ncc-erik's comments

My measurement was imprecise and that probably throws things off:

    python -m timeit '64135289477071580278790190170577389084825014742943447208116859632024532344630238623598752668347708737661925585694639798853367*33372027594978156556226010605355114227940760344767554666784520987023841729210037080257448673296881877565718986258036932062711 == 2140324650240744961264423072839333563008614715144755017797754920881418023447140136643345519095804679610992851872470914587687396261921557363047454770520805119056493106687691590019759405693457452230589325976697471681738069364894699871578494975937497937'
    500000 loops, best of 5: 496 nsec per loop

So roughly 2 verifications per core-millisecond, ~170 quadrillion ratio?

Found in 2700 core-years, verified in < 1 core-second

    >>> 64135289477071580278790190170577389084825014742943447208116859632024532344630238623598752668347708737661925585694639798853367*33372027594978156556226010605355114227940760344767554666784520987023841729210037080257448673296881877565718986258036932062711 == 2140324650240744961264423072839333563008614715144755017797754920881418023447140136643345519095804679610992851872470914587687396261921557363047454770520805119056493106687691590019759405693457452230589325976697471681738069364894699871578494975937497937
    True

I maintain an open-source project [1] that uses graphs to model data. I wanted to make my project as accessible as possible, so Graphviz was perfect since it's dead-simple to install and use on all major OS platforms.

[1] https://github.com/nccgroup/PMapper

I think what makes this hard for folks is tracking what the expected form of data is at each step of its lifecycle, especially considering people working with new and unfamiliar codebases or splitting focus on multiple projects.

There are some frameworks that try using types to solve the problem. Alternatively, the developers could throw in a comment that looks something like:

// client == submits raw data ==> web_server == inserts raw data (param. sql stmt) ==> db_server ==> returns query with raw data ==> our_function == returns html-escaped data ==> client

Depending on what your job role is, this last weekend probably sucked. But IMO it's also pretty typical that a few of these sorts of events happen every year.

Reminder that this exists: https://paulbellamy.com/vulnerability-name-generator

Not a ton of benefit here, because drawing attention without having the patch fully ready means more eyeballs looking. More eyeballs means someone inevitably finds and exploits/publishes before it can be mitigated.

I only imported 10 dependencies, but those 10 dependencies each had 10 dependencies which each had 10 dependencies which each had 10 dependencies and all of the sudden I'm at 10k dependencies again...

I took a networks class during college, and there was a homework question from the textbook about a scenario like this. It had you compare transferring a large amount of data over the Internet versus loading it onto a disk and driving a physical distance to load it onto the other computer. The answer depended on the available bandwidth against the distance to drive.

And for other practical applications related to this idea: https://aws.amazon.com/snowmobile/

The one a lot of folks know about was the soft hyphen (U+00AD) to bypass swear filters. I was able to use normalization to create XSS attacks.

Very comprehensive blog, nice work.

As a pentester, I always get excited when I see ACAO or an OPTIONS request in my proxy logs. It's still really hard to wrangle and get right.

Neat project, thank you for sharing.

Do you currently, or plan to, handle Condition constraints? Also, how does wonk handle combinations with statements that have the Deny effect?

Big shoutout to lru_cache. I tossed in two lines of code and was able to get a 60x speedup in my code by reducing the amount of regular expression compilations I had to do.

I saw an app prefix the prompt to allow tracking with a similar-looking pop-up that said something like "please press allow on this next step ...". That pop-up only had one button, saying "Allow", then the actual pop-up asking to allow tracking came up after that.

It will stand alone, but I keep in touch with the ScoutSuite folks. I'm thinking at some point I'll build in graph-creation based off of ScoutSuite's data collection.

Hi HN!

Principal Mapper is a tool + library for analyzing and securing your AWS IAM configuration. It generates a model of your account and/or organization and uses it to give you a better idea of the effective permissions of your IAM Users and Roles. It has privilege escalation detection built-in and is hopefully written in a way that will let you extend it for your use-cases.

This v1.1.0 update covers more types of policies (resource policies, permission boundaries, session policies, SCPs), supports AWS Organizations, enables cross-account checks, and more!

https://github.com/nccgroup/PMapper

https://research.nccgroup.com/2021/03/29/tool-release-princi...

Happy to answer any questions you have here!

Thanks for the PMapper shoutout!

Note: I am a current NCC Group employee.

It does one thing very well: quickly grabbing a snapshot of the security posture of a public cloud account's resources with little fuss. It's an ideal solution as an outsider looking in at someone's account. But, I wouldn't use it as-is for other needs (say, those of in-house security folks) like continuous monitoring. That would be like using a Polaroid camera to create a movie.

My go-to link for that class of issue is: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Simpl...

It's usually a lot easier to write the PoC with fetch() though.