Security in Wrenches, Vulns in Atlassian and GitLab, 2023’s Top Web Hacking Tricks – ASW #270

Apologies up front for including a press release that points to a report behind a regwall, but I chose it as a prompt to talk about what platforms can do about secret scanning. GitHub already does this. Where's the funding and engineering investment to bring that kind of capability to npm and PyPI?

Sure, it's a setup for joking about how IPv6 adoption (second only to Linux on the desktop...), but it's a reminder that we're going to see lists of "integer underflow", "buffer overflow", "out of bounds read", and similar memory safety issues until we move on from C and C++.

A slew of 28 vulns, including RCEs, in a memory safe language (Java). The list also includes SSRF, which is a reminder (and broken record, sorry) that memory safety is an important first step towards secure code.

From the Risky Business newsletter, this has a dead simple account takeover payload: user[email][][email protected]&user[email][][email protected]

But I wanted to highlight this as a writeup with a decent amount of transparency that includes steps taken to deal with the underlying issues of the vulns rather than just focus on a patch.

I'm primarily including this to tie in with our interview segment where Sandy Carielli talks about bots and API security. The relevant piece from this article is how Cloudflare “...found 30.7% more API endpoints through machine learning-based discovery than the self-reported approach, suggesting that nearly a third of APIs are “Shadow APIs” — and may not be properly inventoried and secured.”

Community nominations are over. Now's the time for the community to vote. What's your favorite technique from 2023?

Some fun computing history: "...on January 18 in 1944, a man called Tommy Flowers drove to Bletchley Park — the secret codebreaking facility about 50 miles north of London — in a truck carrying an enormous electronic machine that was instantly nicknamed Colossus." It was "...perhaps the first-ever digital computer, used to crack messages between senior German commanders encrypted with the Lorenz cipher…"

Bluetooth keeps on giving.

Vulnerabilities (CVE-2023-45866, CVE-2024-21306) were discovered that allow either pairing a virtual keyboard with an already paired computer - without authentication. This has been patched in most but not all OSes.

Additionally on MacOS, Apple tried doing something smart by allowing a magic keyboard to do out-of-band authentication over USB/Thunderbolt (thunderbolt is dead - long live USB) so a user wouldn't have to type in 6 numbers to pair a device. Problem here is an attacker can connect to that USB/thunderbolt port after the keyboard is disconnected, and gather that pairing key for their own uses.

We might have covvered this before - I do lose track somewhat. But posting again just as a reminder to network operators and software developers - don't expose your admin interfaces to the internet.

This is based on a CVE from last year - 2023-46604 - a unsafe deserialization vuln in OpenWire protocol that ActiveMQ uses. Some folks have figured out how to use that to upload a payload to render in the web interface, allowing a remote webshell on the host.

Why I mention this - we (I?) talk about wanting "nice" UIs to make using technology easier for those less technically-focused. But we must keep in mind when we add these UIs that we can't be adding a bunch of vulnerabilities at the same time. They're usually added quickly at the last minute after the "real" work is done...but need to be considered earlier and implemented with respect.