Two ways to improve the security of open-source software
The Open Source Security Foundation is launching the Alpha-Omega Project to improve open-source software security with an initial investment of USD$5m from Microsoft and Google. The Alpha ‘arm’ will provide tailored help to improve security in the most critical open-source software. The Omega arm will use automated techniques to improve security across at least 10,000 widely deployed open-source projects.
samczsun, gf_256, and ret2jazzy reverse engineer the wormhole crypto exploit
Wormhole didn’t properly validate all input accounts, which allowed the attacker to spoof guardian signatures and mint 120,000 ETH on Solana, of which they bridged 93,750 back to Ethereum.
How did the @wormholecrypto exploit work? I joined forces with @gf_256 and @ret2jazzy to reverse engineer the exploit, and now that it's been patched we can finally share it with you👇 pic.twitter.com/lXwD0GLZ3N
— samczsun (@samczsun) February 3, 2022
How I hacked a hardware crypto wallet and recovered $2 million
I’ve previously shared this in article form but the video is a must-watch. Joe Grand was contacted to hack a Trezor One hardware wallet and recover $2 million worth of cryptocurrency (in the form of THETA).
DOM-based Cross-site scripting (XSS) vulnerabilities rank as one of spaceraccoon’s favorite vulnerabilities to exploit. It’s a bit like solving a puzzle; sometimes you get a corner piece like $.html(), other times you have to rely on trial-and-error.
An old story of a bug EdOverflow uncovered and reported to Razer’s vulnerability disclosure program resurfaced recently while they were chatting with Linus Särud.
PentesterLab released the last 3 challenges for the HTTP Badge.
And we released the last 3 challenges for the HTTP Badge: https://t.co/4rrzT5KFYK!
— PentesterLab (@PentesterLab) February 8, 2022
New ZAP Networking Layer: The latest Weekly and Live ZAP releases are now using a completely different networking stack. Previously, ZAP used code written for Paros Proxy on top of an old and out of date version of the Apache Commons HttpClient library.
reconFTW v2.2: a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities.
Osmedeus v4.0.2: A Workflow Engine for Offensive Security.
Semgrep’s February 2022 Updates – Developer Feedback, Editor, and much more.
SecLists 2022.1 release: SecLists is the security tester’s companion. It’s a collection of multiple types of lists used during security assessments, collected in one place.
2022 security conferences people are looking forward to.
Yo #infosec peeps :)
Any 2022 security conferences coming up that you're feeling some type of way about? (hopefully a good type of way).
Looking for more technically-minded events, although all mentions are still welcome. Thanks!
— Naughty🍯Honeypot (@unfoldmybrain) February 11, 2022
SE Village operator humanhacker has been banned from the conference due to COC violations. Also, DEF CON Group DCG414 has been disbanded due to COC violations by the group’s primary point of contact.
@defcon has updated their DC29 Transparency Report:
SE Village operator @humanhacker has been banned from the conference due to COC violations.
— Steve Ragan (@SteveD3) February 10, 2022
Celebrate Valentine’s Day with Hack The Box: A new Valentine’s Day tournament is coming.
Celebrating Valentine's Day with @ippsec & @_JohnHammond? #LifeGoals!
A new #ValentinesDay #HBG tournament is coming, sponsored by @snyksec and supported by @RavenGG!
This year, #hacking will tear us apart 💔
👉 Read the full story: https://t.co/T9RuYE7ZHM #HTB #InfoSec #Gaming pic.twitter.com/rbYBYYK8wj
— Hack The Box (@hackthebox_eu) February 7, 2022
OWASP DevSlop – Attacking JSON Web Tokens with Louis Nyffenegger: Scheduled for Feb 18, 2022.
Black Hat Europe 2021 Videos: Abstracts and slides on the main conference page here.
Infosec WriteUps’ Conference 2022: February 26th & 27th. #hacking #infosec #bugbounty #IWCON22
He'll speak on How To Get Better At Hacking.
Catch him live on 26th Feb, 8pm IST.
— InfoSec Community (@InfoSecComm) February 4, 2022
NahamCon 2022 #NahamCon2022
— Ben Sadeghipour (@NahamSec) February 3, 2022
Unchained – RazzorSec Feb 26, 2022.
Bug bounty hunter to working at Microsoft: In this blog post they’ll be going over the differences between bug hunting as a hobby and vulnerability research as a job.
Google Vulnerability Reward Program – 2021 Year in Review: Last year was another record setter for their Vulnerability Reward Programs (VRPs). Throughout 2021, they partnered with the security researcher community to identify and fix thousands of vulnerabilities – helping keep their users and the internet safe.
CVE-2022-21703: cross-origin request forgery against Grafana: This post is a writeup about CVE-2022-21703, which is the result of a collaborative effort between bug-bounty hunter abrahack and jub0bs.
Bypassing SSRF Protection to Exfiltrate AWS Metadata from LarkSuite: Lark is an online, all-in-one collaborative platform offering calendar, document and chat functions.
Hacking Google Drive Integrations: Have you ever observed Google Drive integrations in your bug bounty targets and wondered what else might be there besides the OAuth CSRF? Is it possible to hack this integration a step further? That’s exactly what you’ll explore today.
Moodle – Blind SQL Injection (CVE-2021-36393) and Broken Access Control (CVE-2021-36397): Earlier this year 0xkasper participated in the bug bounty program of Moodle. By doing both static and dynamic analysis they found a few vulnerabilities. This led to a nice bounty and their very first CVE IDs.
mBot v2.0.0 – An update to my mission bot for Synack Red Team members: Due to the frequent session timeouts experienced on the Synack platform, un4gi and various others decided that it would be great to be able to automate the login process.
OSINT without APIs: APIs are great – they make things almost too easy because data is validated and gathered for you, then served to you on a beautifully formatted JSON platter.
decalage2/awesome-security-hardening: “A collection of awesome security hardening guides, best practices, checklists, benchmarks, tools and other resources” by Philippe Lagadec, covering major operating systems, network devices, containers, SSH, web servers, and more.
Silly proof of concept: Anti-phishing using perceptual hashing algorithms: Anvil Secure’s Diego Freijo proposes a way to detect phishing websites without a centralized repository of malicious sites. Basically, it’s a browser extension that computes a fingerprint of screenshots of sites you visit, and then if you visit a site that visually looks similar but is from a different domain, it warns you. Sort of like SSH’s trust on first use (TOFU) approach for keys but for the visual appearance of websites. Neat idea. Source code.
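The core of the idea above, as an added example written for this digest rather than code from Anvil Secure's extension: a 64-bit average hash over a screenshot, a trust-on-first-use store of (domain, fingerprint) pairs, and a check that flags a page whose fingerprint is within a small Hamming distance of a page already trusted for a different domain. Screenshots are assumed to be already downscaled to 8x8 grayscale grids (64 ints, 0-255); the grids in the block are constructed sample data, not real sites.

```python
# Visual TOFU anti-phishing sketch (example code for this digest, not the
# extension's own source). Input screenshots are assumed pre-scaled to an
# 8x8 grayscale grid given as a flat list of 64 ints in 0..255.

def ahash(pixels):
    """64-bit average hash: bit i is 1 when pixel i is above the mean."""
    if len(pixels) != 64:
        raise ValueError("expected an 8x8 grayscale grid (64 values)")
    mean = sum(pixels) / 64
    bits = 0
    for p in pixels:
        bits = (bits << 1) | (1 if p > mean else 0)
    return bits

def hamming(a, b):
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count("1")

class TofuVisualStore:
    """Trust the first domain seen with a given look; warn on look-alikes."""
    def __init__(self, threshold=6):
        self.seen = {}            # domain -> fingerprint of first visit
        self.threshold = threshold  # max bit distance still "looks the same"

    def check(self, domain, pixels):
        """Return None if the visit is fine, else the trusted domain it mimics."""
        fp = ahash(pixels)
        for known_domain, known_fp in self.seen.items():
            if known_domain != domain and hamming(fp, known_fp) <= self.threshold:
                return known_domain
        self.seen.setdefault(domain, fp)  # first sighting: trust on first use
        return None

# Constructed sample screenshots: a bright header over a dark body (a login
# page), a near-identical copy with two pixels changed, and a checkerboard.
GENUINE = [200] * 32 + [30] * 32
LOOKALIKE = GENUINE[:]
LOOKALIKE[0], LOOKALIKE[63] = 60, 220
UNRELATED = [200 if i % 2 == 0 else 30 for i in range(64)]

def demo():
    """Walk through four visits; returns the list of warnings raised."""
    store = TofuVisualStore()
    visits = [("bank.example", GENUINE), ("bank.example", GENUINE),
              ("news.example", UNRELATED), ("bank-login.example", LOOKALIKE)]
    return [store.check(d, px) for d, px in visits]

if __name__ == "__main__":
    print(demo())  # only the last visit should name "bank.example"
```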
Non-Security Things That Can Sink A Security Program: Helen Patton @CisoHelen describes a number of important company aspects that impact the effectiveness of your security program, including asset management, identity strategy, technology stack, and inter-department governance.
How to Pick a Good Monitor for Software Development: Nick Janetakis covers when to buy a new monitor, understanding physical size vs resolution, pixels per inch, scaling, picture quality and color accuracy, refresh rates and input lag, and more.
“Everything is content”: Inside the daily grind of one of India’s biggest influencer families: An interesting peek inside a family that has oriented itself around regularly creating social media content, and the impact it can have on the family.
“When spending time with the children becomes the job, the family fails to create memories that go beyond ‘content,’ and the children grow up to feel more alienated,” Laskari said.
Rachel Tobac book recommendation: written by Maxie Reynolds, The Art of Attack: Attacker Mindset for Security Professionals.
— Rachel Tobac (@RachelTobac) February 12, 2022
Henk van Ess on how to do audio OSINT.
Today I was trying to find if company X said anything about company Y in …audio. It can be exhausting to listen for hours to podcasts or radio interviews just to find that mention. Here is how I manage the process. (1/4) pic.twitter.com/jUjIWxjWGw
— 𝚑𝚎𝚗𝚔 𝚟𝚊𝚗 𝚎𝚜𝚜 (@henkvaness) February 11, 2022
Joran shares what makes a good bug report.
What makes a good bug report?
Let's have a quick look: pic.twitter.com/PdlUFbz6Jc
— Joran Honig (@joranhonig) February 11, 2022
trickest/cve: Gather and update all available and newest CVEs with their POC.
PentesterLab made Wordle but for CVE.
— PentesterLab (@PentesterLab) February 2, 2022
cve-schema: Specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE record.
Security practices in AWS multi-tenant SaaS environments: Challenges, opportunities and best practices covering identity, tenant isolation, and how isolation enforcement depends on the service involved.
reapoc: OpenSource POC and Vulnerable-Target Storage Box.
misp-warninglist: Warning lists to inform users of MISP about potential false-positives or other information in indicators.
Global Security Database (GSD): The GSD data files are JSON and use a simple name spacing strategy to support multiple data formats.
Testing Infrastructure-as-Code Using Dynamic Tooling: NCC Group’s Erik Steringer describes how to shift left with dynamic cloud security tools. Rather than testing against a live development or production environment, you can run tools like Scout Suite and PMapper against Terraform using LocalStack, by spinning up a local environment. Neat! Tool release: Aerides.
Complete guide for picking the right tool for Terraform Security Code Analysis: Revolgy’s Marko Fábry and Marek Šottl discuss evaluating Checkov, Snyk, terrascan and tfsec for finding security vulnerabilities and misconfigurations in AWS and GCP Terraform files. The post includes a nice feature set comparison table, sections on each tool, and comparing the results of each tool on terragoat.
infracost/infracost: Tool by Infracost that shows cloud cost estimates for Terraform changes on pull requests. This enables DevOps, SRE and engineers to see a cost breakdown and understand costs before making changes.
IppSec tackling HackTheBox – EarlyAccess.
How to Be an Ethical Hacker in 2022 by The Cyber Mentor.
Reverse Engineering 101 – Introduction to IDA Free on Linux: Reversing 2 crackmes.
Bug Bounty Live Recon – Grabbing Domains.
Practical HTTP Header Smuggling – Sneaking Past Reverse Proxies to Attack AWS and Beyond: Web applications commonly rely on proxy servers adding, modifying, or filtering HTTP headers to pass information to back-end servers.
Reverse Engineering 101 – Introduction to IDA PRO Reversing/Patching a Binary from crackmes.one: This week Busra shares a tutorial on IDA PRO by patching/reversing a binary from crackmes.one. This will be an ongoing series for various binaries from crackmes by using different tools such as Ghidra or IDA Pro.
John Hammond tackles SQLi, SSTI & Docker Escapes / Mounted Folders – HackTheBox University CTF “GoodGame”.
InsiderPhD’s API Testing Automated Toolbox: APIs in the real world are huge, especially on large scope programs.
Fuzzing Java to Find Log4j Vulnerability – CVE-2021-45046: After the log4shell (CVE-2021-44228) vulnerability was patched with version 2.15, another CVE was filed.
OrwaGodFather Methodology: Video series where GodFather Orwa explains their bug bounty methodology.