Security Pills - Issue 5

5 Considerations when choosing BB platform, Investigating a hacked Linode Server, Dependency Confusion vulnerabilities

Release Date: 25 Jul 2022 | Issue: 5 | Subscribe

The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Sponsor

Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on appsec, mobile and smart contracts while helping people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!

Hey there 👋, hope you had a great weekend. Another week, another newsletter, enjoy it!

— Sebas

Your weekly prescription 💊

  • Articles: How I Met Your Beacon, Cloud is more fun with an SSRF, API Key, a Key to Credential Leakage and Manipulation, Analysis of the Uniswap Phishing Attack, ProjectDiscovery's Best Kept Secrets, Dependency Confusion vulnerabilities, 5 considerations when choosing a bug bounty platform, Defeating JavaScript Obfuscation. Vulnerabilities and Bug Bounties: Auditing WordPress Plugins, Multiple Vulnerabilities in Nuki Smart Locks, Investigating a Hacked Linode Web Server, Most common smart-contract vulnerabilities, Balancer DoS BugFix review, Exploiting a Blind SQL Injection via XSS.

  • Miscellaneous: Recommended cybersecurity books, Good Managers Write Good, Struggling with Procrastination.

  • Resources: Hot trends for 2022, The Same Origin Policy, Recon and Breaking into Cybersecurity, Silk Road pt2. The Amazon of drugs, Security Conversations #85.

Articles

How I Met Your Beacon Part 1 (Overview) | Part 2 (Cobalt Strike)

Research conducted by MDSec on a number of effective strategies for hunting for beacons, through different case studies on both commercial and open source frameworks.

Cloud is more fun with an SSRF

SpiderSilk explores SSRF test cases that would allow a malicious actor to gain remote code execution on an AWS instance. They have prepared a vulnerable environment to practice and learn the techniques described in the article.

API Key, a Key to Credential Leakage & Manipulation

Researchers found more than 3,100 Django and Laravel web applications that had Debug Mode enabled. Although debug mode is often turned on for convenience during development, it also exposes sensitive information in error messages once enabled. This article condenses different techniques for searching for potential secrets on vulnerable hosts through the CriminalIP service.

Analysis of the Uniswap Phishing Attack

Tens of thousands of addresses received malicious tokens pretending to be from Uniswap. Once the victims tried to claim the tokens, they were redirected to a phishing site asking them to claim their rewards. As a result, attackers stole 7,570 ethers and sent 7,500 of them to Tornadocash. This article is SlowMist's investigation of how the attack was carried out.

Transactions to Tornadocash

ProjectDiscovery's Best Kept Secrets

A tour of ProjectDiscovery's less-known public tools, and how to use them, by Ben Bidmead (@pry0cc). If you are active in the offensive security industry or bug bounty, it's probable that you are familiar with tools like nuclei, httpx or subfinder. These tools were built by ProjectDiscovery; however, there are a few other less-known tools that can help you smooth out your testing methodology and make your life easier. Follow Ben in this article, where he explains other PD tools like proxify, uncover, notify and mapcidr, among others.

Why is it so hard to study Dependency Injection?

Doyensec has conducted research on Dependency Confusion vulnerabilities, creating an all-around tool (Confuser) to test and exploit potential Dependency Confusion vulnerabilities in the wild. To validate its effectiveness, they looked for issues in top ElectronJS applications on GitHub, and the results will surprise you.

Dependency confusion is an attack against the build process of the application. It occurs as a result of a misconfiguration of the private dependency repositories. Vulnerable configurations allow downloading versions of local packages from a main public repository (e.g., registry.npmjs.com for NPM). When a private package is registered only in a local repository, an attacker can upload a malicious package to the main repository with the same name and higher version number. When a victim updates their packages, malicious code will be downloaded and executed on a build or developer machine.
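As an added example (not from the newsletter or from Doyensec's Confuser), the check below reads a `package.json` and an `.npmrc` and flags the two configurations the paragraph describes: a private package whose name is unscoped, and a scoped package whose scope has no registry pinned, so npm may fall back to the public registry for it. The package names, registry URL and `.npmrc` contents are constructed for the example; the same logic applies to `devDependencies`, which the text does not mention.

```python
import json
import re

# One scoped-registry line in .npmrc, e.g. "@acme:registry=https://npm.acme.example/"
SCOPE_RE = re.compile(r"^(@[^:=]+):registry=(\S+)$")

def parse_npmrc(text):
    """Return {scope: registry_url} for every scoped registry line in .npmrc."""
    scopes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SCOPE_RE.match(line)
        if m:
            scopes[m.group(1)] = m.group(2)
    return scopes

def find_confusable(package_json, npmrc, private_names):
    """Return (name, reason) pairs for dependencies that could resolve to the public
    registry: a known-private package with no scope (anyone can publish that name
    with a higher version), or a scoped package whose scope .npmrc does not pin."""
    pkg = json.loads(package_json)
    deps = {}
    for key in ("dependencies", "devDependencies"):
        deps.update(pkg.get(key, {}))
    scopes = parse_npmrc(npmrc)
    findings = []
    for name in sorted(deps):
        if name.startswith("@"):
            scope = name.split("/", 1)[0]
            if scope not in scopes:
                findings.append((name, "scope %s has no registry pinned in .npmrc" % scope))
        elif name in private_names:
            findings.append((name, "private package is unscoped; public name is claimable"))
    return findings

# Constructed sample project (hypothetical names, not a real package set).
SAMPLE_PACKAGE_JSON = """{"dependencies": {"express": "^4.18.0",
  "acme-auth-utils": "^1.2.0", "@acme/logger": "^2.0.0", "@acme-ops/deploy": "^0.3.1"}}"""
WEAK_NPMRC = "registry=https://registry.npmjs.org/\n"  # weak: every name resolves publicly
FIXED_NPMRC = WEAK_NPMRC + ("@acme:registry=https://npm.acme.example/\n"
                            "@acme-ops:registry=https://npm.acme.example/\n")
PRIVATE_NAMES = {"acme-auth-utils"}  # the org's internal, unscoped package

if __name__ == "__main__":
    for label, rc in (("weak", WEAK_NPMRC), ("fixed", FIXED_NPMRC)):
        print(label, find_confusable(SAMPLE_PACKAGE_JSON, rc, PRIVATE_NAMES))
```

With the pinned scopes the two `@acme*` packages drop out of the findings, while the unscoped private name is still reported: pinning a scope fixes only scoped packages, so an unscoped internal package needs to be moved under a scope.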

5 considerations when choosing a bug bounty platform

Assessing a bug bounty platform can be an overwhelming process that leaves you uncertain about how to make the right choice for your company's cybersecurity needs. Intigriti proposes five main factors to take into consideration when choosing a bug bounty platform:

5 factors for choosing a bug bounty platform

  • Success Management — Creating and maintaining a bug bounty program with minimal friction.

  • Triaging Services — Outsourcing the responsibility of vetting every submission received for validity and filtering out duplicates. This saves your team time and helps your organization prioritize bugs by severity faster.

  • Community Engagement — Crowdsourcing and crowd engagement. Check how the platform engages and attracts talent.

  • Pricing — Each platform has a different pricing model, and it is completely worth getting granular on this before committing to one platform. Watch out for unexpected costs.

  • Data Security & Platform — Ensure the bug bounty platform complies with GDPR if their business is in the EU, and that they help you increase your security posture rather than expose you to additional risk.

Defeating JavaScript Obfuscation

Ben Baryo has published his open source JavaScript deobfuscator tool, REstringer. The article is an interesting walkthrough of the different obfuscation techniques the author has observed while conducting code analysis, and how he approaches each scenario.

Hey, if this email was forwarded to you, or if you are coming from any other social media and have enjoyed our content, maybe you can support us by subscribing to our newsletter and forwarding this email.

Vulnerabilities and Bug Bounties

Auditing WordPress Plugins

Over the past three months, Cyllective has been doing WordPress plugin security research, which helped them optimize their process for spotting security issues affecting WP plugins. After reviewing nearly 5,000 plugins, they identified a total of 35 vulnerabilities which could have been exploited by unauthenticated attackers.

Multiple Vulnerabilities in Nuki smart locks

NCC Group identified a total of 11 vulnerabilities affecting the availability, integrity and confidentiality of different Nuki products.

Investigating a Hacked Linode Web Server

Interesting autopsy done by Trunc on a Linode host that was being misused for an outbound Denial of Service attack. Hacked environments are always an interesting puzzle to work through. In this case, having sysstat enabled really helped to identify the process that was causing issues, an Apache instance. From there, the system logs and Apache logs helped complete the story.

What are the most common smart contract vulnerabilities?

A thread by Adrian Hetman:

Balancer DoS Bugfix Review

Back in May, ChainSecurity employee Kenan Bešić (@k_besic) found a potentially exploitable Denial of Service affecting the Balancer protocol. This vulnerability could be triggered by emptying double entry-point ERC-20 tokens through Balancer's flash loans. Disclosing this vulnerability to Balancer resulted in a $50,000 USDC bounty for Kenan. The article dives deep into the exploitation process that was followed.

WordPress Transposh: Exploiting a Blind SQL Injection via XSS

A tale of eight different security vulnerabilities affecting the Transposh Translation Filter plugin for WordPress, which resulted in three different chained attacks to achieve privilege escalation from an unauthenticated visitor to administrator. The researcher, Julien Ahrens (MrTuxracer), obtained more than $30,000 in bounties.

Miscellaneous

In my time observing managers, one observation seems to repeat again and again: good managers write well, and bad managers write poorly. In fact, the best managers I’ve ever seen were not just good writers, they were terrific. And the worst managers I’ve ever had were not just bad writers, they were uncommonly bad.

I’ve started to reflect more on why this might be the case, as well as the implications of this trend.

 πŸ™ Support us

Enjoy reading the Security Pills newsletter? Consider sponsoring our next edition or buying me a coffee. You can also share us with your friends and follow us on Twitter.

Resources

🎥 Videos

  1. What you need to learn in 2022? Top 3 hot trends — Ben Sadeghipour (Nahamsec) shares his suggestions about what to learn, including one trend that is gaining a lot of momentum in 2022.

  2. The Same Origin Policy: Hacker Story — In 1995 Netscape invented JavaScript (LiveScript), and it marked the start of client-side web security issues. In this video we explore this history and learn about the same origin policy (SOP).

  3. @seclilc Talks About Hacking, Recon and Breaking Into Cybersecurity

⌨️ Repositories

  1. projectdiscovery/tlsx — A fast and configurable TLS grabber focused on TLS-based data collection and analysis.

  2. enkomio/AlanFramework — A post-exploitation framework useful during red-team activities.

  3. Fare9/KUNAI-static-analyzer — Tool aimed at providing binary analysis of different file formats through the use of an intermediate representation.

  4. vletoux/PingCastleCloud — Ping Castle Cloud is a tool designed to quickly assess the AzureAD security level with a methodology based on risk assessment and a maturity framework. It does not aim at a perfect evaluation but rather at an efficiency compromise.

  5. Pentester's Promiscuous Notebook — Gitbook from snovvcrash with his pentest notes.

πŸŽ™οΈ Podcasts

  1. Security Conversations #85 — Marty Roesch shares stories from the creation of Snort in the 1990s, building Sourcefire into an IDS/IPS powerhouse, the disappointment of the U.S. government killing an acquisition, the $2 billion Cisco exit, and more.

  2. Malicious Life - Silk Road pt. 2: The Amazon of drugs — Silk Road's success did more than bring the site more sellers and buyers; it also brought it more attention from law enforcement agencies as well as malicious hackers and other shady characters. Some of these shady characters, it turns out, were part of the task force aiming to shut down Silk Road...

📧 Wrapping up

If you enjoyed this newsletter and think others would too, it would mean a lot to us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email; I'd love to get in touch with you.

Thanks,
Sebas
@0xroot | @secpillsnews

If you liked this newsletter from Security Pills Newsletters, why not share it?