Blog Posts

Enumerating Files Using Server Side Request Forgery and the request Module

If you ever find Server Side Request Forgery (SSRF) in a Node.js-based application and the app is using the request module, you can use a special URL format to detect the existence of files or directories.

npm Registry Spelunking: Dependencies Referenced by URL

I learned a long time ago that not all security research pans out with a stack of vulnerabilities, but every time I venture down a rabbit hole I learn something along the way. This is one of those times.

Bypassing npm / yarn ignore Scripts with Command Injection

Before you read this post, please run git --version, and if it’s not 2.14.1 or greater, please go upgrade it.

My story about mentorship and my career

The Practical Developer DevDiscuss one day got me thinking about mentorship and how it has impacted my life. It doesn’t fit in a tweet or a thread of tweets, so you get the story of how a mentorship gave me my entire career in security. This is going to be a bit stream of consciousness, so give me a break on grammar and spelling :)

In Memory Backdoor for Node.js Express Apps

Earlier this week Zach Grace published an article on one way you could backdoor a Node.js Express application without touching disk. This jogged my memory of something I posted in our team’s chat last week but never wrote about: how I would backdoor an Express application in memory. It’s a bit different from how Zach approached it, so I thought it would be good to expand on his post and share the knowledge.

Compromising Node.js apps using Machine-in-the-Middle

Just before New Year’s I published 140+ advisories on Node.js modules. I’ve been researching ways to compromise developers and Node.js applications without compromising the npm registry or its CDN.

Pillaging Distributed Version Control 5 Years Later

5 years ago at DEFCON 19 I gave a talk titled “Pillaging DVCS repos for fun and profit.” The technique and tool I outlined in that talk have been very fruitful throughout the years, and plenty of security consultants have told me that they helped them have breakthroughs during penetration tests. If it’s useful to us, it’s also useful to attackers.

What Are the Bots Up to on npm?

Last year (2015) I had a thought: “who else is downloading and running or testing random modules on npm?” I postulated that there might be bots, build systems or other researchers mass-downloading and running modules from npm. I figured it might be an interesting vector for attacking systems and gaining a foothold in some org, and I was curious to know what that traffic looked like.

Atom.io Misconfiguration Allowed Code Execution on Untrusted Networks

Developers have become an increasingly valuable target to compromise in recent years. The DevOps movement means they have more access to production, not to mention the plethora of source code and keys that you are likely to find on their machines.

Regular Expression Denial of Service Affecting Express.js

At the end of April I found a flaw in a module that Express and many other frameworks use. This flaw allows a remote attacker to block the event loop of a remote site, causing a Denial of Service that effectively blocks the site from being accessed. This type of attack is known as a Regular Expression Denial of Service attack, and we’ve found it to be quite common in the applications and modules we test.
