Security

Attacking OSS Using Abandoned Resources

In December I discovered a supply chain vulnerability that impacted 6,530 public npm package versions, or at least I thought I did. It turns out that earlier, in October of 2020, Security Innovation had published similar research dubbing the issue Repo Jacking. This initially took the wind out of my sails, but after I thought about it, rediscovery is pretty cool, and I was able to expand upon it a bit by focusing on abandoned S3 buckets, Google Cloud Storage buckets, expired domain names, and finding and reporting a vulnerability in GitHub to make exploitation possible in some conditions.


Enumerating Files Using Server Side Request Forgery and the request Module

If you ever find Server Side Request Forgery (SSRF) in a Node.js based application and the app is using the request module, you can use a special URL format to detect the existence of files and directories.


Bypassing npm / yarn ignore Scripts with Command Injection

Before you read this post, please run git --version, and if it's not 2.14.1 or greater, please go upgrade it.


Compromising Node.js apps using Machine-in-the-Middle

Just before the New Year I published 140+ advisories on Node.js modules. I've been researching ways to compromise developers and Node.js applications without compromising the npm registry or their CDN.
