ORM leaks, CSRF is alive, lockpicking lessons – ethical hacker news roundup

August 14, 2024

A two-part deep dive into object relational mapper (ORM) leak vulnerabilities by Elttam kicks off our latest roundup of InfoSec news and hacking writeups.

ORM leak flaws apparently occur when ORMs fail to validate user inputs, potentially resulting in the exposure of sensitive data. 💻 Part one of Elttam’s research – described as “super-interesting” with “tons of potential for further research” by PortSwigger’s James Kettle – focuses on the Django ORM and relational filtering attacks. The concluding part exploits the Prisma ORM and is, according to Kettle, “a beautiful example of abusing framework features to make timing attacks that work in the wild”. 🔥

James Kettle X post recommending ORM leak research from Elttam

Don’t write off CSRF

Elttam’s work featured on r/websecurityresearch, meaning moderators have deemed the research truly novel in the realm of web security. 🚀

The same applies to Doyensec research that discovered that cross-site request forgery (CSRF) remains a viable vector in today’s applications despite browsers having been considerably hardened against CSRF (notably through SameSite). 🧐 The vulnerability research firm successfully used client side path-traversal “to resuscitate CSRF for the joy of all pentesters” and unearth vulnerabilities in major web messaging applications, wrote Doyensec researcher Maxence Schmitt. The research is documented more extensively in a whitepaper and has spawned a new Burp extension “that provides advanced capabilities and automation for finding and exploiting Client-Side Path Traversal”. 👌

Concurrency (mis)control

Other groundbreaking research to satisfy the exacting criteria of r/websecurityresearch recently includes: Eugene Lim aka Spaceraccoon extending browser extension messaging chains with native messaging to achieve ‘universal code execution’; Doyensec’s Viktor Chuchurski on how inadequate concurrency control in databases can lead to race condition bugs; and a layered XSS attack “that is often overlooked by pentesters”, courtesy of CREDS. 🧠

Assetnote co-founder and CTO Shubham Shah, meanwhile, deemed @hash_kitten’s ServiceNow bug trio to be “one of the most critical exploit chains in the history of @assetnote”, no less. 😮 The researcher in question praised ServiceNow’s security team as being “excellent to work with” in securing the more than 40,000 potentially affected instances.

Evernote RCE

Other notable research includes an Evernote RCE writeup from 15-year old (!!!) researcher Patrick Peng, specifically leading ‘from PDF.js font-injection to All-platform Electron exposed ipcRenderer with listened BrokerBridge RCE’; PortSwigger’s Zakhar Fedotkin showing “how to create a hybrid PDF that abuses widget annotations to create render discrepancies, and share the code so you can generate your own”; Sonar’s Stefan Schiller on the value of giving charset information when serving HTML documents to reduce the risk of XXS bugs; and ‘how we discovered the AWS Organization ID for any AWS Account’ from the CTO and co-founder of Tracebit. 😎

LLM kryptonite

Over in LLM world, a former Apple engineer has criticised “an almost complete lack of bug reporting infrastructure from the LLM providers” after documenting his efforts to report a delirium-inducing prompt that he dubbed “LLM kryptonite”. 🦸 In a column in The Register, Mark Pesce had recounted how he had induced “every chatbot I could access” bar Anthropic’s Claude 3 Sonnet into descending into a “babble-like madness”. 🤪 In a follow-up piece, LLM vendors came under fire for apparently declining to acknowledge issues while surreptitiously deploying “behind-the-scenes patches”. 😲

Metawar thesis and system 2 thinking

As well as hosting a live Bug Bounty with L’Oreal 💄 (see the highlights video below or read our event recap), YesWeHack had a booth at leHACK in Paris last month and can relay some interesting insights from the conference track at France’s biggest hacker con.

Winn Schwartau, the influential American owriter and thinker on InfoSec, cyber warfare and internet privacy, was reassuring on the topic of resisting manipulation by AI and malign online actors in delivering his ‘Metawar Thesis’.

If humans seem increasingly helpless to resist their minds being 'hacked' by ever-more sophisticated algorithms, then who better to show how to fight back than the human hackers?

Schwartau said a cybersecurity mindset could inoculate us against the algorithmic manipulations that keep us scrolling, clicking and feeling negative emotions – anger, disgust – that most effectively drive social media ‘stickiness’.

“Apply cybersecurity to it and there is hope,” he said. The speaker urged humanity to “take a pause” and engage in slow, deliberate and conscious system two thinking. 🧠 He also recommended resources for building resilience against misinformation and disinformation, such as the Bad News game and Misinformation Susceptibility Test. Schwartau also lamented how while the UK and EU have numerous studies or initiatives on countering misinformation, the US has none – the most recent, the Stanford Internet Observatory, had closed down. 😯

Winn Schwartau discusses his ‘Metawar Thesis’ at leHACK 2024 in Paris

Marc Tobias, a lock-picker extraordinaire, offered some fascinating insights into the vulnerabilities of physical locks. 🔒

How many of the lessons he drew apply to digital security? “Always look for simple solutions to what look like complex problems” when vuln hunting for instance. “Clever does not mean secure,” is another. The author of a definitive book on the topic bemoaned a “lack of imagination by design engineers and red teams”. 🧐

Tobias played several videos of himself and others defeating high security locks within minutes or even seconds – including an exploit demonstrated at DEF CON 16 in 2008. 🔥 Another remarkable exploit was defeating a Kryptonite bike lock with a ballpoint pen. Tobias has also featured on an NBC Today segment on lock-picking in 2009, as you can see below. 👇

Solomon Sonywa warned that only a ‘response in kind’ could adequately tackle the threat of machine learning supercharging malware development and distribution. The former assistant professor of computer science at the US Air Force Academy noted that VirusTotal reports a daily submission of two million malware samples, around one million of which are unique – a challenge traditional detection mechanisms are hopelessly ill-equipped to address.

Sonywa demoed a research project that used machine learning “to provide enhanced classification of an entire 200+ gigabyte-malware family corpus consisting of 80K+ unique malware samples and 70+ unique malware families.” 👏

There were also talks on the prevalence, usefulness and drawbacks of neuro-divergence in InfoSec. In ‘a praise to laziness (or why hackers are awesome people)’, Damien Cauquil said laziness had motivated inventions as significant as washing machines, balance bikes and neural networks. The pen tester-turned-hacker, who has ADHD, admitted being too ready to abandon promising projects when he reached seeming dead ends, but said his low tolerance for boredom has driven him to create tools to automate the most tedious tasks. 🧐

The neurodivergent brain has benefits and drawbacks

Xdebug and white-box pentesting

We also have some new hacking resources to announce… Our newest addition to our Dojo platform, for instance, is the second of four new WAF bypassmodules, this time focused on transformations.

Our latest technical guide, meanwhile, centres on white-box penetration testing with Xdebug, specifically explaining how to: configure a PHP web application within a docker environment; set up Xdebug; detect PHP vulnerabilities using this PHP debugger; and create custom payloads to deploy in black-box engagements.

White box pentesting to find PHP vulnerabilities

Kudos also to the winners of our latest monthly CTF challenge, AI Image Generator, which involved exploiting an XXE vulnerability.

Finally, we’d like to tip our hat to Raphaël Arrouas, aka Xel for breaking into the all-time top three of our Bug Bounty leaderboard. 👏 Check out our video interview with Xel from last year. 👇 As for the 2024 leaderboard so far, Rabhi is top of the pile (and the all-time leader), followed by Noam and then st0rm_. 🏆

Read this monthly roundup of content aimed at ethical hackers even sooner by subscribing to Bug Bounty Bulletin.

Are you a CISO, other security professional or security-conscious dev? Check out our CISO-focused sister newsletter, CrowdSecWisdom – bringing you news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.