Security Pills - Issue 40

Release Date: 27th March 2023 | Issue: 40 | Subscribe

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

こんにちは 👋🌸,Hope you all had a great weekend!I had some spare time this week to go through a few articles that I had in my backlog. I hope you find them as interesting as I did. This has been a wild week for DeFi protocols and blockchains. There have been plenty of rug pulls and exit scams. Euler's finance exploiter has returned some of the stolen funds (It still amazes me how Web3 has turned into this Wild West thing, with hackers stealing funds and negotiating a bounty.) Also, Do Kwon (Terra-Luna Coins Founder) has been arrested in Montenegro.One cannot even go on holidays for a week... sic 😅As always, if you haven't already, make yourself a cup of coffee (Japan's coffee is awesome! ☕️), find a cozy spot, and let's get into this week's newsletter! 🚀

🛠 Appsec

Harvesting logs for fun and profitApplication logs serve two important purposes. On one hand, they provide observability into what is happening and what has happened, which is essential for debugging and monitoring. On the other hand, they can potentially expose sensitive information, so it is important to be careful about what information is logged. In this article, Gerald Benischke explains which pieces of information should be avoided, such as personally identifiable information (PII) and account credentials, and how to handle logging at scale using an ELK stack.

Node.js multithreading with worker threads: pros and consThis article by James Walker explores the pitfalls of worker threads in JavaScript and how they differ from multithreading in other programming languages. The article also introduces five libraries that make it easier to use the worker_threads module.

Debugging WebRTC, IPFS & Ethereum with HTTP ToolkitTim Perry has added support for WebRTC, IPFS RPC, and Ethereum RPC to HTTP Toolkit, which allows for interception, inspection, and modification of network interactions at a low level. In this article, Tim provides a detailed explanation of how to use HTTP Toolkit to debug these protocols and gives a glimpse into how these features were implemented.

A hacker's guide to SSL certificatesProjectDiscovery delves into SSL and TLS protocols, explaining how to use certificates for reconnaissance, common misconfigurations that may affect them, and how to use tools like TLSx to find vulnerabilities during a penetration test.

Mitigating SSRF in 2023Laurence Tennant from Include Security reviews various methods of triggering server-side request forgery (SSRF) and discusses the most effective mitigation techniques. Drawing on his experience with security penetration testing, he explores techniques such as request proxying and zero-trust security architectures that require authentication for internal HTTP services as mechanisms to prevent SSRF attacks.

⛓ Blockchain

The role of MEV in DEX arbitrageFinoa explains how Miner Extractable Value (MEV) works, what MEV attacks are, and how they differ from legitimate MEV arbitrage.

Top 10 Hacking Techniques of 2022OpenZeppelin, has collaborated with a community of Web3 security experts to document the top security research from 2022. This effort aims to promote best practices and effective security measures across the industry, and the resulting document is a valuable resource for anyone interested in Web3 security.

zk-SNARK Concepts Explained Like You're 15Jackson Kelley provides a friendly introduction to different concepts related to zk-SNARKs, a type of zero-knowledge proof used in blockchain technology. The article covers topics such as interactive proofs, the Flat-Shamir transformation, and the Schwartz-Zippel lemma, making it a useful resource for anyone who is unfamiliar with these concepts.

Exploring Unconfirmed Transactions for Effective Bitcoin Address ClusteringThis research paper explores the effectiveness of combining unconfirmed and confirmed transactions for clustering Bitcoin addresses. The paper provides insights into the clustering algorithm used by Bitcoin explorers and proposes a new algorithm that is more effective at clustering addresses.

Encrypted MempoolsJon Charbonneau writes some thoughts on encrypted mempools and how helpful they are in addressing MEV and censorship. The basic idea is to allow users submit encrypted transactions and block producers commit to these transactions without decrypting them.

Five Myths about Formally Verifying Smart ContractsMooly Sagiv writes on formal verification and how it can be used as a standard practices in smart contracts to improve the ecosystem's security. As formal verification is not commonly used in many software applications, there are misconceptions around it. Mooly attempts to provide a better understanding of this emerging technology, its challenges and limitations by going through five different myths:

1. Proofs vs bugs

2. The most complex problem in formal verification is its computational cost

3. Formal verification has to be done once when the code is stable

4. Formal verification has to be performed precisely, modeling the exact machine semantics

5. Formal verification produces bulletproof code

Ethereum Virtual Machine Language Designjtriley examines the state of the art in EVM domain-specific language (DSL) design, covering Solidity, Vyper, Fe, Huff, Yul and ETK while using the most recent compiler versions

Understanding Block Timestamp ManipulationNeptuneMutual continues with their series on smart contract vulnerabilities with this new article on block Timestamp manipulation and how it can be used to perform an attack on a DeFi project.

You can also check their two previous articles on Solidity Integer Overflow and Underflow, and Front Running Attack.

🗳 Kubernetes

Kubernetes Security Part 1 - Security ContextsIn his exploration of Kubernetes security, Shishir Subedi examines multiple strategies to safeguard both the Kubernetes cluster and its associated applications. Shishir accomplishes this by creating a vulnerable application to exhibit how an attacker could exploit it and then utilizes several Kubernetes features to protect the application or mitigate the impact of these vulnerabilities.

Kubernetes Security Part II - Network PoliciesSecond part of the Kubernetes security series written by Shishir Subedi. In this article, Shishir continues using the same Flask vulnerable application and explores network policies and how they can effectively reduce the attack surface of AWS EKS clusters.

A complete kubernetes config review methdoologyStefan Tita has created a comprehensive guide that covers all the essential components to consider when conducting a Kubernetes security assessment. The guide offers a detailed examination of topics like image and container scrutiny, configuration analysis, and permissions/RBAC, among others, while providing insights into industry best practices and crucial considerations that should be taken into account while performing a security review of Kubernetes.

Fun with SSRF - Turning the Kubernetes API Server into a port scannerRory McCune writes on how is possible to leverage an existing functionality on Kubernetes to perform scans from the perspective of the API server using validating admission webhooks.

🛠 Appsec

SSRF Cross Protocol Redirect BypassDoyensec's Szymon Drosdzol delves into an SSRF vulnerability discovered in the request library of NodeJS, a deprecated dependency with over 18 million weekly downloads. In this article, Szymon demonstrates how an attacker can bypass any anti-SSRF mechanisms injected into this library by redirecting the request to another protocol. He has also released a Semgrep rule to make it easier to find this issue.

PHP Filter Chains: File read from error based oracleSynacktiv's Remi Matasse details different chain tricks that could be used to leak a file's content via an error-based oracle. Remi also discusses different vulnerable patterns and limits that can be used. Including a tool to automate the exploitation of this vulnerability.

⛓Blockchain

Pseudonym Input Vulnerability in Circom's Verification ContractSlowmist has written a technical walkthrough on a double-spending vulnerability identified in a ZKP verification contract on Semaphore.

BitGo Wallet Zero Proof VulnerabilityThe Fireblocks cryptography research team has identified a vulnerability in the BitGo implementation of the Ethereum (ECDSA) self-managed wallet. The vulnerability could be exploited by an attacker to steal the secret share held by the counterparty (either BitGo or the client) in the TSS protocol. Exploiting the vulnerability would allow an attacker to bypass all security measures, gain access to the wallet, and steal all the funds within it. BitGo has since patched the vulnerability.

Security vulnerabilities in popular Web3 Transaction Simulation solutionsZenGo's Vazi and Tal Be'ery have published details of a vulnerability they discovered, dubbed 'Red Pill,' that affects transaction simulation solutions, wallets, and extensions from various Web3 vendors. If exploited, the vulnerability allows attackers to manipulate transactions and deceive users into sending funds to the attacker's address instead of the intended recipient. The researchers have notified the affected vendors and provided guidance on mitigations.

Hack Analysis: BonqDAOgmhacker.eth has published a detailed technical walkthrough of the hack that targeted the BonqDAO protocol in February, resulting in the loss of around $120 million worth of funds due to a price oracle manipulation attack. The incident highlights the importance of not relying solely on spot prices to calculate debt, interests, or other financial values. Instead, time-weighted average values or decentralized price feeds should be used.

Deposit Front-run Vulnerability MitigationA front-run vulnerability in the EthStakingStrategy contract was identified and reported to the Tranchess team via Immunefi. An authorized node operator which could be able to transfer out a limited amount of the strategy funds awaiting deposit. At the time the finding was reported, a total of 448 ETH were at risk. The article provides technical details on the vulnerability and what mitigations have been implemented to avoid its exploration

1. 🥇ASKACR Token — On March 21, 2023, the ASKACR Token on BNB Chain was exploited, resulting in a total loss of 85 BNB, worth approximately $28,400.

2. 🥈Indexed Finance — A flashloan attack on ORCL5 token contract resulting in a loss of ~$9900.

3. 🥉FastSwap — A flashloan attack on Fast Swap Dex (FAST) resulting in a loss of ~$8,000.

🎥 Videos

• Devtooligan on Huff, Audits & Following Curiosity  — A deep dive into Huff and how to get better at smart contract security, among other topics with Devtooligan.

• Security Education and Assessment Lab with Rajeev 

• Optimal Front Running Attacks & How to Stop Them — Max Resnick unveils the secrets behind front running attacks and how to mitigate them.

• Damn Vulnerable DeFi Creator & ETH Security Researcher Tincho — Patrick Collins interviews Tincho, which will go through his audit process on ENS.

⌨️ Repositories/Tools

• Paradigm Data Portal  — Open source cryptocurrency datasets for researchers and tool builders.

• 0xdeadbeef0x/APG — Auditor Profile Generator, a tool to gather all your findings from different Web3 audit platforms in one place.

• blacklanternsecurity/badsecrets — A pure python library for identifying the use of known or very weak cryptographic secrets across a variety of platform.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.

Thanks,Sebas@0xroot | @secpillsnews