ICYMI, this is how the #log4j#Log4Shell flaw works (in simple english), a 🧵 1. Victim is running a Java Web that uses the log4j logging lib 2. The victim web app has code that logs http request payloads/headers with log statements (example User-Agent)
1/
3. Attacker identifies vulnerable app and makes a request to the server with the User-Agent Value set to this. What does this mean? 2/
jndi == Java Naming and Directory Interface. Allows Java apps to access multiple apis for LDAP, Remote Method Invocation (RMI), etc through the JNDI Interface 4. The attacker tries to get the log4j library to lookup an LDAP server through JNDI 3/
If the log4j library is vulnerable, it will attempt to call the URI (ldap server). 5. The attacker runs the purported LDAP server and feeds a "malicious" class that contains some code that they want your app to run.
4/
6. Because your log4j library is vulnerable. It makes the LDAP call, receives the class, runs the code and you have RCE
Ok, now why is this sooo bad (other than the fact that its an RCE) 5/
a - because log4j is one of the most common libraries in any java app. Its basically as common to Java as OpenSSL is to the world. So think, heartbleed, but for Java apps
b - just like OpenSSL, log4j may be a nested dependency. An app's library's dependency. Therefore, hard 6/
This vulnerability is bad. So please deal with it ASAP. 1. Check if you're running a version of the Java JDK that seems to not be vulnerable to this flaw (because it sets a trust URLcodebase value to false), which is good. Versions above these 👇 are supposedly not vulnerable 7/
2. For log4j libraries 2.10.0 and above, you can use formatMsgNoLookups=true. Older versions also have (slightly more involved) fixes 3. Tune rules for payloads in WAF/APIGW 4. Scan for vulnerable log4j libs and patch immediately
For those following this thread. In light of new evidence. The Java jdk versions don’t make a difference. Please ignore. You have to either patch log4j or use the formatNoMsgLookups config flag to fix the issue
• • •
Missing some Tweet in this thread? You can try to
force a refresh
Key Cloudwatch and Cloutrail concepts you should know for security monitoring on @AWS. A 🧵1/
@AWS Let's start with Cloudwatch. Lot of us assume that Cloudwatch is just a log management engine, i.e a time-series DB for logs from various AWS Services and your workloads on AWS. Its so much more than that. It has all of these capabilities 2/
@AWS However, the features I typically end up using the most are:
- Metrics and Alarms: You can use/configure measures for various events across several AWS services, log them and setup alarms when they hit a threshold. Example - memory consumption, 400 errors on API Gateway, etc. 3/
Webhooks are a big part of @kubernetesio. I've recently been going down the webhook rabbithole, especially for offensive use-cases. And here's what I think. A 🧵 1/
@kubernetesio#kubernetes uses an access control object called an Admission Controller. This is beyond AuthN and AuthZ. This allows you to create objects that will allow you the operator to define workloads and configs that are admitted in your cluster. appsecengineer.com/courses-collec…
2/
@kubernetesio This is largely done using Admission Control webhooks. There are two types of webhooks you can use in #k8s, they are:
- validating
- mutating
Watch my 1m video here if you want to learn the differences
3/
Container Registry Security controls you didn't know you needed. A 🧵 1/
Let's start with the basics. You need to scan your containers for vulns on the push. For that you need your registry to integrate with security scanners. Most registries support this out of the box. Some like @project_harbor even integrate with multiple scanners. Always 👍 2/
@project_harbor you need tag immutability. What if an attacker gets creds for your registry and commits container images with the tag "prod" that you use (well, for prod). you are in a world of 💩. Setting an immutable tag ensures that others can't commit to that specific "locked" tag 3/
#SSRF is a super popular vulnerability that is leveraged extensively, by bad actors. Let's look at SSRF defense in this 🧵 1/
Let's start with the basics. SSRF happens because your app makes requests to other URLs based on user-generated data. If your app doesnt need to redirect/request random URLs (functionality), ensure that you have a tight allowlist. Only redirect to URLs in the allowlist 2/
But if your app needs to redirect to a larger (purely user-defined) set of URLs, then things may get a little more complex. Now you need to validate inputs like a mf'er. Parse and Break down URLs by scheme, domain, etc. Validate each one as required 3/
The way I see it, both the identity and policy aspects of ZeroTrust require/can do with a solid "shift left" approach of being able to incorporate identity and policy checks in the build/deployment flows. 3/
Realized that there's a huge gap in knowledge for some taxonomy and terms in #infosec. Here's a 🧵
Let's start with CWE from @CweCapec. Common Weakness Enumeration.
* This is 🚫 a scoring system
* This is identifier for a type of vuln
For example: SQL Injection is CWE 89
It has broad "parent" and more specific "child" categories. But EOD, they are Vulnerability IDs 2/
@CweCapec Let's look the one its most confused with. CVE (@CVEnew). This is a number that is assigned to a specific vulnerability identified against software/hardware that is publicly available (commerical/OSS). Ex: CVE-2022-0847 is a CVE given to the Linux #DirtyPipe vul. 3/