HackerTrans
TopNewTrendsCommentsPastAskShowJobs

ncc-erik

no profile record

Submissions

Show HN: Principal Mapper v1.1.0 – AWS IAM Security Analysis

github.com
7 points·by ncc-erik·5 anni fa·3 comments

comments

ncc-erik
·4 anni fa·discuss
My measurement was imprecise and that probably throws things off:

    python -m timeit '64135289477071580278790190170577389084825014742943447208116859632024532344630238623598752668347708737661925585694639798853367*33372027594978156556226010605355114227940760344767554666784520987023841729210037080257448673296881877565718986258036932062711 == 2140324650240744961264423072839333563008614715144755017797754920881418023447140136643345519095804679610992851872470914587687396261921557363047454770520805119056493106687691590019759405693457452230589325976697471681738069364894699871578494975937497937'
    500000 loops, best of 5: 496 nsec per loop
So roughly 2 verifications per core-millisecond, ~170 quadrillion ratio?
ncc-erik
·4 anni fa·discuss
Found in 2700 core-years, verified in < 1 core-second

    >>> 64135289477071580278790190170577389084825014742943447208116859632024532344630238623598752668347708737661925585694639798853367*33372027594978156556226010605355114227940760344767554666784520987023841729210037080257448673296881877565718986258036932062711 == 2140324650240744961264423072839333563008614715144755017797754920881418023447140136643345519095804679610992851872470914587687396261921557363047454770520805119056493106687691590019759405693457452230589325976697471681738069364894699871578494975937497937
    True
ncc-erik
·4 anni fa·discuss
I maintain an open-source project [1] that uses graphs to model data. I wanted to make my project as accessible as possible, so Graphviz was perfect since it's dead-simple to install and use on all major OS platforms.

[1] https://github.com/nccgroup/PMapper
ncc-erik
·5 anni fa·discuss
I think what makes this hard for folks is tracking what the expected form of data is at each step of its lifecycle, especially considering people working with new and unfamiliar codebases or splitting focus on multiple projects.

There are some frameworks that try using types to solve the problem. Alternatively, the developers could throw in a comment that looks something like:

// client == submits raw data ==> web_server == inserts raw data (param. sql stmt) ==> db_server ==> returns query with raw data ==> our_function == returns html-escaped data ==> client
ncc-erik
·5 anni fa·discuss
Depending on what your job role is, this last weekend probably sucked. But IMO it's also pretty typical that a few of these sorts of events happen every year.

Reminder that this exists: https://paulbellamy.com/vulnerability-name-generator
ncc-erik
·5 anni fa·discuss
Not a ton of benefit here, because drawing attention without having the patch fully ready means more eyeballs looking. More eyeballs means someone inevitably finds and exploits/publishes before it can be mitigated.
ncc-erik
·5 anni fa·discuss
I only imported 10 dependencies, but those 10 dependencies each had 10 dependencies which each had 10 dependencies which each had 10 dependencies and all of the sudden I'm at 10k dependencies again...
ncc-erik
·5 anni fa·discuss
I took a networks class during college, and there was a homework question from the textbook about a scenario like this. It had you compare transferring a large amount of data over the Internet versus loading it onto a disk and driving a physical distance to load it onto the other computer. The answer depended on the available bandwidth against the distance to drive.

And for other practical applications related to this idea: https://aws.amazon.com/snowmobile/
ncc-erik
·5 anni fa·discuss
The one a lot of folks know about was the soft hyphen (U+00AD) to bypass swear filters. I was able to use normalization to create XSS attacks.
ncc-erik
·5 anni fa·discuss
Very comprehensive blog, nice work.

As a pentester, I always get excited when I see ACAO or an OPTIONS request in my proxy logs. It's still really hard to wrangle and get right.
ncc-erik
·5 anni fa·discuss
Neat project, thank you for sharing.

Do you currently, or plan to, handle Condition constraints? Also, how does wonk handle combinations with statements that have the Deny effect?
ncc-erik
·5 anni fa·discuss
Big shoutout to lru_cache. I tossed in two lines of code and was able to get a 60x speedup in my code by reducing the amount of regular expression compilations I had to do.
ncc-erik
·5 anni fa·discuss
I saw an app prefix the prompt to allow tracking with a similar-looking pop-up that said something like "please press allow on this next step ...". That pop-up only had one button, saying "Allow", then the actual pop-up asking to allow tracking came up after that.
ncc-erik
·5 anni fa·discuss
It will stand alone, but I keep in touch with the ScoutSuite folks. I'm thinking at some point I'll build in graph-creation based off of ScoutSuite's data collection.
ncc-erik
·5 anni fa·discuss
Hi HN!

Principal Mapper is a tool + library for analyzing and securing your AWS IAM configuration. It generates a model of your account and/or organization and uses it to give you a better idea of the effective permissions of your IAM Users and Roles. It has privilege escalation detection built-in and is hopefully written in a way that will let you extend it for your use-cases.

This v1.1.0 update covers more types of policies (resource policies, permission boundaries, session policies, SCPs), supports AWS Organizations, enables cross-account checks, and more!

https://github.com/nccgroup/PMapper

https://research.nccgroup.com/2021/03/29/tool-release-princi...

Happy to answer any questions you have here!