Another Cybersecurity Newsletter??

Nav. Sec. Issue #00

Welcome to the first issue of Navigating Security #00

šŸƒQuote of the week:

ā€œIf you always make the right decision, the safe decision, the one most people make, you will be the same as everyone else.ā€ -

Patrick Bet David

TLDWTR 🙄

  • Why did I start a newsletter? I might just be a bit impulsive.

  • Mobile Pentesting might be cool - for iOS though. Everyone knows how to test an Android app, but that does not seem to be the case with iOS so let’s get good at that - maybe.

  • A lot of web vulnerabilities still appear in GenAI/LLM platforms because most are built to be used programmatically, then someone decides it needs a UI. Guess what that means - the web UI exposes way too much.

  • CVE-2023-1177: LFI in MLflow allows any files from the server to be fetched.

āš ļø Not sponsored. I wish though, lol.

Why A Newsletter? šŸ¤”

I am inconsistent with most of my social media because I constantly have to think about what to post next. Do I post what I want or do I try to please the algorithm? This, on the other hand, can be as formal/informal as I want it to and thereā€™s not much thinking involved. If anything itā€™ll help me measure how much information I retain by giving a summary of whatever I decide to include here.

āš ļø The length of the newsletter is not directly proportional to how much I read this week. All of this is condensed and a lot of things are left out for various reasons. Some of yā€™all will end up thinking this guy either does too much or does too little.

Mobile Security Is Cool? 📱

Apparently, hacking mobile devices and their subsequent applications is pretty fun. I wouldn’t have thought! Maybe it’s because I am more interested in iOS as compared to Android which I have tried before. The barrier to entry for iOS-related hacking is pretty steep so guess what that means, LESS COMPETITION! In security, less competition doesn’t mean <1000 people though, keep that in mind.

Jason Haddix came back with his newsletter and highlighted some cool talks and presentations about how you can use Frida to read files, set breakpoints, disable SSL pinning, and more without having to root a device. Not sure if most people know that, but I’m usually told I would need a rooted device to get started. I shall go the Frida way for now - maybe.

Learning iOS application structure

  • Code review from a dev’s perspective: https://betterprogramming.pub/swift-the-art-of-code-reviewing-e4785da7e0c6

    • Anyone new to the code base must feel comfortable with it - this is the hallmark of a well-structured code base.

    • A common ‘language’ should be spoken. As soon as someone introduces changes that do not align with the company’s framework, iterations should be made as this would be spotted via code review.

  • iOS Code Review Checklist: https://dev.to/bornfightcompany/ios-code-review-checklist-53ia

    • Might not be the most useful from a security standpoint. A couple of security-related examples would be:

      • Authentication and Authorization:

        • Example: Verify that OAuth 2.0 is properly implemented for secure user authentication.

      • Data Encryption:

        • Example: Check that AES encryption is used for protecting user data at rest.

      • Input Validation:

        • Example: Ensure that all user inputs in forms are sanitized to prevent SQL injection.

Open-source AI/ML Bug Bounty 🤖

If you’ve ever heard about the huntr platform, formerly known as huntr.dev, you’ll know that they still have their bug bounty but for AI/ML platforms. These are still open-source platforms so I will be doing some hunting on there as well.

Guide to getting started: https://huntr.com/get-started/intro/

This guide is a gold mine as it contains a lot of details on where to start and realistic areas to find bugs in MLs that are easily reportable via their platform.

The article goes over LFI, SSRF, RCE, CORS, and file upload issues that you will find in the web application portions of MLs. Most issues seem to stem from the fact that most MLs are first developed to be used programmatically then a UI is built sometime down the road to allow less technical folks to use the ML. This exposes programmatic functionality that causes a lot of issues.

Hacking AI: CVE-2023-1177

This is an LFI that allowed an attacker to fetch whatever files they wanted from the system. Always check whether the application in question uses relative or absolute file paths to retrieve artifacts, as path handling that is not properly validated and restricted is prone to this kind of issue.
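
The relative-versus-absolute path check described above, as an added example that is not from this newsletter's sources or from MLflow's own code: a naive join of a client-supplied artifact path next to a version that resolves the path and confirms it stays under the artifact root. The function names and the temporary directory layout are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def naive_artifact_path(root: str, requested: str) -> str:
    """Unsafe pattern: joins the client-supplied path onto the artifact root as-is."""
    # os.path.join discards `root` entirely when `requested` is absolute,
    # and "../" segments survive, so the result can point outside the root.
    return os.path.normpath(os.path.join(root, requested))


def safe_artifact_path(root: str, requested: str) -> Path:
    """Resolve `requested` under `root` and refuse anything that lands outside it."""
    root_real = Path(root).resolve()
    if os.path.isabs(requested):
        raise ValueError("absolute artifact paths are not accepted")
    # resolve() collapses ".." and follows symlinks before the containment check.
    candidate = (root_real / requested).resolve()
    if not candidate.is_relative_to(root_real):  # Python 3.9+
        raise ValueError("artifact path escapes the artifact root")
    return candidate


def is_rejected(root: str, requested: str) -> bool:
    """True when the hardened resolver refuses the requested path."""
    try:
        safe_artifact_path(root, requested)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Constructed layout: <tmp>/artifacts/model.pkl plus a file outside the root."""
    base = Path(tempfile.mkdtemp()).resolve()
    root = base / "artifacts"
    root.mkdir()
    (root / "model.pkl").write_text("weights")
    secret = base / "secret.txt"
    secret.write_text("outside the root")
    os.symlink(secret, root / "link")  # symlink inside the root that points out of it
    r = str(root)
    return {
        "naive_absolute_leaves_root": naive_artifact_path(r, str(secret)) == str(secret),
        "naive_dotdot_leaves_root": naive_artifact_path(r, "../secret.txt") == str(secret),
        "safe_allows_model": safe_artifact_path(r, "model.pkl") == root / "model.pkl",
        "safe_rejects_absolute": is_rejected(r, str(secret)),
        "safe_rejects_dotdot": is_rejected(r, "../secret.txt"),
        "safe_rejects_symlink": is_rejected(r, "link"),
    }
```

When reviewing an artifact-serving endpoint, the same three inputs (an absolute path, a `..` path, and a symlink inside the root) make a quick regression test for the containment check.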

The hardest thing about discovering this vulnerability was the setup. Joe Helle (TheMayor) mentioned that in one of his blogs; setting up these open-source tools/applications is the hardest part, but the harder the setup, the easier it will be to find bugs because best believe most people gave up while trying to install - less competition.

Suggestions

Hit me up on Discord or LinkedIn if you have anything you feel would be cool to include. Thanks, Cheers.