asw187

Application Security Weekly Episode #187 – March 07, 2022

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Vulns in Markdown Parsers, Census II & Open Source Security, iCloud Private Relay – 12:00 PM-12:30 PM

Announcements

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • Join us March 10th for our next Security Weekly Unlocked webcast for an intro to KQL queries! To register visit https://securityweekly.com/webcasts. Don’t forget to check out our library of on-demand webcasts & technical trainings at https://securityweekly.com/ondemand.

Description

In the AppSec News: Finding vulns in markdown parsers, Census II and widespread open source dependencies, inside iCloud Private Relay, and cloud pentesting tools! This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them!

Hosts

JohnKinsella

John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

  1. Two more firefox bugs – “Use after free” vulnerabilities found in both XSLT and WebGPU
  2. Google and AWS WAFs bypassed with oversized post requests – This might not be completely new news, as bypassing WAFs has always been a bit of a (dark) art. The researcher here, though, put GCP at fault as they are not as transparent about how much of the request is inspected by the WAF.

    WAF inspection is expensive, especially for CSPs.

  3. Homomorphic encryption “bypassed” via side-channel attacks
MikeShema

Mike Shema

@Codexatron

Security Partner at Square

  1. Integer overflow in table parsing extension leads to heap memory corruption – A vuln that potentially turns a malicious markdown table (i.e. one with more than UINT16_MAX columns) into an RCE. It’s a classic C language error of integer math gone wrong with a bonus of unsafe memory handling. Notably the project has a fuzzing harness built in, but that fuzzing doesn’t include exercising the size boundaries for markdown features. It’s great to see the fuzzing capability (as well as explicit build options with clang’s Address Sanitizer). Sadly, it’s a reminder than integer overflow (and underflow) plus memory safety issues will always plague C, even when projects are well-maintained and curated.

    It’s also a chance to review how the devs chose to fix this flaw. It requires tracking the overflow situation, being more careful how it tracks table columns, and — since we’re in C — having to free memory for any dangling nodes that might be left behind when the parser needs to bail on errors. All in all, more than a one-line fix and makes us think again about what it would mean to track not only the payouts awarded to bounties, but also the developer costs to fixing flaws. Check out the commit at https://github.com/github/cmark-gfm/commit/cf7577d2f74289cb83de0a652afc1a8b08a37036

  2. Remote code execution vulnerability uncovered in Hashnode blogging platform – Our second markdown-based attack for this week — with an added bonus of path traversal! It’s not exactly a vuln that’s going to lead to mass compromises, but it’s a nice writeup that walks through the ideation, discovery, and refinement from being curious about an error to creating an exploit.

    What’s fun about these markdown attacks is that they’re relatively simple and have a high impact on a text-based feature, markdown, that’s had parsers around for ages. It’s easy to point to the complexity of HTML and JavaScript, where we hardly bat an eye at the idea of yet another vuln in code that parsers such content. But markdown is pretty simple, so seeing these kinds of flaws makes us question whether they were unavoidable human error, if they still could have been prevented by some type of better build analysis, or could have been detected in an automated way by some security tool. That’s not to say we want to tune processes to specific flaws, but understand if these kinds of flaws have some underlying attribute that could be targeted. After all, the answer can’t just be “use a memory safe language” –in the other article we had a mishandling of integers and heap corruption, but here we have a LFI and path traversal.

    Be sure to check out the researcher’s writeup at https://blog.dixitaditya.com/pwning-a-server-using-markdown

  3. RCE vulnerability in Dynamicweb enterprise software could allow server compromise – A theme this week is more about a variety of vulns rather than the software they’re in. This example boils down to a mistake in using Boolean AND (&&) instead of OR (||) within an if() statement.

    This example takes my mind to the idea that developers read code far more often than they write code. Hence, it’s more important that code be clear and understandable to humans than to compilers or run-time engines. But even with relatively simple code it’s still easy to make mistakes and, unfortunately, for those mistakes to have security consequences. I’d be curious what research has been done on logic statements and the mental overheard required for humans to parse them correctly — both within a clause itself and within the context of a dozen or so lines of code. Are there better patterns to follow for cascading if() statements? Are some patterns easier for humans to read and reason through?

    Check out the writeup at https://blog.assetnote.io/2022/02/20/logicflaw-dynamicweb-rce/

  4. Hundreds of Open Source Components Could Undermine Security, Census Finds – Yes, we all know open source dependencies have been and will be sources of vulns. Log4j gave us a nice reminder of the pervasiveness (and lack of patch management) for open source. This study helps quantify the problem and prioritize efforts to improve the security practices of popular projects. It covers both npms and non-npm packages. It’s a lot of familiar suspects (of course) and some packages that probably should have just been retired as no longer necessary, like isArray. Any time we can remove code, that’s a security win.

    Check out the research page, which links to the PDF of the report, at https://www.linuxfoundation.org/tools/census-ii-of-free-and-open-source-software–application-libraries/

  5. iCloud Private Relay: information for Cloudflare customers – This article appealed to me as an example of appsec as building an application — and architecture — to protect the security and privacy of users as opposed to appsec as a matter of just fixing (or preventing) vulns. It’s always nice to see security as a product feature. Plus, anything project that includes a “local pizza test” is going to get my attention.
  6. Building for the 99% Developers – I’ve linked to a few security-related cryptocurrency articles in the past and now it’s time for the first (or one of the first) articles from a VC. This article has an important message, “A FAANG-like company is different from an SMB or your typical Fortune 500 company along many dimensions, including scale needs, stance on building vs. buying, and makeup of the engineering team.”

    These ideas also apply to how companies approach security or security tooling. After all, not everyone has hundreds of dedicated security engineers. If appsec only focuses on how big corporations solve the hard problems of asset inventory, patch management, and software composition analysis (to name just a few), then we risk setting unachievable goals for smaller orgs.

  7. Cloud 9: Top Cloud Penetration Testing Tools – We’ll continue to highlight resources and tools that provide appsec capabilities. Bishop Fox put together this list of cloud-focused security tools for identifying flaws and misconfigurations within the major cloud service providers. They can also be a great educational tool if you’re building your own home labs to learn about cloud security.

2. Deep Visibility & Understanding the Underlying Data Layer – 12:30 PM-01:00 PM

Sponsored By

sponsor
Visit https://securityweekly.com/imperva for more information!

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

As the volume of API traffic increases, it becomes a greater threat to an organization’s sensitive data. Motivated attackers will increasingly target APIs as the pathway to the underlying infrastructure and database. Imperva API Security is a new product that delivers rapid API discovery and data classification — helping an organization truly protect all paths to the data, without slowing down the application development lifecycle. This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them!

Guest(s)

Lebin Chang

Lebin Cheng – Head of API Security at Imperva

@imlebin

Lebin Cheng is a technologist and serial entrepreneur with more than 20 years of experience in cybersecurity. Cheng co-founded Netskope and later cofounded CloudVector, acquired by Imperva. He was awarded 15 patents in areas such as network security, application infrastructure and API inspection. He holds an MBA degree from the Haas School of Business at the University of California Berkeley and a MS in Computer Science from Purdue University.

Hosts

JohnKinsella

John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

MikeShema

Mike Shema

@Codexatron

Security Partner at Square