Bridge Hack #blockchain PT Swarm's Andrey Bachurin explains the technical details behind one of the largest crypto heists, affecting the BSC Token Hub bridge of Binance Smart Chain, an EVM-compatible blockchain used to build various decentralized applications. The attackers withdrew 2 million BNB from the bridge protocol, a total of $586 million.
Laundering chain of stolen funds
🙏 Support us
Enjoy reading the Security Pills newsletter? Consider sponsoring our next edition. You can also share us with your friends and follow us on Twitter.
🥇 dForce Network — On February 10th, the DeFi aggregator platform dForce Network suffered a read-only reentrancy attack in the Curve pool, allowing the attacker to make a profit of approximately $3.65 million.
🥈 LianGo Protocol — On February 7th, an attacker exploited LianGo Protocol by compromising the private key of the LGT Pool owner, leading to a loss of $1.60 million.
🥉 CoW Protocol — On February 7th, CoW Swap's settlement contract suffered an exploit wherein a hacker was able to drain approximately $166,000 from the contract.
yAcademy Block IV: Peter Kacherginsky - Blockchain Threat Intel — Coinbase's Peter Kacherginsky provides an inside view on the process of analyzing real-world smart contract hacks.
Generating ETH from thin air: Aurora Rainbow Bridge Withdrawal logic bug — Grzegorz Niedziela chats with Michał about the security vulnerability affecting Aurora's Rainbow bridge.
Degatchi on Reverse Engineering and MEV — Devs Do Something interviews DeGatchi exploring his learning process and journey on getting into MEV and building tooling like bytecode and calldata decoders.
Fuzzing Solidity/Ethereum Smart Contract using Foundry/Forge — Fuzzing Labs' Patrick Ventuzelo shows how to run and customize Foundry/Forge to fuzz an Ethereum smart contract in Solidity.
rsu-cracker — Tool to crack RandomStringUtils and Java's default java.util.Random.nextInt(bound) when bound is odd.
halmos — Symbolic bounded model checker for Ethereum smart contracts bytecode.
storage-slots — Easily query EIP-1967 and custom storage slots for contracts on any EVM chain.
Critical Thinking Ep.6 Mobile Hacking Attack Vectors — In this episode they sit down with mobile hacking legend Joel Margolis and get the scoop on his approach to popping bugs on Android.
Using a Flipper Zero to access API source code on IoT devices — Dana Epp describes how to use a Flipper Zero to access the file system of an IoT device (Hak5 Wifi Pineapple), obtaining access to source code and API artifacts.
Cloudflare bypass: Discover IP addresses of Web servers in AWS — Carlos Polop writes about how to uncover the origin IP address of a Cloudflare-fronted application by scanning the AWS IP ranges, and how to use Trickest's workflow automation to do so at scale.
📧 Wrapping up
If you enjoyed this newsletter and think others would too, it would mean a lot to us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email; I'd love to get in touch with you.