ASW #225 – Dan Moore

Every app relies on secrets. How you rotate them is a reflection of maturity in tools and processes. When you rotate them is...sometimes influenced by breaches. We'll be hearing about CI/CD hardening and third-party risk throughout 2023 -- which isn't much of a surprise.

Read the disclosure from CircleCI at https://circleci.com/blog/january-4-2023-security-alert/

Web interfaces and connected systems are bug bounties waiting to happen. Here's a roundup of several dead simple techniques (like hard-coded secrets and trivial SQL injection) and some patience (fuzzing paths to find security bypasses). It shows how much of car hacking can still be successful without access to the car itself. After all, not everyone has a spare Ferrari in the garage to experiment with.

This is the kind of bounty that can pay for a car (see the previous article web apps and car hacking).

It's also a great writeup that starts with an "I wonder" about hacking Google smart speakers, then walks through intercepting web traffic, looking at protobufs, dealing with OAuth, and Wi-Fi security. You don't have to be an expert on any of those topics to follow the techniques and the tools covered are useful in all sorts of situations, especially if you like to hack on IOT and smart home devices.

The gpsoauth library is at https://github.com/simon-weber/gpsoauth.

Find mitmproxy at https://mitmproxy.org (you can also install it from brew!).

The movie "Office Space" is too often omitted from lists of hacking movies (as is Superman III, which in turn inspired part of the plot). "Business logic" vulns are often included on lists of hacking threats, but too often remain generic or hand-wavy.

This article combines both. Not only did a developer modify code to steal money from customers, but they then changed the code again when an audit team was discovering discrepancies.

Google's Android team has put together a short course for learning Rust. As the project notes, it might not be ideal for self-study since a lot of the material is intended for interactive discussion. But if you're trying to learn the language or teaching it to others, this could be a useful reference.

All of the material is on git.

There's also, of course, resources from the rust-lang.org site itself.

Just a quick reminder why the burden of security should start with appsec, devops, and applications instead of dumping responsibility onto users.

The OWASP Amass project is designed to "perform network mapping of attack surfaces and perform external asset discovery using open source information gathering and active reconnaissance techniques."

It's written in Golang. The project repo is at https://github.com/OWASP/Amass

We'll be highlighting different types of tools all year. Let us know what you'd like to see us include!

"Pwning the source prompts of Notion AI, 7 techniques for Reverse Prompt Engineering... and why everyone is wrong about prompt injection"

You can find the full list of notion AI prompts here

This short article suggests what types of automated security tests to run on your code both inside and outside of the ci/cd pipeline to keep up with the speed of dev and ops.

Want to learn more about OAuth inherent vulnerabilities? Check out this resource delving into how OAuth works and how it can be exploited.

We've talked through 2022 about various supply chain incidents, but this writeup is interesting in that Phylum (who focuses on Python's PyPi supply chain issues) breaks down how installing a package with pip turns into powershell running and then using a cloudflare tunnel to bypass http filtering. While I often share posts that allow us to see what good code looks like, this post lets us learn what to look for when malicious code is present.

Hyper - a popular http package for Rust applications has a function to_bytes() which performs no length checks while concatenating buffers from a http response body to a bytes. The documentation clearly mentions to developers to be careful when handling responses from untrusted sites, but still many packages - including a few popular Rust frameworks - were not paying heed to this, resulting in potential DOS situations