Security Pills - Issue 35

Release Date: 20th February 2023 | Issue: 35 | Subscribe

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Hi there 👋,Hope you all had a great weekend!There's something that caught my attention this past week: there has been yet another hack affecting a blockchain player —  I know... what a novelty, right? —  But what really stuck with me is that within hours of the hack, the community was able to identify the culprit due to bad opsec, exploit a vulnerability within the contract used to steal the funds, and recover a significant amount of the stolen funds. It's a strange world out there - what a jungle!Anyways, grab yourself a cup of coffee, find a cozy spot, and let's get into today's newsletter! 🚀

Server-side prototype pollution: Black-box detection without the DoS #appsecPortSwigger's Gareth Heyes introduces the server-side prototype pollution attack and how it can be detected in a safe manner. While modifications to the Object prototype can be removed by simple refreshing the browser, these changes can persist for the lifetime of the node process once an attacker has modified the global prototypes through a server-side prototype pollution. The article proves that safe black-box detection of prototype pollution is possible by using subtle differences in server behavior.

Detecting Server-Side Prototype Pollution #appsecIntruder's Daniel Thatcher takes a different approach to detecting server-side prototype pollution. His method relies on a common coding pattern found in many applications, where the removal of a required parameter triggers a change in the application's response, but when the parameter is added to every object in the application it leads to the suppression of any error message. By using this technique, Daniel has discovered a reliable method for detecting and preventing certain edge cases of server-side prototype pollution.

Introducing Proxy Enriched Sequence Diagrams (PESD) #appsec Doyensec's Francesco Lacerenza releases an internal tool to speed-up testing and reporting efforts in complex functional flows. Proxy Enriched Sequence Diagrams (PESD) is Doyensec's internal Burp Suite extension to visualize web traffic in a way that facilitates the analysis and reporting in scenarios with complex functional flows.

Dissecting Ethereum delegated staking from a security perspective #blockchainCoinspect Security publishes their second part on the security considerations for Ethereum Delegated Proof of Stake (DPoS) platforms, where they delve on the multiple security challenges associated with delegated staking caused by the excessive trust expected by staking platforms.

Entering the Huff Ecosystem #blockchain Pascal Merkleplant from Chronicle Labs writes an introduction to the Huff language and ecosystem by developing a non-trivial contract, while diving into writing low-level EVM code and using the new huff-rs compiler.

Has Proof of Stake Ethereum Achieved its Goals? #blockchain Infura's Patrick McCorry revisits the problematic around the use of proof of work and its replacement by proof of stake, and reflects on whether Ethereum has achieved its goals with the transition while maintaining its characteristics of being open, permissionless and trustless.

Saving Millions in 2023 with Specification-Guided Fuzzing #blockchainAccording to annual reports from 2022, a total of $3.9 billions were stolen across 134 specific incidents in the web3 ecosystem. Veridise reflects on the amount of funds stolen and presents OrCa, a specification-guided fuzzer which could have been used to avoid two notable hacks occurred in 2022 (XCarnival ~$3.8 millions and Sheep Farm ~$72,000).

The illustrated guide to S3 pre-signed URLs #cloudsecfourTheorem's Luciano Mammino writes on how to implement reliable and scalable storage workflows while taking into consideration permissions and long-running connections between clients and the server. The article details how to use S3 and leverage S3 pre-signed URLs while keeping best practices in mind throughout different uses cases.

Security Code Review With ChatGPT #machine-learningNCC Group's Chris Anley explores how ChatGPT identifies and explain different vulnerabilities in the Damn Vulnerable Web Application (DVWA) and analyzes the results and recommendations provided to resolve the issues. An interesting approach to understand how Large Language Models (LLMs) have been evolving in recent years.

cURL audit: How a joke led to significant findings #appsec Trail of Bits' Maciej Domanski on how a joke led to significant memory corruption bugs affecting cURL's command-line interface. The article describes how these issues were found affecting the libCURL development library, and potentially, any other software application using libcurl.

Helping secure BNB Chain through responsible disclosure #blockchainJump Crypto's Felix Wilhelm writes on a vulnerability they discovered in the BNB Beacon Chain, and how it could have allowed an attacker to mint an infinite number of arbitrary tokens on the BNB chain, leading to a considerable large loss of funds. The issue was reported to the BNB team, which deployed a patch solving the issue before any malicious exploitation could took place.

Beanstalk Logic Error Bugfix Review #blockchainImmunefi publishes a bugfix review on the critical logic error vulnerability that affected the Beanstalk protocol and could have resulted in a loss of up to $3.1 millions. The Beanstalk diamond proxy used a vulnerable facet library which did not check the allowance for external transfers, thus allowing attackers to receive the funds from a victim's account who had already granted approval to the Beanstalk contract for the transfer of the given token.

Submitting malicious transactions into a crypto wallet on behalf of any dApp #blockchain Quantstamp's Pavel Shabarkin writes on two security vulnerabilities identified within the WalletConnect protocol that could allow the submission of malicious transactions into a crypto wallet on behalf of any dApp.

EmojjiDeploy: Smile! Your Azure Web Service Got RCE'd #cloudsec Liv Matan from Ermetic's research team discovered a one-click remote code execution vulnerability affecting services as Function Apps, App Service and Logic Apps on Azure cloud. The vulnerability could enable attackers to fully take over a victim's application and managed identity token, allowing them to pivot into other Azure services.

1. 🥇Platypus Finance — lost $8.5 millions to a flash loan attack on its new stable coin. The culprit was identified few hours after the hack via their ENS address, and the Playtpus team could recover $2.4 millions USDC from the attacked contract.

2. 🥈Dexible — lost $2 millions to a logic exploit. The vulnerability allowed the attacker to steal funds from any wallet that had an unspent spend approval on the contract.

3. 🥉Multichain — lost 87 ETH (~ $130,000) to a front-running attack affecting the AnyswapV4Router contract.

🎥 Videos

• Devs Do Something Ep.9 @Vex_0x: Huff, Low Level Languages and the EVM —Interview to Vex on why Huff is a great language to learn for building incredibly gas efficient contracts and an educational tool for understanding the EVM at a low level.

• ZK Whiteboard Sessions — Educational series on all things zero knowledge through 17 different modules to help you become a ZK expert.

⌨️ Repositories

• awesome-huff — A curated list of resources for Huff language. A low-level programming language designed for developing highly optimized smart contracts that run on the Ethereum Virtual Machine (EVM).

• pp-finder — Tool in JavaScript that lets you find gadgets for prototype pollution exploitation.

• secret-patterns-db — Open-source database for detecting secrets, API keys, passwords, tokens, and more.

• chatgpt-arxiv-extension — A chrome extension that uses ChatGPT to enhance and summarize papers on arXiv

🎙️ Podcasts

1. Critical Thinking: Ep.7 - PortSwigger Top 10, BugBounty Tips 

📖 Writeups

• Breaking Fluidity for glory and $50K — Or Cyngiser details a vulnerability in the reward mechanism implemented within the Fluidity blockchain incentive layer. This issue could have allowed attackers to permanently lock the rewards of any user.

• Testing and deploying Huff contracts — Pranesh provides a walkthrough on how to quickly get started with testing and deploying a smart-contract written with the Huff programming language.

• Invariant Testing WETH With Foundry — Foundry introduced a new feature: invariant testing. While information on how to get started with this advanced testing technique is not abundant, horsefacts has authored a short guide that demonstrates how to write invariant tests from the ground up for Wrapped Ether, one of the most important contracts on the mainnet.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.

Thanks,Sebas@0xroot | @secpillsnews