Research

My Favorite Vulnerability: From ERROR to inter-protocol exploitation

I’m excited to finally write up and share my favorite vulnerability I’ve ever found. It’s a story where all the right pieces fell into place to make it exploitable. The names, ports, and other details have been changed to protect the vulnerable even though this took place probably 6 years ago and I believe the devices are now sunsetted.

Identify an O.MG Cable

Today I got my hands on an O.MG cable. It is extremely well manufactured and to most it will be extremely stealthy.

Leveraging Javascript Debuggers for compromise

Summary

I discovered that developers do leave remote JavaScript debuggers and headless browsers lying around on the internet, leading to sensitive data exposure and an interesting remote position for an attacker.

npm Registry Spelunking: Dependencies Referenced by URL

I learned a long time ago that not all security research pans out with a stack of vulnerabilities, but every time I venture down a rabbit hole I learn something along the way. This is one of those times.

In Memory Backdoor for Node.js Express Apps

Earlier this week Zach Grace published an article on one way that you could backdoor a Node.js Express application without touching disk. This jogged my memory of something I posted in our team’s chat last week but never wrote about: how I would backdoor an Express application in memory. It’s a bit different from how Zach approached it, so I thought it would be good to expand upon his post and share the knowledge.

Pillaging Distributed Version Control 5 Years Later

5 years ago at DEFCON 19 I gave a talk titled “Pillaging DVCS repos for fun and profit.” The technique & tool I outlined in that talk have been very fruitful throughout the years, and plenty of security consultants have told me that this helped them have breakthroughs during penetration tests. If it’s useful to us, it’s also useful to attackers.

What Are the Bots Up to on npm?

Last year (2015) I had a thought: “who else is downloading and running / testing random modules on npm?” I postulated that there might be bots, build systems or other researchers mass downloading and running modules from npm. I figured it might be an interesting vector to attack systems and gain a foothold in some org, and I was curious to know what that traffic looked like.

Regular Expression Denial of Service Affecting Express.js

At the end of April I found a flaw in a module that Express and many other frameworks use. This flaw allows a remote attacker to block the event loop of a remote site, causing a Denial of Service and effectively blocking the site from being accessed. This type of attack is known as a Regular Expression Denial of Service attack, and we’ve found it to be quite common in applications and modules we test.
