1. Vulns in Markdown Parsers, Census II & Open Source Security, iCloud Private Relay – 12:00 PM-12:30 PM
Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
In the AppSec News: Finding vulns in markdown parsers, Census II and widespread open source dependencies, inside iCloud Private Relay, and cloud pentesting tools! This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them!
Google and AWS WAFs bypassed with oversized post requests – This might not be completely new news, as bypassing WAFs has always been a bit of a (dark) art. The researcher here, though, put GCP at fault as they are not as transparent about how much of the request is inspected by the WAF.
Integer overflow in table parsing extension leads to heap memory corruption – A vuln that potentially turns a malicious markdown table (i.e. one with more than UINT16_MAX columns) into an RCE. It’s a classic C language error of integer math gone wrong with a bonus of unsafe memory handling. Notably the project has a fuzzing harness built in, but that fuzzing doesn’t include exercising the size boundaries for markdown features. It’s great to see the fuzzing capability (as well as explicit build options with clang’s Address Sanitizer). Sadly, it’s a reminder that integer overflow (and underflow) plus memory safety issues will always plague C, even when projects are well-maintained and curated.
It’s also a chance to review how the devs chose to fix this flaw. It requires tracking the overflow situation, being more careful about how it tracks table columns, and — since we’re in C — having to free memory for any dangling nodes that might be left behind when the parser needs to bail on errors. All in all, it’s more than a one-line fix, and it makes us think again about what it would mean to track not only the payouts awarded to bounties, but also the developer costs of fixing flaws. Check out the commit at https://github.com/github/cmark-gfm/commit/cf7577d2f74289cb83de0a652afc1a8b08a37036
Be sure to check out the researcher’s writeup at https://blog.dixitaditya.com/pwning-a-server-using-markdown
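To show the bug class rather than the project’s actual code, here is an added, hypothetical model of a table-row column counter (not cmark-gfm’s code and not from the writeup): the 16-bit counter that wraps on a row with more than UINT16_MAX cells, beside a checked version that refuses such a row so the caller can bail out. The names `count_columns_u16`, `count_columns_checked`, `make_row` and `compare_counters` are all invented for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of a markdown table-row column counter,
 * not cmark-gfm's code: each '|' is counted as one cell delimiter. */
/* Vulnerable pattern: the count lives in a 16-bit field, so a row with more
 * than UINT16_MAX delimiters silently wraps to a small value; an allocation
 * sized from it is smaller than what gets written, the heap bug above. */
uint16_t count_columns_u16(const char *row, size_t len) {
    uint16_t ncols = 0;
    for (size_t i = 0; i < len; i++)
        if (row[i] == '|')
            ncols++;                 /* wraps to 0 after 65535 */
    return ncols;
}

/* Hardened pattern: count in a wide type, check the bound before narrowing,
 * and report failure so the caller bails out (freeing what it allocated)
 * instead of continuing. Returns 0 on success, -1 on overflow. */
int count_columns_checked(const char *row, size_t len, uint16_t *out) {
    size_t ncols = 0;
    for (size_t i = 0; i < len; i++) {
        if (row[i] == '|') {
            if (ncols >= UINT16_MAX) return -1;
            ncols++;
        }
    }
    *out = (uint16_t)ncols;
    return 0;
}
/* Constructed input: a row made of n '|' delimiters and nothing else. */
static char *make_row(size_t n) {
    char *row = malloc(n + 1);
    if (row) { memset(row, '|', n); row[n] = '\0'; }
    return row;
}
/* Both counters' results from the last compare_counters() call. */
uint16_t last_wrapped, last_checked;
/* Runs both counters over an n-delimiter row; returns the checked
 * counter's return code, or -2 if the row could not be allocated. */
int compare_counters(size_t n) {
    char *row = make_row(n);
    if (!row) return -2;
    last_wrapped = count_columns_u16(row, n);
    last_checked = 0;
    int rc = count_columns_checked(row, n, &last_checked);
    free(row);
    return rc;
}
```

A row of 65536 delimiters makes the 16-bit counter report 0 columns while the checked counter returns -1, which is the difference between sizing a buffer from a lie and refusing the input.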
This example takes my mind to the idea that developers read code far more often than they write code. Hence, it’s more important that code be clear and understandable to humans than to compilers or run-time engines. But even with relatively simple code it’s still easy to make mistakes and, unfortunately, for those mistakes to have security consequences. I’d be curious what research has been done on logic statements and the mental overhead required for humans to parse them correctly — both within a clause itself and within the context of a dozen or so lines of code. Are there better patterns to follow for cascading if() statements? Are some patterns easier for humans to read and reason through?
Check out the writeup at https://blog.assetnote.io/2022/02/20/logicflaw-dynamicweb-rce/
Hundreds of Open Source Components Could Undermine Security, Census Finds – Yes, we all know open source dependencies have been and will be sources of vulns. Log4j gave us a nice reminder of the pervasiveness (and lack of patch management) of open source. This study helps quantify the problem and prioritize efforts to improve the security practices of popular projects. It covers both npm and non-npm packages. It’s a lot of familiar suspects (of course) and some packages that probably should have just been retired as no longer necessary, like isArray. Any time we can remove code, that’s a security win.
Check out the research page, which links to the PDF of the report, at https://www.linuxfoundation.org/tools/census-ii-of-free-and-open-source-software–application-libraries/
iCloud Private Relay: information for Cloudflare customers – This article appealed to me as an example of appsec as building an application — and architecture — to protect the security and privacy of users, as opposed to appsec as a matter of just fixing (or preventing) vulns. It’s always nice to see security as a product feature. Plus, any project that includes a “local pizza test” is going to get my attention.
Building for the 99% Developers – I’ve linked to a few security-related cryptocurrency articles in the past and now it’s time for the first (or one of the first) articles from a VC. This article has an important message, “A FAANG-like company is different from an SMB or your typical Fortune 500 company along many dimensions, including scale needs, stance on building vs. buying, and makeup of the engineering team.”
These ideas also apply to how companies approach security or security tooling. After all, not everyone has hundreds of dedicated security engineers. If appsec only focuses on how big corporations solve the hard problems of asset inventory, patch management, and software composition analysis (to name just a few), then we risk setting unachievable goals for smaller orgs.
Cloud 9: Top Cloud Penetration Testing Tools – We’ll continue to highlight resources and tools that provide appsec capabilities. Bishop Fox put together this list of cloud-focused security tools for identifying flaws and misconfigurations within the major cloud service providers. They can also be a great educational tool if you’re building your own home labs to learn about cloud security.
2. Deep Visibility & Understanding the Underlying Data Layer – 12:30 PM-01:00 PM
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
As the volume of API traffic increases, it becomes a greater threat to an organization’s sensitive data. Motivated attackers will increasingly target APIs as the pathway to the underlying infrastructure and database. Imperva API Security is a new product that delivers rapid API discovery and data classification — helping an organization truly protect all paths to the data, without slowing down the application development lifecycle. This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them!
Lebin Cheng – Head of API Security at Imperva
Lebin Cheng is a technologist and serial entrepreneur with more than 20 years of experience in cybersecurity. Cheng co-founded Netskope and later co-founded CloudVector, acquired by Imperva. He was awarded 15 patents in areas such as network security, application infrastructure and API inspection. He holds an MBA degree from the Haas School of Business at the University of California Berkeley and an MS in Computer Science from Purdue University.