Application Security Weekly Episode #195 – May 02, 2022

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Bad Bots – Automated Threat Targeting Your Websites, Mobile Apps, & APIs – 12:30 PM-01:00 PM

Sponsored By

Visit https://securityweekly.com/imperva for more information!

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • Don’t forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Description

Bad bots accounted for a record-setting 27.7% of all global website traffic in 2021. These automated threats create downtime, degrade service, and increase infrastructure costs. Lynn Marks from Imperva joins us as we talk about the complex and evolving risks bots create for businesses and how the online fraud prevention solution from Imperva protects against these threats.

This segment is sponsored by Imperva.

Visit https://securityweekly.com/imperva to learn more about them!

Guest(s)

Lynn Marks

Lynn Marks – Product Manager at Imperva

Lynn Marks is a skilled product manager with more than 10 years of experience in R&D and B2B product management. Previously, she was a product manager at Model N and Distil Networks (acquired by Imperva), where she oversaw the product roadmap and innovation. At Imperva she manages Imperva Advanced Bot Protection and Imperva Client Side Protection, and works closely with customers to solve complex business challenges. She holds a Bachelor’s Degree in Economics from UC Santa Barbara.

Hosts

John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

Mike Shema

@Codexatron

Security Partner at Square

2. ExtraReplica, Document.domain Disfavored, & Highlights From Thinkst Quarterly – 01:00 PM-01:30 PM

Announcements

  • Security Weekly listeners, save $100 on your RSA Conference 2022 Full Conference Pass! RSA Conference will be live in San Francisco June 6th-9th, 2022. Security Weekly will be there in full force, delivering real-time, live coverage and interviewing some of the event’s top speakers and sponsors. To register using our discount code, please visit https://securityweekly.com/rsac2022 and use the code 52UCYBER. We hope to see you there!

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

Description

This week in the AppSec News: ExtraReplica in Azure, Chrome disfavors document.domain, appsec presentations highlighted in the latest Thinkst Quarterly, Nimbuspwn Vuln in Linux, & more!

Hosts

John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

Mike Shema

@Codexatron

Security Partner at Square

  1. Wiz Research discovers “ExtraReplica”— a cross-account database vulnerability in Azure PostgreSQL – Bypassing tenant isolation in multi-tenant cloud deployments is a major goal of attackers and researchers alike. Here’s yet another series of vulns from Wiz.io that achieved this against Microsoft Azure. There are a lot of details to think about in this article. One of them is how a poorly crafted regex enabled this attack. On the positive side, the regex used anchors to match from the beginning to the end of a certificate’s Common Name. Forgetting to anchor a text match (or forgetting to ensure the text is treated as a single line rather than multi-line, where ^ and $ match at every line break) is a common security mistake because it lets an attacker prepend or append arbitrary text to what an app expects to see. Unfortunately, an unrestricted wildcard such as .* right before the end anchor mostly negates that anchor: anything can follow the expected domain and the pattern still matches. That matters most when checking certificates. You always want to match the full domain, label for label, when you’re basing security decisions on domain membership.

    Check out Microsoft’s disclosure at https://msrc-blog.microsoft.com/2022/04/28/azure-database-for-postgresql-flexible-server-privilege-escalation-and-remote-code-execution
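    The regex pitfalls described above, as an added example that is not code from the Wiz write-up or from Azure. The host suffix db.example.com and the tenant Common Names are constructed stand-ins; the real suffix and the real pattern Wiz reported against are not reproduced. It contrasts an anchored pattern with a trailing .* (anything can follow the suffix), the same pattern without the wildcard (still fooled by a trailing newline, because $ matches before a final newline in Python, Perl, Ruby and PCRE), the multi-line variant (fooled by an embedded newline), and two exact checks: fullmatch() and a label-by-label comparison that needs no anchors at all.

```python
import re

# Constructed stand-in for a provider's managed-database host suffix. The real
# suffix and the real pattern Wiz reported against are not reproduced here.
SUFFIX = "db.example.com"
TENANT_LABEL = r"[a-z0-9-]+"

# Anchored at both ends, but the trailing ".*" means "$" no longer constrains
# what follows the suffix: anything can be appended and it still matches.
WEAK = re.compile(r"^" + TENANT_LABEL + r"\." + re.escape(SUFFIX) + r".*$")

# No wildcard, but still not exact: in Python (as in Perl, Ruby and PCRE) "$"
# also matches just before a trailing newline.
NO_WILDCARD = re.compile(r"^" + TENANT_LABEL + r"\." + re.escape(SUFFIX) + r"$")

# With re.MULTILINE, "^" and "$" match at every line break, so a name with an
# embedded newline passes even though it starts with attacker-chosen text.
MULTILINE = re.compile(
    r"^" + TENANT_LABEL + r"\." + re.escape(SUFFIX) + r"$", re.MULTILINE
)

# Exact: fullmatch() requires the whole string to match, no anchors needed.
STRICT = re.compile(TENANT_LABEL + r"\." + re.escape(SUFFIX))


def weak_match(cn: str) -> bool:
    return WEAK.search(cn) is not None


def no_wildcard_match(cn: str) -> bool:
    return NO_WILDCARD.search(cn) is not None


def multiline_match(cn: str) -> bool:
    return MULTILINE.search(cn) is not None


def strict_match(cn: str) -> bool:
    return STRICT.fullmatch(cn) is not None


# Non-regex alternative: split into DNS labels and compare each one exactly.
DNS_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def label_check(cn: str) -> bool:
    labels = cn.lower().split(".")
    expected = SUFFIX.split(".")
    if len(labels) != len(expected) + 1 or labels[1:] != expected:
        return False
    return DNS_LABEL.fullmatch(labels[0]) is not None


# Constructed Common Names: one legitimate tenant and three hostile variants.
CANDIDATES = [
    "tenant-a.db.example.com",               # legitimate
    "tenant-a.db.example.com.attacker.net",  # suffix appended (defeats WEAK)
    "tenant-a.db.example.com\n",             # trailing newline (defeats "$")
    "evil\ntenant-a.db.example.com",         # embedded newline (defeats MULTILINE)
]


def compare(cn: str) -> dict:
    """Run every checker against one Common Name and report who accepts it."""
    return {
        "weak": weak_match(cn),
        "no_wildcard": no_wildcard_match(cn),
        "multiline": multiline_match(cn),
        "strict": strict_match(cn),
        "labels": label_check(cn),
    }


if __name__ == "__main__":
    for cn in CANDIDATES:
        print(repr(cn), compare(cn))
```

    Only the two exact checks reject all three hostile names. The label-based check is the one to prefer when the decision is about domain membership: it compares the parsed name against the expected labels rather than trusting a pattern to rule out every way of smuggling extra text.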

  2. Disavowed: Chrome plans to deprecate ‘document.domain’ lays the groundwork for shift in browser security – The article has a sentence that summarizes this change well, “Google is effectively killing a feature that is not widely used and is gaining a huge security benefit as a result.” In other words, rather than accommodate a feature that lets pages on different subdomains set document.domain to a shared parent domain and thereby relax the Same Origin Policy between them, Google is closing off that insecure design pattern in favor of more secure alternatives such as postMessage. It’s a good step (albeit a small one) towards making the browsing experience more secure.

    Read Chrome’s decision and recommendations on how to migrate away from this anti-pattern at https://developer.chrome.com/blog/immutable-document-domain/

    If you’re really curious about the process of proposing and discussing impactful changes like this, check out the W3C TAG design review thread on the issue at https://github.com/w3ctag/design-reviews/issues/564

  3. Improving the state of go-fuzz – We’re a fan of making fuzz happen. Even if it’s going to take a while for fuzzing to become a regular part of the software development process.

    This article provides insights on Go’s fuzzer along with recommendations on how to improve it to be better at identifying flaws. One improvement is being smarter about understanding and manipulating the grammar of protocols like HTTP. Being able to use grammar and syntax that an app expects helps a fuzzer reach — and therefore disrupt — more states that the app can get into. Other improvements are very tactical in terms of manipulating bytes and variable-length encodings like little-endian base 128 (LEB128), where a blind bit flip mostly just corrupts the value while an encoding-aware mutation can hit boundary values, over-long and truncated encodings on purpose. Creating more flexible fuzzers should lead to more reachable states and a wider variety of flaws to discover.

    Unrelated to Go, but also on the topic of fuzzing is this article from DoyenSec, https://blog.doyensec.com//2022/04/26/vbox-fuzzing.html. It describes the practical side of setting up and running fuzzers, in this case against VirtualBox device drivers. If you’re interested in setting up a lab to experiment with fuzzing, this would be a good start.
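    The difference between blind byte mutation and encoding-aware mutation, as an added example in Python rather than Go; it is not code from the go-fuzz article or from Go’s fuzzer. The wire format (an unsigned LEB128 length prefix followed by a payload), the toy parser, the seed message and both mutators are constructed for the illustration. The structure-aware mutator re-encodes the length field with boundary values, an over-long encoding and a truncated encoding, and the example counts how many distinct parser outcomes each mutator drives the parser into.

```python
import random


def leb128_encode(value: int) -> bytes:
    """Unsigned LEB128: 7 bits per byte, low bits first, high bit = continue."""
    if value < 0:
        raise ValueError("unsigned only")
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def leb128_decode(data: bytes, max_bits: int = 64) -> tuple:
    """Return (value, bytes_consumed); raise on truncation or > max_bits."""
    result, shift = 0, 0
    for i, byte in enumerate(data):
        if shift >= max_bits:
            raise ValueError("overflow")
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            if result >> max_bits:
                raise ValueError("overflow")
            return result, i + 1
    raise ValueError("truncated")


def encode_message(payload: bytes) -> bytes:
    """Constructed wire format: LEB128 length prefix followed by the payload."""
    return leb128_encode(len(payload)) + payload


def parse_message(data: bytes) -> str:
    """Toy parser under test; returns the state it finished in."""
    try:
        length, n = leb128_decode(data)
    except ValueError as err:
        return str(err)  # "truncated" or "overflow"
    if len(data) - n < length:
        return "short-payload"
    if len(data) - n > length:
        return "trailing-bytes"
    return "ok"


def bitflip_mutations(seed: bytes, count: int, rng_seed: int = 1) -> list:
    """Structure-unaware mutator: flip one random bit per variant."""
    rng = random.Random(rng_seed)
    variants = []
    for _ in range(count):
        buf = bytearray(seed)
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        variants.append(bytes(buf))
    return variants


def leb128_aware_mutations(seed: bytes) -> list:
    """Structure-aware mutator: re-encode the length field with boundary
    values and malformed encodings that single bit flips cannot produce."""
    length, n = leb128_decode(seed)
    payload = seed[n:]
    enc = leb128_encode(length)
    variants = []
    for value in (0, 1, length - 1, length + 1, 0x7F, 0x80,
                  2**32 - 1, 2**64 - 1, 2**64):
        if value >= 0:
            variants.append(leb128_encode(value) + payload)
    # Over-long encoding of the same value: redundant continuation bytes.
    variants.append(bytes(b | 0x80 for b in enc) + b"\x80\x80\x80\x00" + payload)
    # Truncated encoding: every byte says "more follows", nothing follows.
    variants.append(bytes(b | 0x80 for b in enc))
    return variants


def reached_states(inputs) -> list:
    """Distinct parser outcomes a set of inputs drives the parser into."""
    return sorted({parse_message(m) for m in inputs})


if __name__ == "__main__":
    seed = encode_message(b"hello")
    print("bit flips:   ", reached_states(bitflip_mutations(seed, 64)))
    print("LEB128-aware:", reached_states(leb128_aware_mutations(seed)))
```

    On the six-byte seed, single bit flips can only shrink or grow the length (reaching the ok, short-payload and trailing-bytes states); no single flip can set every continuation bit or push the value past 64 bits, so the parser’s overflow and truncated branches are never exercised. Eleven encoding-aware variants reach all five states, which is the point the go-fuzz article makes about mutating at the level of the encoding rather than the byte.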

  4. ThinkstScapes Quarterly | 2022.Q1 – Thinkst have published another round-up of presentations. These have always been great ways to discover interesting conference presentations and, thankfully, the PDF isn’t behind a marketing page or registration wall.

    For the appsec population, the “Low-level, but high-privilege bug hunting” section covers five presentations that get into technical detail on mostly hardware and kernel-level issues. Then “Confidential computing for the masses” covers two approaches to protecting data within Kubernetes and observations on making post-quantum cryptographic algorithms more accessible for implementers.

    Skip to the “Nifty sundries” for broader appsec issues. “Attacking JavaScript Engines in 2022” is fun, and “Why no one pwned Synology at Pwn2Own and Tianfu Cup in 2021” offers insights into the positive impacts of following a secure SDLC by implementing good defaults, applying sandboxing principles, and taking steps to make attackers work harder when crafting exploits.

  5. Firms Push for CVE-Like Cloud Bug System – We’ve touched on this in the past, and this article is still in the category of calling for a CVE-like system, but it’s worth popping back up briefly to tie into the Azure vuln from Wiz.io we also cover in this episode. Perhaps one of the biggest questions about a need like this is who the audience would be and how they would use the information. For example, this week’s “ExtraReplica” in Azure was fixed on the provider’s side and doesn’t require any user action. So, how do we create new information sources, or perhaps present existing ones, in a way that helps users make decisions rather than just becoming another list?
  6. 2021 Top Routinely Exploited Vulnerabilities – A list! But…not really an interesting list? It seems to boil down to log4j, running Exchange Server, and a smattering of VPNs. It’s relevant if you have one of those three things, but otherwise doesn’t feel like it has a broader lesson or point of discussion on app security or architectures. However, path traversal made the list as one of the attack vectors, so it had to get a mention just for that.
  7. Microsoft finds new elevation of privilege Linux vulnerability, Nimbuspwn – We’ve covered a handful of Linux kernel vulns recently, but that’s because the articles have all been excellent examples of explaining a complex topic. We’ll (almost) always highlight articles that walk through the attacker mindset, from describing the basics of the app being targeted, to describing its attack surface, to walking through the trial-and-error steps of probing security boundaries and trying various techniques until a flaw falls to an exploit. Plus, we haven’t covered race conditions and TOCTOU concepts very much, so this gives us a chance to expand the range of flaws we discuss.
  8. New from Anaconda: Python in the Browser – From this year’s PyCon (https://us.pycon.org/2022/), here’s a curious foray into the browser, HTML, and Python all bound together with WebAssembly. It demonstrates an emerging area for appsec practitioners to keep an eye on.

    The project is based on the open source Pyodide, which you can find at https://pyodide.org/en/stable/