Ethical hackers and bug bounty hunters invited to test Department of Defense assets

Jessica Haworth 17 January 2023 at 14:04 UTC

Ethical hackers and bug bounty hunters invited to test Department of Defense assets

  

The US Department of Defense (DoD) is holding its third annual Hack The Pentagon challenge, it announced this week.

Hack The Pentagon was launched in 2016, opening the door for security researchers to look for vulnerabilities in some of its top assets.

Since its creation, the program has seen more than 600 ethical hackers and bug bounty hunters invited to find bugs in DoD resources, resulting in the disclosure of more than 700 issues so far.

Read more of the latest bug bounty news

In a statement posted to the US government website, the DoD confirmed it will be organizing a third iteration of the competition this year.

It also confirmed that it is looking for contractors to partner on the program.

“The DoD’s first Vulnerability Disclosure Policy (VDP) established a 24/7 pathway for security experts to safely disclose vulnerabilities on public-facing DoD websites and applications,” the US government website states.

“DDS \[Defense Digital Service\] has ongoing contracts with security firms HackerOne, Synack, and Bugcrowd to facilitate assessments for DoD components and military services against their respective assets.”

**Going further**

In 2021, the DoD expanded its VDP beyond its public-facing websites and web applications to encompass all publicly accessible information systems.

This brought into scope all public-facing DoD networks, radio frequency-based communication platforms, IoT devices, and industrial control systems, among other technologies.

BACKGROUND US government launches ‘Hack the DHS’ bug bounty program

Also 2021, the US Department of Homeland Security (DHS) also launched a bug bounty program, inviting selected security researchers to test for vulnerabilities in its systems.

Dubbed ‘Hack the DHS’, the program, held in 2022, included three different phases – a pen test, a live hacking event, and a detailed review process.

More than 450 vetted security researchers identified 122 vulnerabilities, of which 27 were subsequently determined to be critical, the DHS revealed, adding that it awarded a total of $125,600 for the bugs.

RECOMMENDED Tell us what you think – fill out this quick survey and be in with a chance of winning Burp Suite swag

US government announces third Hack The Pentagon challenge

John Leyden 16 January 2023 at 16:07 UTC

How the build pipeline was compromised

Popular DevOps platform CircleCI has blamed an attack that successfully planted malware on an internal engineer’s laptop for a recent security breach.

The attack, acknowledged on January 4, prompted CircleCI to advise software developers that relied on its platform to rotate secrets and API tokens.

In a post-mortem on the breach, published on Friday (January 13), the San Francisco-based company offered a detailed description of what went wrong.

BACKGROUND Devs urged to rotate secrets after CircleCI suffers security breach

CircleCI said it first got wind that something was wrong on December 29 when one of its customers reported “suspicious GitHub OAuth activity”, prompting an investigation involving CircleCI’s security team and GitHub.

The security team at the continuous integration and continuous delivery (CI/CD) vendor then discovered that an “unauthorized third party leveraged malware deployed to a CircleCI engineer’s laptop in order to steal a valid, 2FA-backed SSO \[single sign-on\] session” on or around December 16.

The malware enabled unnamed attackers to steal session cookie data before impersonating the targeted employee in order to access a “subset of CircleCI’s production systems” using forged access tokens.

“Because the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys,” CircleCI’s write-up of its post-mortem explains.

Miscreants were subsequentially able to extract “encryption keys from a running process, enabling them to potentially access the encrypted data” on or around December 22.

**Incident response**

In response to the attack, CircleCI restricted employee access to its production systems as a temporary measure before rebuilding its production environment with clean hosts and revoking project API tokens.

Bitbucket and GitHub OAuth tokens were rotated in the days after the attack as customers were urged to refresh and change their secrets and API tokens. In addition, CircleCI worked with AWS to notify customers of potentially affected AWS tokens.

CHECK IT OUT Potentially win swag by telling us how to improve The Daily Swig

In the wake of the attack, CircleCI has worked with external incident response experts alongside rolling out a suite of measures designed to harden the security of its platform and help its customers to better secure any secrets.

CircleCI’s writeup goes on to sketch out the tactics and techniques of its attackers alongside the publication of indications of compromise (IOCs), data that will help security defenders at other companies in both identifying and blocking similar attacks.

Although some in the security community faulted CircleCI for failing to follow best practice, particular in a failure to apply adequate access controls to production systems, others praised its “transparent and detailed incident disclosure” and the overall response to the post-mortem from infosec Twitter was positive.

DON’T MISS Deserialized web security roundup – Slack, Okta breaches; lax US gov passwords report; and more

Squaring the CircleCI: DevOps platform publishes post-mortem on recent breach

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Jessica Haworth 13 January 2023 at 18:31 UTC  
Updated: 16 January 2023 at 14:29 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

  

Slack suffered a security breach recently, “involving unauthorized access to a subset of Slack’s code repositories” according to the messaging platform.

The company said that although no customers were affected, an internal investigation revealed that an unknown actor downloaded private code repositories on or around December 27.

“We discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository,” a statement read.

“No downloaded repositories contained customer data, means to access customer data or Slack’s primary codebase.”

Identity management company Okta also fell victim to a breach when an unknown actor accessed its code repositories.

The incident occurred “in early December 2022”, the vendor said, without confirming whether or not any data was stolen.

It did confirm that it “promptly placed temporary restrictions on access to Okta GitHub repositories and suspended all GitHub integrations with third-party applications”.

And over in the US, a government watchdog spent $15,000 to build a password-cracking program – only to discover employees were using easily-guessable credentials all along.

The complicated software, financed by the Department of the Interior, was designed to take on tasks such as recovering hashed passwords.

However it ultimately found that it was able to recover nearly 14,000 employee passwords, – 16% of all department accounts – due to “easily cracked passwords, lack of multifactor authentication, and other failures”.

Among other stories from The Daily Swig in recent days were secure messaging app Threema disputing the seriousness of flaws in its software, developers being urged to rotate secrets in CircleCI due to a security breach, and cross-origin resource (CORS) misconfigurations in the environments of enterprises including Tesla that left internal networks vulnerable.

Here are some other web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web vulnerabilities**

*   Cisco / Critical / RCE, authentication bypass vulnerabilities / Disclosed with patch, January 11
*   CKEditor / Critical / CSRF vulnerability in CKEditor can lead to RCE (remote code execution) in XWiki / Patched in CKEditor Integration version 1.64.3
*   Mozilla / Moderate / Attacker could inject markup due to the fact Firefox failed to implement the unsafe-hashes CSP (content security policy) directive / Disclosed with patch, December 13
*   VMWare / Critical / Command injection, directory traversal vulnerabilities / Patched in VMWare vRealize Network Insight v6.8
*   Zoom / Medium, High / Path traversal, local privilege escalation bugs for Windows, Android, MacOS clients / Patched January

**Research and attack techniques**

*   Researchers from Sonarsource discovered a command injection vulnerability as well as an authentication bypass vulnerability in open source web-based monitoring tool Cacti which allowed unauthenticated exploitation.
*   A malicious Python file found on the PyPi repository adds backdoor and data exfiltration features to what appears to be a legitimate SDK (software development kit) client from security firm SentinelOne, researchers at ReversingLabs have reported.
*   Also concerning PyPi, researcher Tom Forbes found 57 valid AWS keys present on the Python package index belonging to Amazon, Intel, and other organizations by scanning new packages with GitHub Actions.
*   A research team from Imperva demonstrated how they discovered a vulnerability in Google Chrome that led to the theft of sensitive files, such as crypto wallets and cloud provider credentials.
*   And Harsh Bothra from Cobalt released this handy write up on how pen testers can spot prototype pollution-style attacks.
**Bug bounty/vulnerability disclosure**

*   Researcher Matt Kunze netted a $107,500 bug bounty reward from Google for reporting vulnerabilities in the Google Home Mini smart speaker which allowed him to access the microphone on the device and make arbitrary HTTP requests on the local network.
*   Security firm CloudSek released BeVigil, a tool to enable bug bounty hunters to find and report vulnerabilities in mobile apps.
*   And hacker Jerry Gamblin published this extensive guide on the CVE year in review, featuring data on assigned vulnerabilities from the year 2022.
**New open source infosec/hacking tools**

*   GCP Goat is a vulnerable cloud infrastructure tool featuring the latest released OWASP Top 10 web application security risks and other misconfiguration, designed to help test developers test their code in a cloud environment.
*   Another cloud-based tool, PEACH is a tenant isolation framework for cloud applications to help protect against malicious actors accessing “data belonging to other customers”, for example, in cases such as ChaosDB, ExtraReplica, and AttachMe.
*   Open source tool sbom-utility has been released, an API platform for validating, querying, updating, and managing standardized SBOMs.
**For devs**

*   Exact Realty has released this blog post explaining how developers can defend against introducing cross-site request forgery (CSRF) vulnerabilities into websites.
*   Google’s Chromium project now supports the use of third-party Rust libraries from C++, and will include Rust code in the Chrome binary “within the next year”.
**For fun**

Finally, SplendidData’s bonkers bug bounty program policy was subject to online infosec scrutiny recently.

The rules date back to at least early 2021, however it still sparked a lively discussion thread on Twitter over the last week as some of its questionable terms were highlighted.

Its policy boasts guidance such as ‘we will not respond to your request’ and that the company ‘cannot guarantee’ that no legal action will be taken, even if the vulnerability was disclosed responsibly.

Unsurprisingly, this spread like wildfire on infosec Twitter with one user called TJ joking: “I like the “we MIGHT sue you, idk” aspect… adds a little excitement to life.”

RECOMMENDED Prototype pollution-like bug variant discovered in Python

Deserialized web security roundup – Slack and Okta breaches, lax US government passwords report, and more&nbsp;

Jessica Haworth 13 January 2023 at 18:31 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

  

Slack suffered a security breach recently, “involving unauthorized access to a subset of Slack’s code repositories” according to the messaging platform.

The company said that although no customers were affected, an internal investigation revealed that an unknown actor downloaded private code repositories on or around December 27.

“We discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository,” a statement read.

“No downloaded repositories contained customer data, means to access customer data or Slack’s primary codebase.”

Identity management company Okta also fell victim to a breach when an unknown actor accessed its code repositories.

The incident occurred “in early December 2022”, the vendor said, without confirming whether or not any data was stolen.

It did confirm that it “promptly placed temporary restrictions on access to Okta GitHub repositories and suspended all GitHub integrations with third-party applications”.

And over in the US, a government watchdog spent $15,000 to build a password-cracking program – only to discover employees were using easily-guessable credentials all along.

The complicated software, financed by the Department of the Interior, was designed to take on tasks such as recovering hashed passwords.

However it ultimately found that it was able to recover nearly 14,000 employee passwords, – 16% of all department accounts – due to “easily cracked passwords, lack of multifactor authentication, and other failures”.

Among other stories from The Daily Swig in recent days were secure messaging app Threema disputing the seriousness of flaws in its software, developers being urged to rotate secrets in CircleCI due to a security breach, and cross-origin resource (CORS) misconfigurations in the environments of enterprises including Tesla that left internal networks vulnerable.

Here are some other web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web vulnerabilities**

*   Cisco / Critical / RCE, authentication bypass vulnerabilities / Disclosed with patch, January 11
*   CKEditor / Critical / CSRF vulnerability in CKEditor can lead to RCE (remote code execution) in XWiki / Patched in CKEditor Integration version 1.64.3
*   Mozilla / Moderate / Attacker could inject markup due to the fact Firefox failed to implement the unsafe-hashes CSP (content security policy) directive / Disclosed with patch, December 13
*   VMWare / Critical / Command injection, directory traversal vulnerabilities / Patched in VMWare vRealize Network Insight v6.8
*   Zoom / Medium, High / Path traversal, local privilege escalation bugs for Windows, Android, MacOS clients / Patched January

**Research and attack techniques**

*   Researchers from Sonarsource discovered a command injection vulnerability as well as an authentication bypass vulnerability in open source web-based monitoring tool Cacti which allowed unauthenticated exploitation.
*   A malicious Python file found on the PyPi repository adds backdoor and data exfiltration features to what appears to be a legitimate SDK (software development kit) client from security firm SentinelOne, researchers at ReversingLabs have reported.
*   Also concerning PyPi, researcher Tom Forbes found 57 valid AWS keys present on the Python package index belonging to Amazon, Intel, and other organizations by scanning new packages with GitHub Actions.
*   A research team from Imperva demonstrated how they discovered a vulnerability in Google Chrome that led to the theft of sensitive files, such as crypto wallets and cloud provider credentials.
*   And Harsh Bothra from Cobalt released this handy write up on how pen testers can spot prototype pollution-style attacks.
**Bug bounty/vulnerability disclosure**

*   Researcher Matt Kunze netted a $107,500 bug bounty reward from Google for reporting vulnerabilities in the Google Home Mini smart speaker which allowed him to access the microphone on the device and make arbitrary HTTP requests on the local network.
*   Security firm CloudSek released BeVigil, a tool to enable bug bounty hunters to find and report vulnerabilities in mobile apps.
*   And hacker Jerry Gamblin published this extensive guide on the CVE year in review, featuring data on assigned vulnerabilities from the year 2022.
**New open source infosec/hacking tools**

*   GCP Goat is a vulnerable cloud infrastructure tool featuring the latest released OWASP Top 10 web application security risks and other misconfiguration, designed to help test developers test their code in a cloud environment.
*   Another cloud-based tool, PEACH is a tenant isolation framework for cloud applications to help protect against malicious actors accessing “data belonging to other customers”, for example, in cases such as ChaosDB, ExtraReplica, and AttachMe.
*   Open source tool sbom-utility has been released, an API platform for validating, querying, updating, and managing standardized SBOMs.
**For devs**

*   Exact Realty has released this blog post explaining how developers can defend against introducing cross-site request forgery (CSRF) vulnerabilities into websites.
*   Google’s Chromium project now supports the use of third-party Rust libraries from C++, and will include Rust code in the Chrome binary “within the next year”.
**For fun**

Finally, SplendidData’s bonkers bug bounty program policy was subject to online infosec scrutiny recently.

The rules date back to at least early 2021, however it still sparked a lively discussion thread on Twitter over the last week as some of its questionable terms were highlighted.

Its policy boasts guidance such as ‘we will not respond to your request’ and that the company ‘cannot guarantee’ that no legal action will be taken, even if the vulnerability was disclosed responsibly.

Unsurprisingly, this spread like wildfire on infosec Twitter with one user called TJ joking: “I like the “we MIGHT sue you, idk” aspect… adds a little excitement to life.”

RECOMMENDED Prototype pollution-like bug variant discovered in Python

Deserialized web security roundup – Slack, Okta security breaches, lax US government passwords report, and more&nbsp;

Library has somewhat of an image problem given history of serious bugs

Library has somewhat of an image problem given history of serious bugs

  

A new tool enables developers to better protect themselves against vulnerabilities in popular file converter ImageMagick, which has suffered from various security holes in the past.

ImageMagick is used by websites to convert files and currently supports the conversion of more than 100 types.

While it has proven to be popular due to the sheer number of conversions it offers, the tool has also been subject to a number of critical security vulnerabilities over the years.

Read more of the latest web security vulnerability news

In 2016, researchers released ImageTragick, a series of vulnerabilities in the library – one of which could lead to remote code execution (RCE) via a crafted malicious image.

Two years later, Google Project Zero’s Tavis Ormandy published details of how supporting external programs can also leave ImageMagick vulnerable to RCE.

Then in 2020, researcher Alex Inführ found a shell injection vulnerability in ImageMagick, and in 2021 Synacktiv researchers demonstrated how they were able to achieve arbitrary file upload using known flaws in the library.

**Policy problem**

To protect users against these kinds of bugs, ImageMagick contains a security policy that can be customised by developers.

It’s “very tuneable policy mechanism” has options that adjust all the specific internal thresholds and features that the library can tolerate, Doyensec’s Lorenzo Stella, the tool’s author, told The Daily Swig.

Stella added, however, that the policy can cause confusion as it sometimes contains terms only people familiar with the library can recognize. “On top of that, not all the available options are listed on this page, so the code is often the only real documentation,” he said.

The new tool, called ImageMagick Security Policy Scanner, therefore enables users to evaluate the security policies on offer to determine which is right for them.

LIKE THE DAILY SWIG? Tell us what you think by filling in our survey and be in with the chance to win Burp Suite swag

In a blog post released this week (January 10), Stella wrote: “Because of the number of available options and the need to explicitly deny all insecure settings, this is usually a manual task, which may not identify subtle bypasses which undermine the strength of a policy.

“It’s also easy to set policies that appear to work, but offer no real security benefit.

“The tool’s checks are based on our research aimed at helping developers to harden their policies and improve the security of their applications, to make sure policies provide a meaningful security benefit and cannot be subverted by attackers.”

**CSP Evaluator similarities**

The researcher said the tool is similar to Google’s CSP evaluator in that it can immediately identify any security gaps in a policy and is designed to be used by both auditors and developers.

Stella also added a guide that describes how developers can harden it even more in their environments, identify different commands, verify if the policy is enforced, and more.

He added: “It’s important to remember that securing an ImageMagick installation does not stop with setting a secure policy, but should be paired with a number of other defense-in-depth practices.

“To the best of my knowledge, this is the first tool of its kind for ImageMagick,” said Stella, who noted that the security team at ImageMagick added a reference to the tool to their security page.

RECOMMENDED Threema disputes crypto flaws disclosure, prompts security flap

New tool protects against vulnerabilities in popular file converter ImageMagick

‘Condescending’ response to vulnerability disclosure angers infosec community

‘Condescending’ response to vulnerability disclosure angers infosec community

Security researchers have defended academics who discovered several serious security flaws in Threema following criticism of their work by developers of the encrypted messaging app.

A team of computer scientists from Swiss university ETH Zurich found a total of seven vulnerabilities in secure messaging app Threema, which boasts 10 million users including the Swiss Government and current Chancellor of Germany, Olaf Scholz.

**Threat models**

The ETH team – comprising Professor Kenneth Paterson, Matteo Scarlata, and Kien Tuong Truong – found that Threema features neither ‘forward security’ nor post-compromise security.

Forward security means that even after a compromise, an attacker will be unable to decrypt data encrypted prior to the hack. Post-compromise security involves setting up such an architecture so that security can be restored after an attack, providing any attacker is purged from the process of communication exchange.

The seven vulnerabilities discovered fell across three distinct threat models: network attacker, compromised server, and compelled access.

**Rolling their own crypto**

Problems arose because of Threema’s use of bespoke encryption technologies. For example, the Swiss service’s bespoke client-to-server (C2S) protocol features ephemeral keys. This ought, in theory, to make sessions independent from each other.

However, ETH researchers discovered that compromising a single client ephemeral key allowed an attacker to impersonate that client indefinitely.

DON’T MISS The chance to win swag by telling us how to improve The Daily Swig

The researchers disclosed this flaw and six other vulnerabilities to Threema’s developers in early October last year. Modifications were made before Threema released a new protocol, Ibex, to further mitigate the attacks in late November 2022.

The researchers held off on publishing their findings until Monday January 9, as agreed.

**‘Hopelessly oversell’**

Threema decided to then disrespect the researchers in responding to publication of their findings, earning the ire of the wider infosec community in the process.

“There’s a new paper on Threema’s old communication protocol,” the vendor wrote on its official Twitter account. “Apparently, today’s academia forces researchers and even students to hopelessly oversell their findings. Here’s some real talk.”

In an associated statement, Threema acknowledged that “while some of the findings presented in the paper may be interesting from a theoretical standpoint, none of them ever had any considerable real-world impact”.

**‘Condescending’**

Swiss security researcher Christian Folini described Threema’s response as “condescending”.

“It’s not your job to judge the quality of security research. Your job is to get your act together, present us with the fixes, and leave the assessment to third parties,” Folini said on Twitter.

Professor Alan Woodward, a computer scientist at the University of Surrey, agreed that Threema had unnecessarily attacked the researchers for what he characterized as constructive criticism of the encrypted messaging app.

Catch up on the latest encryption security news

“Their \[Threema’s\] tone was rather dismissive stating it was an older version and they had fixed all the issues identified, but Threema were able to say this because of the work and the responsible disclosure,” Professor Woodward told The Daily Swig.

“I can’t help \[but\] think that researchers might be less inclined to cooperate as responsibly if the app developers take this attitude.”

On the substance of the security issues identified, Professor Woodward told The Daily Swig that the problems “appears to arise because they \[Threema\] rolled their own protocol plus they were working with some limitations of the chosen library, Nacl”.

The Daily Swig invited the ETH team to comment on the flaws they discovered and the disclosure process. No word back as yet, but we’ll update this story as and when more information comes to hand.

Professor Kenneth Paterson has spoken publicly of his disappointment in Threema's response.

“After a constructive engagement with ThreemaApp during responsible disclosure, this is unexpectedly dismissive. We broke their protocol six ways. They updated it, thanks to our work,” Professor Paterson said on Twitter.

RELATED Boffins rekindle one-time program cryptographic concept

Threema disputes crypto flaws disclosure, prompts security flap

‘Class pollution’ flaw similar to dangerous vulnerability type found in JavaScript and similar languages

‘Class pollution’ flaw similar to dangerous vulnerability type found in JavaScript and similar languages

Prototype pollution is a dangerous bug class associated with prototype-based languages, the most popular among them JavaScript.

One researcher, however, has found a variant of prototype pollution that is applicable to Python, while other class-based programming languages might also be vulnerable to similar attacks.

**From prototype pollution to class pollution**

In JavaScript, each object inherits the ‘prototype’ of its parent object, which contains all the attributes and functions of that object. JavaScript objects can traverse the prototypes of their parents to access their functionality.

Prototypes can be modified at runtime, which makes JavaScript dynamic and flexible, but also dangerous. Prototype pollution attacks exploit this characteristic to modify the behavior of JavaScript applications and perform malicious actions.

Class-based languages such as Python are supposedly immune to such manipulations.

LIKE THIS KIND OF CONTENT? Tell us about your experience of The Daily Swig to win swag

However, security researcher Abdulraheem Khaled has discovered a coding scheme that can allow attackers to perform prototype pollution-like attacks on Python programs. He calls it ‘class pollution’ in a blog post documenting his findings.

Khaled told The Daily Swig that he discovered the attack during attempts to translate the concepts of JavaScript prototype pollution to Python.

**Manipulating Python classes**

In order to pollute Python objects, the attacker needs an entry point that uses user input to set the attributes of an object. If the user input determines both the attribute name and value, then an attacker can exploit it to manipulate the program’s behavior.

“The key factor to look for is whether the application uses unsanitized user-controllable input to set attributes of an object (controlling the attribute name to be set and its value) or not,” Khaled told The Daily Swig.

If the target function uses recursive loops to traverse the object’s attributes, then the attacker can potentially gain access to parent classes, global variables, and more. Khaled calls this an “unsafe merge”.

For example, an attacker can use such functionality to modify command strings executed by the system, change the value of sensitive variables, and trigger denial of service attacks (DoS) by making critical classes dysfunctional.

Unlike with JavaScript, Python class pollution attacks are limited by the manipulations that are possible on built-in object types.

BACKGROUND Prototype pollution: The dangerous, underrated vulnerability impacting JavaScript applications

“Unlike JS \[JavaScript\], you cannot set attributes on the global/built-in object class as it’s an immutable type. This puts some limitations when looking for gadgets,” Khaled said.

Changing the base object prototype is one of the key attack vectors in JavaScript prototype pollution, which makes Python attacks somewhat limited.

However, Khaled found that the vulnerable merge function might enable attackers to overcome this limitation by giving them access to global in-app variables and other classes defined in the Python program or imported modules.

**Class pollution in the wild**

Khaled said that all kinds of Python applications can be vulnerable to this type of attack as long as they take unsanitized user input and implement a form of unsafe object attribute assignment.

During his investigations, he found several instances of popular Python libraries that had an unsafe merge function exposing them to class pollution attacks.

The minimum impact of class pollution would be DoS. But attacks could potentially have deeper effects on Python web applications such as:

*   Overwriting the secret key used to sign sessions in Flask web applications and manually crafting valid sessions to stage account takeover attacks
*   Circumventing filters – for example bypassing the path traversal prevention implemented in Jinja when trying to load a template file. This leads to local file disclosure and inclusion by enabling attackers to load files from any local directory without being restricted to the templates directory
*   Remote command execution, by overwriting COMSPEC or PATH environment variables

“Prototype pollution is definitely one of the topics that deserve more attention from the community, and we started to see more focus on it recently,” Khaled said.

“Class pollution might be a new vulnerability that has just come to light, \[but\] I expect to see it in other programming languages soon.”

YOU MAY ALSO LIKE Devs urged to rotate secrets after CircleCI suffers security breach

Prototype pollution-like bug variant discovered in Python

Protection against XSS, SQLi, and more web attacks for Go-based web applications

Protection against XSS, SQLi, and more web attacks for Go-based web applications

A developer has released a new tool for Go applications that is designed to combat web-based attacks.

Developer and security engineer Dwi Siswanto revealed the open source teler-waf software on January 2. The 24-year-old said on Twitter that the technology was designed to “improve the security of Go-based web applications”.

Available on GitHub, teler-waf acts as HTTP middleware, with an interface for integrating intrusion detection system (IDS) functionality into existing applications.

Teler-waf’s security functions include protection against common web-based threats, such as cross-site scripting (XSS) attacks and SQL injections.

Furthermore, the tool will detect bad IP addresses linked to known threat actors and botnets; malicious HTTP referers, crawlers, and scrapers suspected of causing performance issues or performing illicit data scraping; and locations associated with directory-based brute-force attacks.

**Under the bonnet**

Speaking to The Daily Swig, Siswanto, who developed teler-waf independently, said the software has several benefits.

A key feature, for example, is the use of datasets updated daily that track known vulnerabilities and malicious patterns of attack. External resources include information from the PHPIDS project, CVE lists from the Project Discovery team, and collections sourced from the Nginx Ultimate Bad Bot Blocker and Crawler Detect.

WIN SWAG Complete our reader survey to be in with a chance of winning Burp Suite merchandise

In addition, teler-waf comes with a net/http handler for integration with application routing functionality, which Siswanto said “makes it easy to integrate into any framework and \[is\] also highly configurable, allowing it to be tailored to the specific needs of a given web application.

“When a client makes a request to a route protected by teler-waf, the request is first checked against the teler IDS to detect known malicious patterns,“ the developer says. “If no malicious patterns are detected, the request is then passed through for further processing.”

**Show and teler**

Siswanto is also the creator of teler, a real-time HTTP intrusion detection and threat alert system.

He told us that the popularity of the Go framework persuaded him to adapt teler IDS to resemble a past project, AntiScanScanClub, an automatic website scan blocker package.

“My goal was to use teler IDS functionality not only for detection, but also for early prevention,” he explains. “I could say that teler-waf is a progress from the AntiScanScanClub.”

At this time, there is no formal development timeline, although there are hopes for future contributors to join and some milestones are “still being determined”.

Teler-waf’s inaugural and current release, v0.0.1, is labeled as experimental.

Siswanto said: “It \[is\] experimental because there are currently some TODO lists I \[have\] to revisit that need to be addressed, which might be major changes that could affect both configuration and performance. I hope that teler-waf will become stable and ready for use in production in the near future.”

As Go continues to increase in popularity, other developers have also released tools to protect applications built using the language. In December, for instance, Viktor Chuchurski and Alessandro Cotto released Safeurl, software designed to thwart server-side request forgery (SSRF) attacks.

RELATED Safeurl HTTP library brings SSRF protection to Go applications

Meet teler-waf: Security-focused HTTP middleware for the Go framework

Vendor patched the vulnerability in October after a red team alert

Adam Bannister 06 January 2023 at 15:40 UTC

Vendor patched the vulnerability in October after a red team alert

A pre-authentication remote code execution (RCE) exploit has landed for popular web hosting platform Control Web Panel (CWP).

The corresponding vulnerability in CWP 7 was patched and then released in version 0.9.8.1147 on October 25. All previous versions are affected.

CWP, formerly CentOS Web Panel, is a free-to-use, Linux control panel with roughly 200,000 servers in active use.

DON’T MISS Tell us what you think of The Daily Swig to be in with a chance of winning Burp Suite swag

The Proof of Concept (PoC) was posted to GitHub and YouTube yesterday (January 5) by Numan Türle, security engineer at Turkish infosec outfit Gais Security.

Türle told The Daily Swig that he disclosed technical details and requested a CVE after receiving assurances that a sufficient number of servers had been updated to the patched version.

The flaw has now been designated as CVE-2022-44877 with a CVSS severity rating still pending.

**Double quotes problem**

The flaw resides in the component and allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.

According to Türle, it resulted from CWP using the following structure to log incorrect entries:

“Since the request URI comes from the user, and as you can see it is within double quotes, it is possible to run commands such as , which is a bash feature,” he said.

“They have made the request URI into , but double quotes are interpreted on the bash side. It is actually just a problem with double quotes. It was a small problem but could be very annoying.”

**Timeline**

Türle said the bug emerged from zero-day research undertaken on third-party applications used by customers of Gais Security.

“We discovered this vulnerability in July 2022 and closed the ports by first notifying our customers,” he said.

CWP was notified and remediation began on July 30. “Since it was a busy period, we sent the full report to the CWP team on 22.10.2022. The CWP team submitted a special version within two days and we confirmed that we were able to reproduce the vulnerability and submitted a new report.”

Türle praised CWP’s security team for a “very fast fix”.

“While vulnerabilities that I have previously communicated to other companies can take almost one to three months, the CWP team closed the vulnerability in two days,” he added.

The Daily Swig has contacted CWP for comment and will update this article accordingly if they do so.

YOU MAY ALSO LIKE Tesla tackles CORS misconfigurations that left internal networks vulnerable

Exploit drops for remote code execution bug in Control Web Panel 

Typosquatting ploy successfully bypassed firewalls of multiple organizations

Typosquatting ploy successfully bypassed firewalls of multiple organizations

Tesla is one of several organizations to remedy cross-origin resource sharing (CORS) misconfigurations after security researchers proved they could exfiltrate data from the carmaker’s internal network.

That’s according to Truffle Security, which said its researchers earned a “few thousand dollars” from CORS vulnerabilities submitted through various bug bounty programs.

With the help of an exploitation toolkit custom-built for the project, the flaws validated Truffle Security initial hypothesis that “large internal corporate networks are exceedingly likely to have impactful CORS misconfigurations”.

**CORS for concern**

Truffle Security has detailed how its team leveraged typosquatting to sidestep constraints routinely imposed by bug bounty programs in a blog post and accompanying video (embedded below).

“Usually internal networks are out of scope for bug bounties due to the strict rules against lateral movement and social engineering,” it noted. “We’re aware we’re walking very close to the line, but we don’t believe it’s been crossed.”

CORS is a browser security mechanism that offers controlled access to resources situated outside of a given domain. In doing so it helps developers by offsetting the rigidity of same-origin policy (SOP), which restricts scripts on one origin from accessing data from another.

However, overly permissive configurations can leave the door open to cross-domain attacks.

DON’T FORGET TO READ Car companies massively exposed to web vulnerabilities

Truffle Security’s research centers on ‘wildcard’ configurations, which by not sending login session information are generally secure for externally-facing websites, “but can go horrendously wrong for internal facing web apps that don’t use authentication”.

This is because “people’s browsers straddle multiple networks so when a victim visits an evil website that evil website can hit all of the internal apps on internal networks.”

**Of-CORS you can**

Truffle Security has invited other bug hunters to target similar vulnerabilities with the tool it built for the project.

Of-CORS, a Python3 application, can “sneakily prod target corporate networks for CORS misconfigurations using typosquatting and phone home with data when found”.

As for reconnaissance, bug hunters are advised to identify internal, second-level domains in use by target companies by checking old commits in Github repos, Android builds, and even StackOverflow threads.

Truffle Security then recommends purchasing typosquatting domains that capitalize on the “off-by-one copy paste error that occurs when you drop the first or last character”.

For instance, in Tesla’s case eslamotors.com snared a victim within a few days. A service worker registered by of-CORS then probed around 150 teslamotors.com subdomains and found that 12 were configured to allow cross-origin access with CORS.

Read more news of the latest hacking techniques

“We demonstrated the ability to access and exfiltrate data from Tesla’s internal network just by setting an innocuous trap and waiting for employees to wander into it,” said the blog post. “Delightful.”

Tesla, which sanctioned public disclosure, was praised for “quickly” escalating, resolving, and paying out for the high severity issue through its Bugcrowd bug bounty program.

The Daily Swig has invited Tesla to comment but we are yet to hear back. The story will be updated accordingly if we do.

YOU MAY ALSO LIKE Critical vulnerability allowed attackers to remotely unlock, control Hyundai, Genesis vehicles

Source

PortSwigger