Marine Corps engineer-turned offensive security expert offers careers advice and his best and worst experiences

Marine Corps engineer-turned offensive security expert offers careers advice and his best and worst experiences

John Jackson has been working in cybersecurity for less than five years, but already has several significant wins under his belt.

After five years as an engineer in the Marine Corps he founded white-hat hacker collective Sakura Samurai, which last year discovered git directories and credential files within United Nations infrastructure that exposed more than 100,000 private employee records.

On a roll, the group soon after publicly disclosed vulnerabilities within the Indian government that allowed them to access personal records, police reports, and other hugely sensitive data, along with session hijacking and arbitrary code execution flaws on finance-related governmental systems.

Jackson’s other notable successes have included the discovery of a vulnerability in the Talkspace mental health app and two serious bugs in Chinese-made TCL brand televisions.

In a follow-up to the first part of our two-part feature on becoming a pen tester, we asked Jackson, now senior offensive security consultant at Trustwave, about his achievements, his love for pen testing, and the skills that would-be penetration testers need to succeed.

Daily Swig: How did you get into pen testing?

John Jackson: My story’s a little non-traditional. I didn’t grow up as a computer nerd. I was actually going to college for philosophy at CU Denver when I got a phone call from a recruiter and he asked me, hey, do you want to be a hacker?

I went through a boot camp and by the time I got to certified ethical hacker level I was actually helping class members learn, because I had done so much self-study on my own as I was just so excited.

I got recruited by TEKsystems as a contractor to go and work for Staples, initially as a cybersecurity engineer, and after the first six months there, they switched me to endpoint detection response. I went from application security engineer to senior applications security engineer for Shutterstock and after that, I went to Trustwave.

I was still hacking on my own time doing ethical hacking, and I established a group at the time called Sakura Samurai.

DON’T MISS How to become a pen tester: Part 1 – your path into offensive security testing

DS: What’s the best way to get into penetration testing?

JJ: There’s not a linear path. When I was getting into it, they \[the industry\] didn’t have as many certifications as they do now, and they also didn’t have as many materials, but nowadays they have things like Hack the Box, which can be a good way in.

I think there is no definitive skill that makes you a good hacker – it’s not so much a skill but a mindset. It’s endless curiosity.

If you’re not the type of person that likes spending a lot of your free time learning then it’s not the best field for you, because you’re always going to have to improve, and it’s very difficult to improve if you’re not continually learning, and a lot of the time that’s on your own time.

DS: What are your favourite things about your job?

JJ: One of my favourite things is the ability to hack so many different things. I’ve done ATM hacking, I’ve done phishing and social engineering, and then I moved into red teaming where the scope is a lot larger, and you have a lot more control over how you hack the organizations because you emulate advanced persistent threat actors.

Pen testing is amazing because I’m always learning – it really keeps me going and keeps my brain fresh. I don’t get bored because every day is new.

DS: And the worst?

JJ: A lot of non-technical people are sometimes involved in setting up and arranging pen tests and red teams, and sometimes they under-scope the assessments and take a very check-in-the-box approach to pen testing.

I think that that’s bad for everyone involved – it’s bad for the pen testers because you’re limited to such a narrow scope of what you can and can’t do, and it’s bad for security because in reality it’s just not realistic. A criminal hacker is not going to stop and say “you know what, this domain’s out of scope, this technology’s out of scope, I’m not going to mess with that”.

Pen testers are highly technical and sometimes you’re dealing with people that are more salesy or C-level, and you have to explain why it matters – and that can be tough.

MUST READ A rough guide to launching a career in cybersecurity

DS: What’s the most enjoyable project you’ve ever worked on?

JJ: I think my favourite project was a bank that wanted a red team with a scope of pretty much everything. That was a lot of fun, because I got to use the expertise I had to think outside of the box and use some of their own platforms to abuse their company.

They were blown away because they didn’t expect to see this or that service get abused, so I felt kind of proud doing that. \[It felt like\] finally someone appreciates that outside of the box thinking.

‘Red teaming’ gives you much ‘more control over how you hack the organizations because you emulate’ APTs

DS: And the most serious?

JJ: With the UN, with my group Sakura Samurai, we found GitHub credentials. We used the GitHub credentials to download the organization’s internal GitHub code and then, going through the code, we found over 100,000 lines of employee information. It was insane. That was definitely pretty scary.

The Indian government hack was crazy too – that was on another level. We found a lot of vulnerabilities – credentials, remote code execution, you name it. We were just going in and gave them a very extensive report, and actually coordinated it with DC3 \[Department of Defense Cyber Crime Center\] to help us disclose, because we were so worried about how much we found.

DS: What are your thoughts about bug bounties?

JJ: I’ve got a lot of complaints \[about\] bug bounty \[programs\], the biggest one being that you have to sign non-disclosure agreements when you submit these bugs, and sometimes that’s a moral conflict because you’ll discover things that are really bad. I was a blue teamer for half of my career, so when I find these certain types of bugs in bug bounty programs it’s unnerving because I know they’re not going to handle this how they need to handle this, they’re going to try and sweep this under the rug.

I moved towards vulnerability disclosure programs because you give them time to fix it and then you can disclose the bug that you found. I think that all hackers should try some vulnerability disclosure because it really just gives you a chance to get your hands on hacking a lot of things at once and then go through the process.

Read more of the latest news from the pen testing industry

DS: What are you working on now?

JJ: Right now, I’m working on another red team engagement. We’re on the internal phase, so the phase of just being inside the organization and looking for security vulnerabilities to see what we can and can’t do, how far we can go.

It’s always exciting. I love doing it, as this just really combines a lot of elements of hacking – network hacking, web hacking, and then the social aspects like what type of technologies do people use, and how can you abuse that internally?

A good example that I can say on record because it’s very obvious is Office 365, using Microsoft products to get more passwords or access to the organization, so that’s what I’m dealing with right now.

DS: What careers could pen testing lead on to?

JJ: I definitely have moved towards red teaming more, which is just a different form of pen testing. But I’d say for me red teaming and pen testing is the end of the line.

You could spend your entire life as a pen tester, absolutely, but I think a lot of people in the different client environments have shifted into a model of wanting pen testers to do more threat emulation – specific goals like ‘steal our credit card data, steal our employee accounts’.

The reality is it’s just endless, and there’s always something bigger you can aspire to. So if you’re a pen tester maybe \[the next step is\] senior pen tester, if you’re a senior pen tester maybe it’s to go to offensive security consultant, moving into red teaming. I think shifting into red teaming is the end goal for a lot of people.

YOU MAY ALSO LIKE How to become a CISO – Your guide to climbing to the top of the enterprise security ladder

How to become a penetration tester: Part 2 – ‘Mr hacking’  John Jackson on the virtue of ‘endless curiosity’ 

Definitive solution is ‘non-trivial’ since behavior arises from customers processing non-RFC compliant requests

Definitive solution is ‘non-trivial’ since behavior arises from customers processing non-RFC compliant requests

A vulnerability in how Akamai retrieves Amazon Web Services (AWS) S3 resources could allow attackers to stage web cache poisoning attacks against websites.

Web cache poisoning involves malicious clients forcing content delivery networks (CDN) or web servers to cache malicious content and later serve it to other clients requesting the same resource.

**Double misconfiguration**

Akamai can map various HTTP requests to their corresponding S3 bucket and cache them for later retrieval. Security researcher Tarunkant Gupta discovered that he could trick the Akamai server into caching files from malicious buckets.

“A few months back I encountered a non-exploitable AWS S3 misconfiguration and I was just revisiting it to check if that still exists or not, but this time I wanted to explore all attack possibilities,” he told The Daily Swig. After trying different attack vectors, Gupta ran into a misconfiguration in Akamai’s cache servers that could be leveraged to exploit the S3 bug.

RELATED Akamai WAF bypassed via Spring Boot to trigger RCE

Akamai said creating “a blanket ‘patch’” was “not trivial, as that may have a big negative impact on legitimate internet traffic”, according to a technical writeup from Gupta. In the meantime, Gupta said users can protect themselves by not accepting any headers containing Unicode characters at the Akamai level. 

**Tampering header commands**

To exploit the vulnerability, an attacker must send a web request for a benign file, but modify the header directives to add a header preceded by a hex value (e.g. ) and followed by the malicious S3 address.

If the request results in a cache hit, then the Akamai server will prioritize the header with the Unicode value over the original header and cache the malicious file to serve it to future users who request the same path.

“Because of the S3 misconfiguration, it prioritizes the first header over the target origin and Akamai’s incorrect parsing on the inclusion of Unicode character let me pass exactly what I wanted to the S3 buckets, a malicious host on the first occurrence of the header,” Gupta explained.

**Attacking at scale**

The attack will only work if benign and malign files are stored in S3 buckets located in the same region. The attacker can create S3 buckets in all available regions and upload the malicious file to all of them.

Exploiting the bug would then be a matter of brute-forcing the web cache poisoning attack on the target web resource to see which bucket works.

Gupta tested the attack with an SVG file, which is usually a cached file type and can contain JavaScript code – making it especially dangerous. But the attack can also work with any other file type cached by the server.

Gupta also developed a pair of Python scripts that can find targets stored in S3 buckets and cached by Akamai.

“This issue is very easy to exploit, and one simple cURL can create a malicious cache,” Gupta said. “An automation script was created to exploit at scale. This issue can result in various types of attacks such as XSS, JavaScript injection, open redirection, DoS, spoofing, etc.”

**RFC non-compliance**

Akamai told Gupta that the configuration issue “results from certain customers’ needs to process non-RFC compliant requests for their applications to function correctly, and therefore cloud vendors offering features to support such traffic unless explicitly instructed not to do so.”

Kaan Onarlioglu, senior infosec architect at Akamai, told The Daily Swig: “By default, Akamai edge servers allow certain invalid HTTP headers to pass through, treating them as custom headers.”

Catch up with the latest hacking techniques news and analysis

This feature is necessary to support large volumes of legitimate traffic flows and origin applications that rely on invalid headers to function correctly, he said. However, it could sometimes lead to unexpected interactions between Akamai and origin servers, depending on the origin’s request processing behavior.

“Akamai provides a strict header parsing configuration option to block traffic containing invalid headers, and we strongly urge our customers to utilize it unless that interferes with their operations,” Onarlioglu continued.

According to Onarlioglu, Akamai is currently working on making strict header parsing a default behavior instead of offering an opt-out mechanism for customers. The work is expected to be finalized early in 2023.

Gupta advised web developers to always follow RFC and its recommendations. “Many companies don’t follow them and also don't put any countermeasures around it, which sometimes becomes a serious issue,” he said.

RECOMMENDED Researcher discovers 70 web cache poisoning vulnerabilities, nets $40k in bug bounty rewards

Akamai wrestles with AWS S3 web cache poisoning bug 

Prizes offered to anyone who can bypass the library and capture the flag

Prizes offered to anyone who can bypass the library and capture the flag

A new open source library designed to thwart server-side request forgery (SSRF) attacks plugs a significant gap in Go developers’ armory, according to its architects.

Safeurl, a one-line drop-in replacement for Go’s native , validates incoming HTTP requests against allow and block lists, as well as defending against DNS rebinding attacks.

“All the heavy work of parsing, validating, and issuing requests is done by the library,” said Doyensec security engineers and Safeurl creators Viktor Chuchurski and Alessandro Cotto in a blog post.

“The library works out-of-the-box with minimal configuration, while providing developers the customizations and filtering options they might need. Instead of fighting to solve application security problems, developers should be free to focus on delivering quality features to their customers.”

**SafeCURL inspiration**

Chuchurski and Cotto said they wanted to give Go applications the same protection afforded to counterparts written in other languages through SafeCURL and (the identically named but differently capitalized) SafeURL.

“Our clients were asking for recommendations on a Go-specific solution to mitigate \[SSRF\] attacks,” the pair told The Daily Swig. “There was nothing built specifically for Go so we took on the challenge.”

Read more of the latest dev stack tech news and analysis

SSRF exploits involve inducing server-side applications into make requests to unintended locations.

“It is common for modern web applications to make HTTP requests, but a secure implementation can be quite difficult,” continued Chuchurski and Cotto.

“We hope our library will satisfy that need. It was designed with ease of use in mind and protects apps simply with its drop-in default settings.”

**Erring on the side of caution**

Safeurl blocks all traffic to private or reserved IP addresses by default, as prescribed by RFC1918.

“It’s easier (and safer) to explicitly set allowed destinations, as opposed to having to deal with updating a blocklist in today’s ever-expanding threat landscape,” explained the blog post.

The safeurl.Config can be used to customize the safeurl.Client to set , , , , , , , , , and .

The open source library allows configuration of HTTP redirects, cookie jar settings, and request timeouts.

DNS rebinding attacks, which exploit mismatches in DNS responses between two or more consecutive HTTP requests, are repelled by performing allow/block list validations on the IP address used to make the HTTP request via Go’s net/dialer package and the hook.

**Swag, gadgets up for grabs**

The researchers have created a Capture the Flag (CTF) challenge for Safeurl with “swag and some cool gadgets” on offer to anyone who succeeds.

“We’re confident in our code and the CTF is putting that confidence to the test,” said Chuchurski and Cotto. “It’s a simple web server with an SSRF vulnerability.

“The twist is that the point where the vulnerability is triggered is protected by the ‘safeurl’ library. If anyone is able to find a bypass, they'll find further instructions.”

YOU MIGHT ALSO LIKE Critical IP spoofing bug patched in Cacti

Safeurl HTTP library brings SSRF protection to Go applications

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

John Leyden 16 December 2022 at 17:43 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Our second web security roundup begins with news that a brace of network security flaws in products from Fortinet and Citrix have each come under active attack.

These attacks were respectively enabled by memory corruption vulnerabilities in the FortiOS SSL-VPN as well as a critical arbitrary code execution risk in Citrix ADC and Citrix Gateway (CVE-2022-27518). It’s unclear whether these assaults are linked, but their occurrence can still be said to underline the importance of patching SSL VPN devices, which have previously been vectors for pushing ransomware onto enterprise networks, among other attacks.

Uber this week suffered a data breach as a result of a cybersecurity incident at a third-party vendor, resulting in the exposure of employees’ personal information. The incident represents only the latest security breach to impact the ride-hailing app firm, which was previously faulted for the delayed disclosure of a 2016 breach that exposed the account records of customers and drivers. More recently, back in September, Uber’s internal IT systems were breached by a social engineering attack.

Over at Black Hat Europe, security researcher Nitesh Dhanjani discussed the impact of floor prices of non-fungible token (NFT) collections and how attacks focused on business dynamics have the potential to wreak havoc on marketplaces. Dhanjani also spoke about off-chain and on-chain sync algorithms, and how the disparities between the two blockchain-related environments can be abused.

I also attended the event for The Daily Swig, reporting on a keynote in which security researcher Daniel Cuthbert said the industry’s fixation on zero-day vulnerabilities was only a partial solution to making the internet fundamentally secure. We also covered some of the top hacking tools from the event.

Among other stories on The Daily Swig in recent days was an Akamai WAF bypass via Spring Boot, SQL injection payloads being smuggled past WAFs, and a crypto maintainer rejecting a bogus cryptocurrency ‘vulnerability’ submitted with the help of ChatGPT.

Here are some other web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web vulnerabilities**

*   Apache CXF / Critical / SSRF (server-side request forgery) vulnerability in parsing the href attribute of XOP / Disclosed with patch, December 13
*   Grails Spring Security Core plugin / CVE-2022-41923 / Critical / “Vulnerability allows an attacker access to one endpoint (i.e. the targeted endpoint) using the authorization requirements of a different endpoint” / Disclosed with patch, November 22
*   Microsoft .NET / CVE-2022-41089 / Critical / “Malicious actor could cause a user to run arbitrary code as a result of parsing maliciously crafted xps files” / Disclosed with a patch, December 13
*   Ping / CVE-2022-23093 / Memory-handling vulnerability involving networking protocol implementation by FreeBSD prompted its developers to test their own software, which unearthed a flaw in OpenBSD’s implementation of Ping that dates back to software changes introduced 24 years ago
*   Planet eStream / Critical / Vulnerabilities in video platform geared towards online learning enable attackers to take over user accounts with administrative privileges and execute arbitrary JavaScript code, among other attacks / Vendor has released software updates

**Research and attack techniques**

*   A researcher documented how it’s possible to exploit misconfigurations in cross-origin resource sharing (CORS) – a mechanism to control access to restricted website resources from external domains – to run various attacks. CORS misconfiguration issues have historically been downplayed but can seemingly be exploited to bypass CSRF protections or run cross-site tracking (XST) attacks.
*   Lightspin uncovered a serious flaw in an AWS-hosted service that allows software developers to find and share public container images. Attackers could potentially delete all images in the AWS Elastic Container Registry (ECR) Public Gallery or update image contents to inject malicious code, prompting AWS to resolve the problem within a day of its disclosure.
*   A series of flaws in three popular applications that allows an Android device to be used as a remote keyboard and mouse were exposed by Synopsys Cybersecurity Research Center (CyRC) The authentication, authorization, and insecure communication flaws potentially opened up attacks including keystroke sniffing.
*   Supposedly ‘air-gapped’ networks without direct access to the internet often require DNS services in order to resolve a company’s internal DNS records – a weakness potential hackers might be able to exploit, as a blog post by Pentera explains.
*   SALT Labs used a LEGO\-run site as a testbed to illustrate the general risk posed by API security issues. Researchers uncovered a variety of API-related security issues in LEGO’s Brick Lane, including a potential vector to internal production data and systems or manipulating users into surrendering control of their accounts.

LEGO reportedly fixed a number of API security issues found by SALT Labs

**Bug bounty / vulnerability disclosure**

*   HackerOne revealed that cloud-based vulnerabilities account for a growing proportion of vulnerabilities reported by bug bounty hunters, now totalling 65,000 in 2022, a year-on-year rise of 21%.
*   A security researcher who discovered a means to achieve unauthorized access to resumes stored on LinkedIn may have been left underwhelmed by the $5,000 bounty he received for his find, given the potential impact of the issue on users of the Microsoft-owned business-focused social network. An Insecure Direct Object Reference (IDOR) security vulnerability, inadvertently introduced in October 2022, could have allowed recruiters and perhaps more unsavoury parties to download resumes without permission.
*   Swedish video surveillance giant Axis Communications has launched a private bug bounty program with Bugcrowd.

**New open source infosec/hacking tools**

*   Node Security Shield – a defensive tool that takes an allow-listing approach to protecting zero-day protection for NodeJS applications. The tool was inspired by the infamous Log4Shell vulnerability, a zero-day vulnerability in Log4j, a popular Java logging framework.
*   Invoke-DNSteal – allows pen testers to perform file transfers using the DNS protocol as a covert communications channel.
*   Kubeshark – API Traffic Viewer for Kubernetes, providing “deep visibility and monitoring of all API traffic and payloads going in, out and across containers and pods inside a Kubernetes cluster”

**For devs**

*   Google has announced a free-of-charge scanner that allows open source developers to check their software projects for vulnerable dependencies. The tool – called OSV-Scanner – builds on Google’s work in developing an open source vulnerability database.
*   OWASP, best known for its ‘Top 10 Web Application Security Risks’ framework, is backing the creation of a similar scheme to index classes of security risks in the world of AppSec and DevSecOps. The Top 10 CI/CD Security Risks taxonomy aims to catalogue risks in the CI/CD pipeline. “Insufficient Flow Control Mechanisms” topped the nascent list.
*   The SHA-1 cryptographic algorithm, in use since 1995, has reached the end of its useful life, announced the National Institute of Standards and Technology (NIST), which says the federal government should phase out its use by 2030.
*   Research from Endor Labs found that the vast majority (95%) of all vulnerabilities are “found in transitive dependencies – open source code packages that are not selected by developers, but indirectly pulled into projects”.

**For fun**

ChatGPT – the artificial intelligence chat tool from OpenAI – is the hottest thing in infosec-focused social media circles just now. Rather than suggesting possible vulnerabilities in code we wondered what ChatGPT could conjure when asked to write lyrics for a song about SQL injection in the style of the late David Bowie.

The results were more than satisfactory:

In the realm of computers, where data flows like a stream  
There are those that seek to exploit and cause us all to scream  
They are the hackers, the codebreakers, the malicious ones  
And among their favorite trick is the art of SQL injection

Chorus:

SQL injection, SQL injection  
A dangerous game, a digital infection  
SQL injection, SQL injection  
Beware of the hackers and their devious invention

To paraphrase the great man himself, I still don’t know what I was waiting for... but it definitely wasn’t this.

RECOMMENDED Black Hat Europe 2022: A defendable internet is possible, but only with industry makeover

Deserialized web security roundup – Fortinet, Citrix bugs; another Uber breach; hacking NFTs at Black Hat 

‘Not that hard to execute if attacker has access to a monitoring platform running Cacti’

‘Not that hard to execute if attacker has access to a monitoring platform running Cacti’

A dangerous bug in Cacti, the RRDTool frontend and performance/fault management framework, potentially allowed attackers to run arbitrary PHP commands on the server.

Cacti is a popular open-source network graphing, monitoring, and fault-management tool written in PHP. RRDTool stands for round-robin database tool.

While Cacti is not usually meant to be accessible from public networks, an attacker with network access to the server would be able to leverage the remote code execution (RCE) bug without authentication.

The flaw affects version 1.2.22 and has been patched in versions 1.2.23 and 1.3.0.

**Flimsy safeguard**

The vulnerability resides in a PHP file in Cacti that allows remote agents to run different actions on the server. The only safeguard this file offered was to check whether requests were coming from an authorized IP address. Unfortunately, however, IP addresses can be spoofed with the right configuration of HTTP headers.

This allows an attacker to gain access to the file’s commands without being authenticated into the Cacti application.

Read more of the latest PHP security news

“The exploit is not that hard to execute if the attacker has access to a monitoring platform running Cacti,” Mark Brugnoli-Vinten, one of the maintainers of Cacti, told The Daily Swig.

“Most installations that I know of do not advertise themselves over the internet so the impact is mostly reduced to internal intrusions. If they have access to your internal network, there are larger problems at play, but this could be used by them.”

**Command injection**

One of the functions in the vulnerable file, called polldata, loads data from the backend database based on user-provided arguments. If the server is configured to allow PHP script actions, the attacker could use this command to execute arbitrary scripts on the server.

According to the advisory for the bug, this configuration is “very likely on a productive instance because this action is added by some predefined templates”.

Said Brugnoli-Vinten: “When exploited, it grants the attacker the ability to run commands under the same user that the website process is executing.”

But, he added, as long as your system “is secured using recommended safety/security procedures, such as AppArmour/SELinux or even separate user/group permissions, then the impact should be fairly limited”.

**Secure PHP coding lessons**

The bug was assigned a critical CVSS score of 9.8, which “is one of the reasons we published the advisory before the release was complete,” Brugnoli-Vinten said.

The team patched the vulnerability with the help of Stefan Schiller, security researcher at Sonar, who first reported the bug through GitHub’s advisory system.

The flaw held some lessons in secure PHP coding for the Cacti team.

“In recent years, I’ve taken to saying that you should never trust the input from a user, make sure it’s validated. However, the same also applies to settings in the environment,” Brugnoli-Vinten explained.

“PHP, for example, provides a lot of information in the variable, and even experienced users of the language may not realize which entries are set by the system and which are provided by the browser. If it can come from the browser, it can be spoofed.”

YOU MIGHT ALSO LIKE Akamai WAF bypassed via Spring Boot to trigger RCE

Critical IP spoofing bug patched in Cacti

Akamai issued an update to resolve the flaw several months ago

Charlie Osborne 14 December 2022 at 12:01 UTC  
Updated: 14 December 2022 at 12:04 UTC

Akamai issued an update to resolve the flaw several months ago

A researcher has disclosed a technique that bypassed Akamai web application firewalls (WAF) running Spring Boot, potentially leading to remote code execution (RCE).

Akamai’s WAF, which was patched several months ago, has been designed to mitigate the risk of Distributed Denial-of-Service (DDoS) attacks and uses adaptive technologies to block known web security threats.

Security researcher Peter H, who also goes by the pseudonym ‘pmnh’, said the attack used Spring Expression Language (SpEL) injection.

The bug bounty hunter found the bypass with the assistance of Synack pentester Usman Mansha during an engagement with a private Bugcrowd program.

**Server-side template injection**

A server-side template injection (SSTI) is at the core of the bypass, a technical write-up by Peter H reveals. Vulnerable versions of Spring Boot throw up error messages in a SpEL expression with whitelabel error pages, they explained. When a vulnerable framework is used, this injection is evaluated server-side – opening a potential pathway for abuse.

Akamai’s WAF blocked the SSTI during testing. However, the team persisted in looking for ways of utilizing SpEL to invoke an operating system command – likely via Java.

RELATED JSON syntax hack allowed SQL injection payloads to be smuggled past WAFs

The most obvious route was to find a way to the class, starting with SpEL reference , but this was blocked by Akamai’s software.

“I suspected this would not work, but when trying to work around a WAF it’s really important to build up from small things that you know work, to larger and more complex payloads,” the researcher said.

The next stage was finding a reference to an arbitrary class, which Peter H said would allow “direct method invocation or reflection-based invocation to get at the method we want”.

Peter H and Mansha used a reflection method to obtain access to , built an arbitrary String with the value, accessed the method, and created another string to access – thus enabling development of a workable RCE payload.

The final payload was under 3kb and was accepted by the server as a GET request.

**Elusive entry point**

However, bypassing the WAF was by no means an easy task. Peter H noted it took approximately 500 crafted attempts and over 14 hours to find an entry point.

The researcher declined to supply a final payload in a text format to prevent blind copycats.

“In this case, deep knowledge of Java and SpEL capabilities was required to construct a payload that would both bypass the Akamai WAF as well as work in the context where it was executing,” they noted.

**Akamai response**

When approached for comment, Akamai told The Daily Swig that the bypass was only possible as the researchers used an old version of the Akamai WAF protection engine.

A patch was issued on July 25, 2022. As a result, customers running the latest engine version are not at risk of exploitation.

Read more of the latest web application firewall news

Akamai said: “Akamai is aware of the findings of a security researcher who has claimed to have bypassed Akamai’s WAF. This issue was discovered and an update was issued several months prior to this blog post being published.

“The Akamai Threat Research team is always on the lookout for new attack types and works to proactively update protections on a regular basis. Akamai recommends that all customers ensure that Adaptive Security Engine, the protection engine that powers Akamai WAF, is up to date, ideally via automatic updates.”

The Daily Swig has reached out to the researchers involved and we will update this article if and when they comment.

DON’T MISS Black Hat Europe 2022: Hacking tools showcased at annual security conference

Akamai WAF bypassed via Spring Boot to trigger RCE

Impact of cloud migration and shift to remote work evident in new report

Impact of cloud migration and shift to remote work evident in new report

Bug bounty hunters are increasingly unearthing cloud-based vulnerabilities as organizations undergo ‘digital transformation’, a new report has found.

Researchers have uncovered more than 65,000 software vulnerabilities through bug bounty platform HackerOne in 2022, a year-on-year rise of 21%.

The increase, revealed in HackerOne’s 2022 Hacker-Powered Security Report, released today (December 13), is precisely the same percentage jump recorded in last year’s edition.

**Misconfigurations on the rise**

Now on its sixth instalment, the report also explores the continued impact of digital transformation on attack surfaces.

Cloud migration and the shift to remote work have seen organizations instituting ever-more granular permissions, a trend reflected in growing numbers of misconfiguration vulnerabilities – jumping 150% – and improper authorization issues, increasing by 45%.

Web applications continue to dominate the landscape, with 95% of hackers prioritizing websites. The next most popular targets are APIs (45%), Android mobile apps (38%), cloud platforms (24%), and open source (24%).

RECOMMENDED Bug Bounty Radar // The latest bug bounty programs for December 2022

Meanwhile, companies running bug bounty programs should take note that slow response times (51%), limited scopes (50%), and poor communication (49%) were the most significant deterrents to engaging with a program.

HackerOne, which polled 5,000 hackers between September and October 2022, also found that 38% of bug hunters cited in-house expertise as the biggest cybersecurity challenge facing organizations. This finding reflects the intertwined trends of growing attack surfaces and the cybersecurity skills gap.

**The utility of utilities**

The most popular hacking tools used by ethical hackers are Burp Suite (87%), fuzzing utilities (47%), and web proxies or scanners (38%). One in three (34%) even build their own tools.

Nevertheless, 92% still back themselves to find vulnerabilities missed by scanners, with tools often proving useful for reconnaissance, according to the report.

“I use automated tools in my reconnaissance flow to find opportunities where to focus my efforts,” US hacker Jon Colston told HackerOne.

“While it can send immediate notification of a quick win, I’m more interested in collecting as much information as possible from various data repositories to analyze trends.

“Specifically, I’m identifying where an organization will likely store specific files or documentation which I can leverage into more advanced attacks. Performing recon with a purpose helps me develop a better picture of the landscape and quickly narrow down my list of targets from 5000 to 500.”

RELATED Million-dollar bug bounties: The rise of record-breaking payouts

Although seven-figure payouts are increasingly common, HackerOne reports that mean and median bounty prices have not risen markedly – save for in the cryptocurrency and blockchain world, where average payouts soared by 315%.

While bug hunting only turns a select few into millionaires, 41% earned enough to consider it a career in itself, while 25% believed their freelance exploits had helped them get a promotion in their salaried position or otherwise progress their career.

Cross-site scripting (XSS) was again the most common bug reported, with total submissions up 32% year on year.

DON’T MISS HackerOne encourages customers to adopt standard policy to protect hackers from legal problems

Cloud flaws brought to the fore as bug bounty vulnerabilities hit 65k in 2022 – HackerOne

Catch up on the highlights of last week’s cybersecurity conference

Catch up on the highlights of last week’s cybersecurity conference

Alongside the release of hacking tools and a thought-provoking keynote, there was plenty on offer for web security professionals among the briefings at Black Hat Europe last week.

Vulnerability researchers often leave out the gnarly bits in talks that focus on their success in finding vulnerabilities, but a pair of hackers from Trellix gave a talk on how to learn from missteps and failures along the way.

Apparent failures can offer salutary lessons and – mixed with no little grit and persistence –eventually result in significant discoveries, researchers Douglas McKee and Philippe Laulheret told Black Hat delegates.

The session – ‘Fail Harder: Finding Critical 0-Days in Spite of Ourselves’ – took a “deep dive into all the things that didn’t work, along with the many challenges that preceded the findings of critical zero-day bugs across multiple projects”.

Among other things, the researchers explained how “failing harder” requires “lots of time spent researching systems before they can be hacked”.

**Ethics in social engineering**

In another talk, Ragnhild ‘Bridget’ Sageng of Orange Cyberdefence explored the ethics of using social engineering in penetration tests.

Such tests attempt to raise employee awareness about phishing attacks, but if not well thought through they can be counterproductive – especially if workers are left feeling duped or blamed for failures. Playing the blame game runs counter to fostering a productive learning experience, Sageng argued.

After all, the results of such tests have shown that even security professionals can fall victim to phishing lures, hence the need to increase focus on the (often neglected) post-engagement process.

**Wif WAF**

Back in the arena of finding vulnerabilities in technology, researcher Noam Moshe from Claroty’s Team82 explained how they discovered that a range of web application firewalls (WAFs) could be rendered blind to SQL injection payloads.

The issue – which stemmed from a failure to support JSON syntax in the SQL injection inspection process – affected technology from five leading vendors: Palo Alto Networks, Amazon Web Services, Cloudflare, F5, and Imperva. All five fixed the problem after Claroty highlighted the issue, as explained in more depth by The Daily Swig last week.

**Delivering Parcels**

Deserialization flaws have yielded a steady stream of issues for traditional apps over recent years. The hacking technique has also proven a problem for Android-based mobile systems.

During a presentation at Black Hat Europe, a team of engineers from Google outlined the evolution of Android Parcels, a technology designed to manage cross-process interaction and clamp down on bugs that arise from deserialization.

**Bohemian hack story**

Active defense has been discussed as an approach to thwart cyber-attacks orchestrated by nation states for several years. The details of how such an approach might work in practice have been shrouded in secrecy, but a talk by two threat intel experts from the state treasury of the Czech Republic showed how a combination of threat intelligence and active defense was used to thwart a series of attacks blamed on Russia.

The analysts explained that it was only by continuously improving their threat model and fine tuning their approach that they were able to make improvements in making critical information infrastructure more resilient.

**Binded by the light**

Web security researchers and bug hunters were offered insights into how it might be possible to hack web-based frameworks by abusing DataBinding.

DataBinding is used to bind request parameters to a domain object.

The approach is supported by a variety of programming frameworks, including Java, JavaScript, Groovy, Python, and Ruby.

However, implementation flaws in databinding have spawned a number of flaws in platforms including Spring, Struts, Grails, and Ruby on Rails.

Haowen Mu and Biao He from Ant Security FG Lab explained how the insecurity of the DataBinding mechanism itself spawned the infamous Spring4Shell, among other flaws, during their presentation at Black Hat.

YOU MAY ALSO LIKE Black Hat Europe 2022: Hacking tools showcased at annual security conference

Black Hat Europe redux: The top web hacking talks for 2022

Aids and techniques demonstrated at this year’s arsenal track

Aids and techniques demonstrated at this year’s arsenal track

  

Tools to enable the work of security researchers, pen testers, and bug bounty hunters were demonstrated at this year’s Black Hat Europe conference, held at London’s Excel Centre this week.

The annual security conference saw hackers from across the world gather to share research and other insights.

One of the conference’s regular features is the arsenal track, where attendees can witness live demos of various hacking tools.

**Node Security Shield**

One of the tools showcased this year, Node Security Shield, “provides zero-day protection for NodeJS applications”, Lavakumar Kuppan of Domsdog Security, which created the tool, told The Daily Swig.

“It is a defensive tool designed to be used by developers as well as security engineers,” they said.

“Existing defensive systems like WA \[web application firewall\], RASP or any of the supply chain attack protection systems all take a similar approach. They look for known bad patterns. This approach is fine for blocking well known attacks, but it is ineffective against zero-days.

“Node Security Shield takes the opposite approach. Application owners typically know and can define the expected behavior of their application. Node Security Shield ensures that only the defined good behavior is allowed, and any deviations are either blocked or trigger an alert.”

Node Security Shield supports a ‘Resource Access Policy’, inspired by Content Security Policy, a simple JavaScript object where the application owner defines the expected behavior of their app.

Read more of the latest news about hacking tools

“This enables us to block or provide exploitation mitigation against zero-day attacks. Also this approach is extremely fast compared to the other systems that have to compare every incoming request against an ever increasing list of attack patterns.

“With systems like WAF and RASP (runtime application self-protection) there is a risk of legitimate functionality being affected because it is unclear what those products will block and allow. That risk is significantly less with this approach since the application owners have a very clear understanding of what this tool will allow and what it will block.”

The tool was inspired by the Log4Shell vulnerability, a zero-day vulnerability in Log4j, a popular Java logging framework, which could lead to arbitrary code execution. Many application that relied on Log4j became vulnerable as a result of the problem.

“The fact that an application can just randomly make a network connection to a server that the developer’s never intended it to, bothered us a lot.

“So \[we\] set out to build a system where the application owners can define who their application can talk to and enforce it, thereby blocking the exploitation of zero-days like Log4Shell.”

The tool was developed as an internal project at Domdog Security to protect their own NodeJS applications, however the team said they are “aware of at least two other companies that are experimenting with it now”.

Kuppan added: “We are looking to add the ability to control file system access in the next release. Most user feedback has pointed towards wanting the ability to update the Resource Access Policy dynamically without requiring app restart. So that is also in the roadmap.”

**JavaScript obfuscation**

Also presenting at the show was Or Katz, who showed a tool designed to be able to detect JavaScript code as being obfuscated, detecting obfuscation by using structure-based signatures.

It detects JavaScript code before being rendered by the browser “which is more challenging as the obfuscation tool will create different variations of the same malicious JavaScript each time \[it is\] being obfuscated”, Katz told The Daily Swig ahead of his presentation JavaScript Obfuscation – It’s All About the P-a-c-k-e-r-s.

“Using this static code detection approach has \[meant it has\] better performance compared to techniques that require rendering of the page.

The tool also exposes a set of features collected from JavaScript code that enables more detection and classification capabilities.

Katz added: “We have future thoughts on adding more capabilities for more coverage on obfuscation tools, using collecting features for training of machine learning modules that will enable classification of malicious versus benign code.”

**Invoke-DNSteal**

A third tool, Invoke-DNSteal, allows users to perform file transfers using the DNS protocol as a covert communications channel, its creator Joel Gamez told The Daily Swig.

Although it has been designed primarily for pen testers, bug bounty hunters could also use it in “very restricted environments, in order to exfiltrate information from a compromised computer”, Gamez noted.

“Unlike other DNS data exfiltration tools, Invoke-DNSteal stands out for two main features:

The first, is that it does not use any type of library nor does it depend on third parties to work.

“For the server side, it only uses Python and sockets, so any device (however limited) that can run Python can run the server.

“For the victim (or client, if you prefer) side, native PowerShell queries will be used to send information via DNS, thus bypassing many anti-virus and EDR solutions.”

Also unlike other tools, says Gamez, Invoke-DNSteal focuses on the resolver and not the DNS domain.

“All DNS exfiltration tools need a domain to send information to. To do so, they will need to resolve that request using any DNS resolver.

“In the case of Invoke-DNSteal, we focus on using a resolver (or a list of them) controlled by the attacker, which will resolve any domain, even if it does not exist.

“In this way, it is possible to send information to random domains that do not exist, thus circumventing most DNS anti-spoofing solutions on the market.”

Users are also able to control the size and sending time of the payloads, which will also help them to evade protections.

“I decided to create this tool because I did not find any that solved this problem, or that used this technique of using random domains that do not exist to perform these bypasses,” Gamez said.

“In the next versions we will add a sequence control (remember that UDP \[User Datagram Protocol\] does not exist by default), payload encryption by default, a client for Linux and some improvements in payload compression, among many other things.”

YOU MAY ALSO LIKE Black Hat Europe 2022: A defendable internet is possible, but only with industry makeover

Black Hat Europe 2022: Hacking tools showcased at annual security conference

Improving large language models offer ‘just one more way to attack code, and one more way to defend code’

Improving large language models offer ‘just one more way to attack code, and one more way to defend code’

A supposed security researcher has tried and failed to file an apparently bogus cryptocurrency vulnerability with the help of ChatGPT, the latest and most eerily impressive large language model (LLM) from OpenAI.

The report of the ‘bug’ in OUSD stablecoin was sent to Daniel Von Fange, a distributed systems engineer who contributes to several cryptocurrency code repositories. After a bit of back and forth, it became clear to Von Fange that his interlocutor was at least partly a bot.

**A bug that doesn’t exist**

The first report claimed that two important access control modifiers in the OUSD implementation were “not defined anywhere in the code”. As a result, the reporter warned, anyone could potentially call these functions and “access or manipulate the \[smart\] contract’s assets in unintended ways”.

The report also contains several paragraphs on the impact of the bug and possible remedies.

The claims were obviously bogus, Von Fange told The Daily Swig, because the code would neither compile nor deploy if it tried to call internal code that wasn’t there.

“I first assumed that it was a new bounty hunter who didn’t know that contracts could inherit code from other contracts,” Von Fange said. “While it was obviously a wrong report, I still checked that the code was actually there, and sent a link back to the reporter. We try to be both fast and paranoid about security reports.”

**A stubborn reporter that gets the facts wrong**

After Von Fange replied that the modifiers were inherited from another module, the bug reporter persisted by providing a code snippet that purportedly demonstrated exploitability.

Again, Von Fange tested the code and proved that the exploit did not work. However, the reporter returned with another long description, which still got the facts wrong.

RELATED Take threats against machine learning systems seriously, security firm warns

“I was most surprised by the mixture of clear writing and logic, but built off an ignorance of 101-level coding basics,” he said. “It’s like someone with all the swagger and sponsor-covered nomex of a NASCAR driver, but who can’t find the steering wheel in a pickup truck.”

At this point, Von Fange became almost certain that he was dealing with an AI bot and finished the conversation with: “Nice try, ChatGPT”. The reporter later confirmed to Von Fange that ChatGPT was being used in the reports but nevertheless demanded a bounty for the ‘vulnerabilities’.

**Unmasking ChatGPT**

“What actually tipped me off was the inconstancy between emails – each email seemed to pretend we were discussing a different bug, and each was a bug based on nonsensical premises, and each set of code sent along to prove the issues was valueless,” Von Fange said.

It’s not unusual for people to send bug reports that could never happen, or code that proves nothing, he continued.

“But humans don’t usually forget the context of what you have been talking about, and low-effort bounty hunters usually go elsewhere as soon as they realize they are dealing with someone who has seen through a bogus submission,” he added.

On Twitter, Von Fange described ChatGPT’s report as “plausible text and impacts wrapped in magnificent misunderstandings of the basics”.

This description of ChatGPT’s capabilities and limitations reflects observations of the LLM made by AI experts.

Exposed to enormous volumes of text and guidance from human trainers, the large language model can compose prose that is grammatically correct and mostly coherent. However, it often lacks basic facts, common sense, and other knowledge that is not clearly defined in its training text.

**LLMs and the future of bug hunting**

LLMs have proven to be useful for programming. Codex, another language model developed by OpenAI, is very good at autocompleting lines or generating complete blocks of code.

However, existing LLMs also have distinct constraints when it comes to logic and reasoning.

“I think the current LLMs are good at finding plausible reasons why code might have a vulnerability,” Von Fange said. “The big missing piece is determining if that vulnerability is actually there.”

A bigger breakthrough will come when the AI can automatically write and run code to verify if the vulnerability can actually be exploited, Von Fange believes.

“Of course, bad guys will hook this up to automatically exploit code once when a vulnerability is discovered,” he said. “This will be an arms race between the good guys and the bad guys.

“But that is what security always has been. There is no silver bullet, just one more way to attack code, and one more way to defend code.”

RECOMMENDED Black Hat Europe 2022: A defendable internet is possible, but only with industry makeover

Source

PortSwigger