Malicious PHP Commits, OAuth Attacks & XML Injection, & Zines For DevSecOps – ASW #146

Announcements

• Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

• Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Hosts

Mike Shema

Tech Lead at Block

1. 1. PHP releases on hold
   Last week PHP admins noticed two malicious commits pushed to the php-src repo (https://news-web.php.net/php.internals/113838). The team noticed this quickly and put releases on hold out of caution. None of this is unique to PHP; it's a departure point for discussing infrastructure security, signing commits, identity, and the attack surface of a CI/CD pipeline. It takes budget to use SaaS infrastructure, discipline to manage certs, and threat models to understand which controls address which types of attacks.
2. 2. Pair of Apex Legends Players Banned for DDoS Server Attacks
   Another example of why application defenses and threat models should worry less about motivations or "who" of an attack and more about the means of an attack. Resiliency and uptime are important requirements for modern apps, and a reminder that availability of the CIA triad remains an important security concern.
3. 3. How to execute an object file: Part 2
   A well-written article about the journey from source code to executable binary. It's a nice reference whether you're interested in getting into reverse engineering or designing controls to harden execution environments like containers. It can be a helpful primer to better understand concepts like ASLR, return-oriented programming in exploits, and even syscall filtering. Be sure to check out part 1 at https://blog.cloudflare.com/how-to-execute-an-object-file-part-1/
4. 4. Wizard Zines Collection!
   We talk a lot about the importance of communicating security and engineering concepts well. Julia Evans has approached this with a wonderful combination of art and text in the zine format. You'll find everything from a refresher on command-line arguments you might already know to tips and tricks that might make your command-line skills more effective. Check out her blog at https://jvns.ca
5. 5. Hidden OAuth attack vectors
   OAuth, SAML 2.0, and OpenID Connect are modern ways to delegate authentication so that apps can focus on protecting tokens and trust relationships instead of protecting passwords. Yet it's still a design pattern that carries some misconfiguration minefields. So make sure you're considering all of these attacks in your threat model and, of course, remember that there's a big difference between authentication that says who you are and authorization that says what you can do.
6. 6. SAML XML Injection
   A good companion to the Portswigger article on Hidden OAuth Attack Vectors, this describes potential issues in the assertions and attributes in the XML that composes SAML. Delegated authentication and SSO remains a recommended design pattern, just make sure your implementation doesn't fall victim to this attack category.
7. 7. Approaches for authenticating external applications in a machine-to-machine scenario
   Although this is focused on AWS, the background and reasoning on different mutual authentication scenarios can be applied to many environments. As an article oriented towards engineering, its "Use X when Y" formulation is a good demonstration of tradeoffs and design considerations.

John Kinsella

Co-founder & CTO at Cysense