Twitter 2FA, Server-Side Prototype Pollution, AI Security & Privacy, Smarter Testing – ASW #230
Twitter 2FA goes away, safe testing for server-side prototype pollution, OWASP's guide on AI security & privacy, Adobe's approach to smarter security testing, a fast web fuzzer
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Hosts
- 1. Analysts Slam Twitter’s Decision to Disable SMS-Based 2FA
It's a bad step to tie security to premium features. SMS-based 2FA is also the weakest of the available options: one-time codes sent by text are exposed to SIM swapping and carrier-side interception. Phone numbers are easier to manage and more portable than authenticator apps, but authenticator apps are almost always better in the long run, as long as they can be backed up and recovered in case of a lost device.
This is also a lesson in communications. Even if the change is motivated purely by the cost of sending text messages, it would have been helpful to launch a campaign encouraging everyone to shift to authenticator apps, or at least to make clear that users have that alternative for 2FA.
The bigger picture is that, as of December 2020, only about 2.3% of Twitter users had 2FA enabled at all, and roughly 80% of those relied on SMS. Looking at this from an appsec perspective, focusing on SMS ignores the larger problem that the vast majority of users don't use 2FA in the first place.
Another article walks through how to set up 2FA. All apps should support 2FA without additional cost to the user.
- 2. Server-side prototype pollution: Black-box detection without the DoS | PortSwigger Research
Really cool, detailed research on identifying flaws in server-side JavaScript apps. It's a good review of prototype pollution and an even better review of crafting safe, reliable payloads. Because a polluted Object.prototype is shared by every ordinary object in the Node process, a careless probe changes behavior for every request, and it's easy to DoS a site with this kind of testing. That, of course, means there's a bug to fix. But it's more useful to be able to probe for this kind of vuln without taking down the site for everyone else.
Every pentester likely has at least one story about a test gone wrong: a payload that shut down a service or erased data. This article shows how to be deliberate and careful with security testing in order to keep those stories rare.
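As an added example (not PortSwigger's code, and not from any real application), here is the merge bug that lets a JSON body reach Object.prototype, a hardened merge beside it, and a probe in the spirit of the research: it pollutes a formatting setting whose effect is visible in the response but harmless to the app, then undoes the pollution. The `settings['json spaces']` lookup stands in for how Express reads app settings from a plain object when serialising `res.json()` output; that mimicry, the `handle()` wrapper and the request bodies are all constructed for this example.

```javascript
// Added example for these show notes, not PortSwigger's code. Shows the merge
// bug behind server-side prototype pollution, a hardened merge, and a probe
// that is observable in the response without breaking the app.

// Vulnerable: a recursive merge that walks every enumerable key. JSON.parse
// produces an own "__proto__" property, target["__proto__"] resolves to
// Object.prototype, and the recursion writes attacker keys onto it.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip the keys that reach the prototype chain, copy only own keys,
// and never descend into an inherited property of the target.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Stand-in for an app setting read from a plain object (assumption: this mimics
// Express reading app.settings['json spaces'] when it serialises res.json()).
// An unset value means compact JSON; a polluted value means indented JSON.
const settings = {};
function renderJson(body) {
  return JSON.stringify(body, null, settings['json spaces']);
}

// One request: merge the JSON body into a fresh object, then render a response.
function handle(rawBody, merge) {
  const parsed = JSON.parse(rawBody);
  merge({}, parsed);
  return renderJson({ ok: true });
}

// Constructed request bodies: a baseline and a low-impact probe that only
// changes whitespace in the response, so the app keeps serving other users.
const BASELINE = '{"name":"probe"}';
const PROBE = '{"name":"probe","__proto__":{"json spaces":2}}';

// Always undo the pollution afterwards so later requests are unaffected.
function cleanup() {
  delete Object.prototype['json spaces'];
}

// Returns true when the probe changed the response shape, i.e. the merge
// is vulnerable; false when the response is byte-for-byte unchanged.
function probe(merge) {
  cleanup();
  const before = handle(BASELINE, merge);
  const after = handle(PROBE, merge);
  const polluted = before !== after;
  cleanup();
  return polluted;
}
```

The probe is detectable because the response changes shape while the request still succeeds. A black-box tester cannot run `cleanup()` on the target, which is exactly why the choice of a harmless property matters: polluting something every request depends on is where the DoS stories come from.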
- 3. OWASP Kubernetes Top 10 – Sysdig
This is a nice overview of the Top 10 K8s issues from OWASP. It highlights three themes: misconfigurations, lack of visibility, and vulnerability management.
The OWASP cheatsheet has more details. There's also another checklist and a checklist from k8s itself. Eventually, we'll have better default security and less need for long checklists.
- 4. OWASP AI Security and Privacy Guide
OWASP has a new project on AI security and privacy. Right now it has an overview of common attacks against ML models along with pitfalls of training data.
- 5. Black Hat to Launch Official Certification Program
We haven't talked about certifications on the show, but we should! Now Black Hat is getting into the certification business. The current syllabus is half web hacking and half infrastructure hacking. The web hacking side basically looks like items from the OWASP Top 10 and PortSwigger articles (shout out to directory traversal vulns!). The infrastructure side seems heavy on corp IT, with Active Directory and lateral movement techniques.
It's interesting to see where this kind of cert focuses attention. For example, there's mention of S3 buckets and Docker escapes, along with "common security weaknesses" in the cloud.
More details at https://secops.group/blackhat-certified-pentester-bcpen/
- 6. TOOL: ffuf: Fast web fuzzer written in Go
Fuzz Faster U Fool (ffuf) is a Go-based web fuzzer that turns wordlists and patterns into HTTP requests to discover directories, virtual hosts and usernames, and otherwise fuzz parameter names and values. While its pronunciation may be mysterious, its utility in discovering resources makes it a top choice for bug bounty researchers. The fuzzer might find unprotected pages, bypasses of weak security checks and poor regexes, misconfigurations, and exploitable flaws.
Additional resources:
p.s. here at ASW we pronounce it to rhyme with tough, just like Billy Ocean
- 7. npm flooded with 15k spam packages with phishing links
It feels like a time of reckoning is coming for npm.
- 1. Cyber attacks work because CISOs don’t do basic security: Microsoft
This somewhat controversial article argues that CISOs aren't doing the basics right, resulting in breach after breach. The author gives several points as to what CISOs could be doing better and makes some...strongly worded arguments in the process.
- 2. Dole Experiences Cybersecurity Incident
Dole recently experienced a cyber incident that was identified as ransomware. While it is unclear based on their statement how much this incident has impacted their operations, other sources say that Dole had to shut down one of their plants for a day, impacting the availability of their salad products in grocery stores.
- 1. Adobe targeted appsec testing
Adobe is pivoting to a model where they focus their security testing on the types of attacks actually being observed against their products. That sounds simple, but doing it with intention across a product line the size of Adobe's is impressive.
More notable, though, is the Adobe Trust Center, also mentioned in the article: customers who sign an NDA can review the pentest results and security whitepapers for various products.
- 2. npm flooded with 15k spam packages with phishing links
- 3. Fish shell plans to “port” to Rust
This will be interesting to watch: the maintainers of the Fish shell are planning a "port" (not a rewrite, definitely not a rewrite) of fish from C++ to Rust, pointing to things such as memory safety and...C++ header files?
Anyway, the reason this will be interesting is that it's well planned (https://github.com/fish-shell/fish-shell/blob/master/doc_internal/fish-riir-plan.md), it's happening in public, and they're already cognizant of a few issues: not everyone on the existing team knows Rust (or perhaps wants to learn), bugs may be introduced, and it will probably require pausing feature development while the port is worked on.
- 4. Crypto Wallet Firm claims magic links have critical vulnerability
- 5. Salesforce web3 guy: “the wallet is the new cookie”
To me, browser cookies don't have a positive connotation?