| GitHub | https://github.com/blu3r4y |
Koney, our k8s operator which places 🍯 traps in clusters to catch hackers - as seen at KubeCon+CloudNativeCon last week in London - is now open-source and available on GitHub: https://github.com/dynatrace-oss/koney
🧪 Try it out, ⭐ star it, and tell @golim and me how you like it!
Koney is a Kubernetes operator that enables you to define so-called deception policies for your cluster. Koney automates the setup, rotation, and teardown of honeytokens and fake API endpoints, and...
Do hackers fall for traps? What are the most effective traps to catch them?
Our latest paper "Honeyquest" answers these questions! I presented our work (co-authored by Stefan Achleitner, Stefan Rass, and @rene_mobile) at the RAID 2024 conference in Padua 🇮🇹 this week.
Presentation Slides: https://doi.org/10.5281/zenodo.13880652
Paper: https://doi.org/10.1145/3678890.3678897
How can we embed cyber traps (e.g., honeytokens) into applications, at runtime, without modifying their source code?
Find out in our recent paper, which I presented at the 3rd Workshop on Active Defense and Deception (AD&D), co-located with Euro S&P 2024, in Vienna, this week.
Slides: https://zenodo.org/records/12699007
Preprint: https://arxiv.org/abs/2405.12852 (in press)
Apple iOS converts double dash characters (--) to a single em dash character (—), even in PASSWORD fields. To avoid this, turn off "Smart Interpunction".
My parents contacted me to ask why they could not log into a website on their iPhone, but could on their desktop PC. It took me a while to figure out what was going on here.
This is now my favourite example of a feature interaction bug.
Together with two fabulous colleagues, Simon and Markus, we used Kyverno to automatically mount honeytokens in each container, and Tetragon to detect attempts to access those honeytokens. We also identify the attacker's IP address and block them cluster-wide with a network policy.
You can find a nice report on how we built and orchestrated this security incident runbook for Kubernetes here: https://www.dynatrace.com/news/blog/context-aware-security-incident-response/
Blocking bad symbols from user input is often done to aid security. Avatar from #glacierctf offers a new example on how to bypass that. Let's write a calculator in Python and pass user input to eval() only allowing these chars:
" ( ) = - + * / > < { } f
Looks safe, right?
It's not. Let's build this from the ground up. We first need some zeros and ones. How about this?
()==()
I am just comparing two empty tuples. That gives me a "True" result ;D Likewise, we can do the following:
()>()
That gives me a "False" result.
Booleans are almost numbers, so let's do some math with them. What's that?
(()==())+(()==())
Just a weird way of encoding the number 2 in Python.
You see where this is going: The first screenshot shows some code to encode each digit with just ( ) = + * > ... cool, right?
There is a cool trick to move from numbers to letters now. Python allows us to format strings with f-strings and there is the {:c} presentation type that converts integers to unicode characters. Here is an example:
f"{100:c}"
That prints the letter with ASCII code 100: "d"
This gives us a method to write arbitrary strings with this minimal set of characters ;) The full write-up explains how we encode our payload, and eventually get a shell without built-in functions. https://sigflag.at/blog/2023/writeup-glacierctf23-avatar/
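As an added illustration (not code from the post or the write-up), here is the character-allowlist check the post describes next to a hardened calculator that parses the expression with Python's `ast` module and accepts only numeric literals and arithmetic operators, so tuple comparisons and f-strings never reach an evaluator; the function names and the allowed-character set are assumptions based on the post:

```python
import ast
import operator

# Constructed from the post: every character the calculator accepts.
ALLOWED = set('" ( ) = - + * / > < { } f')


def passes_allowlist(expr: str) -> bool:
    """The check from the post: reject input only if it contains a forbidden char."""
    return all(c in ALLOWED for c in expr)


# Hardened alternative: whitelist AST node types instead of characters.
_BINOPS = {
    ast.Add: operator.add, ast.Sub: operator.sub,
    ast.Mult: operator.mul, ast.Div: operator.truediv,
}
_UNARYOPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def safe_eval(expr: str) -> float:
    """Evaluate arithmetic only; any other syntax raises ValueError."""
    tree = ast.parse(expr, mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        # bool is a subclass of int, so exclude True/False explicitly
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARYOPS:
            return _UNARYOPS[type(node.op)](walk(node.operand))
        # Tuple, Compare, JoinedStr (f-string), Name, Call, Attribute ... all land here
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)


def rejects(expr: str) -> bool:
    """True if safe_eval refuses the expression."""
    try:
        safe_eval(expr)
    except (ValueError, SyntaxError):
        return True
    return False
```

The tuple-comparison encoding of 2 from the post passes the character allowlist, while the AST-based evaluator refuses it and still handles ordinary arithmetic.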
Peak from #glacierctf was a challenge with three ingredients: (1) An XSS vulnerability, but with (2) a strict CSP that made it impossible to include external JS scripts, and (3) a bullet-proof implementation of an image upload contact form. We hacked it anyway. Read on.
The XSS vulnerability allowed us to post content with <script> tags on that PHP site. But this was the CSP:
Content-Security-Policy: script-src 'self'
So we can't embed an external script that would steal user cookies. But what about uploading a file to their server?
Sadly, the file uploader implementation followed all the best practices: It checked file extensions, it checked MIME type, it gave uploads a new random name, it didn't allow for path traversal attacks, and it even loaded the image to see if it could get its dimensions.
We had no clue for hours until we stumbled upon a great article by @gaz from Dec 2016 on bypassing CSP using polyglot JPEGs. We expected this 7+ year old trick not to work anymore in modern browsers, but it totally did! Thanks Gareth! https://portswigger.net/research/bypassing-csp-using-polyglot-jpegs
Here is the write-up of the full exploit - explaining the XSS vulnerability, the CSP bypass with a JPEG/JS polyglot, stealing browser cookies, and finally exploiting an XXE in the admin panel to read arbitrary files from the victim server: https://sigflag.at/blog/2023/writeup-glacierctf23-peak/