💊 Security Pills - Issue 56

πŸ” Uncovering Critical Vulnerabilities in Jenkins | 🐞 Debugging your GitHub Actions | πŸ”‘ Mastering Privilege Management for Developers

Release Date: 18th February 2025 | Issue: 56

The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news: 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Sponsor
Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on quality content, while helping people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!

🛠️ Application Security

📑 How to create a Secure, Random Password with JavaScript | 👀 Hanno Böck
Hanno explores various methods for creating secure, random passwords in JavaScript, highlighting the importance of using a secure randomness source, steering clear of floating-point numbers, and avoiding modulo bias. A valuable refresher on the key concepts of secure password generation.

πŸ› οΈ deluder | πŸ‘€ Michal VΓ‘lka
A tool for intercepting traffic of proxy unaware applications. It is based on Frida and uses dynamic instrumentation to intercept communications in common networking libraries such as OpenSSL, GnuTLS, SChannel, WinSock and Linux Sockets.

πŸ› οΈ pphack | πŸ‘€ Edoardo Ottavianelli
A client-side prototype pollution scanner.

πŸ› οΈ Jira-Lens | πŸ‘€ Mayank Pandey
A vulnerability scanner for JIRA, featuring more than 25 checks, including CVEs and disclosures, for the targeted JIRA instance.

πŸ›‘οΈ Blue Team

📑 Countering DDoS attacks with the power of cloud | 👀 James DeLeskie
An exploration of the rise and evolution of DDoS attacks, and how hyperscale clouds can effectively mitigate these threats.

 β˜οΈ Cloud Security

📑 Conditional Love for AWS Metadata Enumeration | 👀 Daniel Grzelak
Interesting research on enumerating AWS metadata, such as resource tags and account IDs, from public resources. Expanding on Ben Bridts' previous work, Daniel presents 🛠 conditional-love, a tool designed to automate the enumeration process.

📑 (An Attempt at) Detecting Managed Identity Abuse | 👀 Ryan Hausknecht
Ryan examines managed identities, differentiating between system-assigned and user-assigned types and their potential misuse. The article details abuse detection methods using the logging capabilities of Azure and Entra, and proposes enhancements for better security monitoring.

🤖 Artificial Intelligence

📑 Mitigating Security Risks in RAG LLM Applications | 👀 Ken Huang | 📚 23 min.
Ken delves into the architecture of Retrieval-Augmented Generation (RAG) systems, identifying potential security risks at each stage and recommending mitigation techniques for RAG-based Large Language Model (LLM) applications. The author aims to equip developers with actionable insights for creating more secure LLM applications utilizing the RAG architecture.

βš”οΈ Red Team

📑 Visualizing ACLs with Adalanche | 👀 Lsec
Adalanche is a tool that enumerates and visualizes ACLs in Active Directory, helping to identify potential attack paths and misconfigurations. It works as both a collector and a visualizer, making it a versatile tool for analyzing Active Directory environments. Unlike BloodHound, Adalanche does not require a database or additional software, which makes it easier to deploy and use.

📦 Supply Chain

📑 Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins | 👀 Yaniv Nizry
Yaniv details critical security vulnerabilities found in Jenkins that allow attackers to read arbitrary files, escalate privileges to admin, and execute arbitrary code on the server. The vulnerabilities were fixed in Jenkins 2.442 and LTS 2.426.3.

🕵 Threat Hunting

📑 Rust Won't Save Us: An Analysis of 2023's Known Exploited Vulnerabilities | 👀 Zach Hanley
An in-depth look at the leading causes of vulnerabilities and how threat actors exploit them. Zach analyzes all critical vulnerabilities from the 2023 CISA KEV catalog to determine whether industry efforts align with the threat vectors currently being exploited.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, it would mean a lot to us if you forwarded this email to other people who may enjoy it as well. You can also reply to this email; I'd love to get in touch with you.

Thanks,
Sebas
@0xroot | @secpillsnews