Cybersecurity and Infosec News Headlines Update on February 27, 2022

Two ways to improve the security of open-source software

The Open Source Security Foundation is launching the Alpha-Omega Project to improve open-source software security with an initial investment of USD$5m from Microsoft and Google. The Alpha ‘arm’ will provide tailored help to improve security in the most critical open-source software. The Omega arm will use automated techniques to improve security across at least 10,000 widely deployed open-source projects.

samczsun, gf_256, and ret2jazzy reverse engineer the wormhole crypto exploit

Wormhole didn’t properly validate all input accounts, which allowed the attacker to spoof guardian signatures and mint 120,000 ETH on Solana, of which they bridged 93,750 back to Ethereum.

How I hacked a hardware crypto wallet and recovered $2 million

I’ve previously shared this in article form but the video is a must-watch. Joe Grand was contacted to hack a Trezor One hardware wallet and recover $2 million worth of cryptocurrency (in the form of THETA).

Solving DOM XSS Puzzles

DOM-based Cross-site scripting (XSS) vulnerabilities rank as one of spaceraccoon’s favorite vulnerabilities to exploit. It’s a bit like solving a puzzle; sometimes you get a corner piece like $.html(), other times you have to rely on trial-and-error.

What Bypassing Razer’s DOM-based XSS Patch Can Teach Us

An old story of a bug EdOverflow uncovered and reported to Razer’s vulnerability disclosure program resurfaced recently while they were chatting with Linus Särud.

Changelog

PentesterLab released the last 3 challenges for the HTTP Badge.

New ZAP Networking Layer: The latest Weekly and Live ZAP releases are now using a completely different networking stack. Previously, ZAP used code written for Paros Proxy on top of an old and out of date version of the Apache Commons HttpClient library.

reconFTW v2.2: a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities.

Osmedeus v4.0.2: A Workflow Engine for Offensive Security.

Semgrep’s February 2022 Updates – Developer Feedback, Editor, and much more.

SecLists 2022.1 release: SecLists is the security tester’s companion. It’s a collection of multiple types of lists used during security assessments, collected in one place.

Events

2022 security conferences people are looking forward to.

SE Village operator humanhacker has been banned from the conference due to COC violations: Also DEF CON Group DCG414 has been disbanded due to COC violations by the group’s primary point of contact.

Celebrate Valentine’s Day with Hack The Box: A new Valentine’s Day tournament is coming.

OWASP DevSlop – Attacking JSON Web Tokens with Louis Nyffenegger: Scheduled for Feb 18, 2022.

Black Hat Europe 2021 Videos: Abstracts and slides on the main conference page here.

Infosec WriteUps’ Conference 2022: February 26th & 27th. #hacking #infosec #bugbounty #IWCON22

NahamCon 2022 #NahamCon2022

Unchained – RazzorSec Feb 26, 2022.

Articles

Bug bounty hunter to working at Microsoft: In this blog post they’ll be going over the differences between bug hunting as a hobby and vulnerability research as a job.

I Used Apple AirTags, Tiles and a GPS Tracker to Watch My Husband’s Every Move.

Google Vulnerability Reward Program – 2021 Year in Review: Last year was another record setter for their Vulnerability Reward Programs (VRPs). Throughout 2021, they partnered with the security researcher community to identify and fix thousands of vulnerabilities – helping keep their users and the internet safe.

CVE-2022-21703: cross-origin request forgery against Grafana: This post is a writeup about CVE-2022-21703, which is the result of a collaborative effort between bug-bounty hunter abrahack and jub0bs.

A technique to semi-automatically find vulnerabilities in WordPress plugins.

Bypassing SSRF Protection to Exfiltrate AWS Metadata from LarkSuite: Lark is an online, all-in-one collaborative platform offering calendar, document and chat functions.

Hacking Google Drive Integrations: Have you ever observed Google Drive integrations in your bug bounty targets and wondered what else might be there besides the OAuth CSRF? Is it possible to hack this integration a step further? That’s exactly what you’ll explore today.

Moodle – Blind SQL Injection (CVE-2021-36393) and Broken Access Control (CVE-2021-36397): Earlier this year 0xkasper participated in the bug bounty program of Moodle. By doing both static and dynamic analysis they found a few vulnerabilities. This led to a nice bounty and their very first CVE IDs.

mBot v2.0.0 – An update to my mission bot for Synack Red Team members: Due to the frequent session timeouts experienced on the Synack platform, un4gi and various others decided that it would be great to be able to automate the login process.

OSINT without APIs: APIs are great – they make things almost too easy because data is validated and gathered for you, then served to you on a beautifully formatted JSON platter.

decalage2/awesome-security-hardening: “A collection of awesome security hardening guides, best practices, checklists, benchmarks, tools and other resources” by Philippe Lagadec, covering major operating systems, network devices, containers, SSH, web servers, and more.

Silly proof of concept: Anti-phishing using perceptual hashing algorithms: Anvil Secure’s Diego Freijo proposes a way to detect phishing websites without a centralized repository of malicious sites. Basically, it’s a browser extension that computes a fingerprint of screenshots of sites you visit, and then if you visit a site that visually looks similar but is from a different domain, it warns you. Sort of like SSH’s trust on first use (TOFU) approach for keys but for the visual appearance of websites. Neat idea. Source code.

Stop Storing Secrets In Environment Variables!: Forces Unseen’s Matt Hamilton @theeriner argues that you should instead use ephemeral filesystem mounts.

Non-Security Things That Can Sink A Security Program: Helen Patton @CisoHelen describes a number of important company aspects that impact the effectiveness of your security program, including asset management, identity strategy, technology stack, and inter-department governance.

How to Pick a Good Monitor for Software Development: Nick Janetakis covers when to buy a new monitor, understanding physical size vs resolution, pixels per inch, scaling, picture quality and color accuracy, refresh rates and input lag, and more.

“Everything is content”: Inside the daily grind of one of India’s biggest influencer families: An interesting peek inside a family that has oriented itself around regularly creating social media content, and the impact it can have on the family.

“When spending time with the children becomes the job, the family fails to create memories that go beyond ‘content,’ and the children grow up to feel more alienated,” Laskari said.

Resources

Rachel Tobac book recommendation: written by Maxie Reynolds, The Art of Attack: Attacker Mindset for Security Professionals.

Henk van Ess on how to do audio OSINT.

Joran shares what makes a good bug report.

trickest/cve: Gather and update all available and newest CVEs with their POC.

EdOverflow’s Bookshelf.

PentesterLab made Wordle but for CVE.

cve-schema: Specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE record.

Security practices in AWS multi-tenant SaaS environments: Challenges, opportunities and best practices covering identity, tenant isolation, and how isolation enforcement depends on the service involved.

reapoc: OpenSource POC and Vulnerable-Target Storage Box.

misp-warninglist: Warning lists to inform users of MISP about potential false-positives or other information in indicators.

Global Security Database (GSD): The GSD data files are JSON and use a simple name spacing strategy to support multiple data formats.

outsideris/citizen: A Private Terraform Module and Terraform Provider registry, by @Outsideris.

bridgecrewio/kustomizegoat: Purposefully vulnerable Kustomize.io Kubernetes templates for training and education purposes, by Bridgecrew.

Testing Infrastructure-as-Code Using Dynamic Tooling: NCC Group’s Erik Steringer describes how to shift left with dynamic cloud security tools. Rather than testing against a live development or production environment, you can run tools like Scout Suite and PMapper against Terraform using LocalStack, by spinning up a local environment. Neat! Tool release: Aerides.

Complete guide for picking the right tool for Terraform Security Code Analysis: Revolgy’s Marko Fábry and Marek Šottl discuss evaluating Checkov, Snyk, terrascan and tfsec for finding security vulnerabilities and misconfigurations in AWS and GCP Terraform files. The post includes a nice feature set comparison table, sections on each tool, and comparing the results of each tool on terragoat.

infracost/infracost: Tool by Infracost that shows cloud cost estimates for Terraform changes on pull requests. This enables DevOps, SRE and engineers to see a cost breakdown and understand costs before making changes.

Videos

IppSec tackling HackTheBox – EarlyAccess.

How to Be an Ethical Hacker in 2022 by The Cyber Mentor.

Reverse Engineering 101 – Introduction to IDA Free on Linux: Reversing 2 crackmes.

Bug Bounty Live Recon – Grabbing Domains.

Practical HTTP Header Smuggling – Sneaking Past Reverse Proxies to Attack AWS and Beyond: Web applications commonly rely on proxy servers adding, modifying, or filtering HTTP headers to pass information to back-end servers.

Reverse Engineering 101 – Introduction to IDA PRO Reversing/Patching a Binary from crackmes.one: This week Busra shares a tutorial on IDA PRO by patching/reversing a binary from crackmes.one. This will be an ongoing series for various binaries from crackmes by using different tools such as Ghidra or IDA Pro.

John Hammond tackles SQLi, SSTI & Docker Escapes / Mounted Folders – HackTheBox University CTF “GoodGame”.

InsiderPhD’s API Testing Automated Toolbox: APIs in the real world are huge, especially on large scope programs.

Fuzzing Java to Find Log4j Vulnerability – CVE-2021-45046: After the log4shell (CVE-2021-44228) vulnerability was patched with version 2.15, another CVE was filed.

OrwaGodFather Methodology: Video series where GodFather Orwa explains their bug bounty methodology.
