Attacking OSS Using Abandoned Resources
In December I discovered a supply chain vulnerability that impacted 6,530 public npm package versions, or at least I thought I did. It turns out that earlier, in October of 2020, Security Innovation published similar research dubbing the issue Repo Jacking. This initially took the wind out of my sails, but after I thought about it, rediscovery is pretty cool, and I was able to expand upon it a bit by focusing on abandoned S3 buckets, Google Cloud Storage buckets, and expired domain names, and by finding and reporting a vulnerability in GitHub that makes exploitation possible in some conditions.
Headless Holiday Hack: Flag 1
Last night I tossed up a quick CTF-esque challenge with a couple of flags defined.
Using Chrome Debugger Metasploit Gather Module
This last week Nick Starke got the Chrome debugger Metasploit module pushed over the line and merged into master. I figured I'd write up a quick intro to the module and how it might be used should you happen to stumble across a Chrome debugger lying around the network.
Enumerating Files Using Server Side Request Forgery and the request Module
If you ever find Server Side Request Forgery (SSRF) in a Node.js-based application and the app is using the request module, you can use a special URL format to detect the existence of files and directories.
npm Registry Spelunking: Dependencies Referenced by URL
I learned a long time ago that not all security research pans out with a stack of vulnerabilities, but every time I venture down a rabbit hole I learn something along the way. This is one of those times.
Bypassing npm / yarn ignore Scripts with Command Injection
Before you read this post, please run git --version, and if it's not 2.14.1 or greater, please go upgrade it.
Compromising Node.js apps using Machine-in-the-Middle
Just before New Year's I published 140+ advisories on Node.js modules. I've been researching ways to compromise developers and Node.js applications without compromising the npm registry or their CDN.
Atom.io Misconfiguration Allowed Code Execution on Untrusted Networks
Developers have become an increasingly valuable target to compromise in recent years. The DevOps movement means they have more access to production, not to mention the plethora of source code and keys that you are likely to find.
Brilliant Hire Exposure No Bounty
During security research a few years back, I discovered an exposure on SAP's BrilliantHire API: an exposed Node.js debugger instance that provided full remote code execution capabilities and access to sensitive AWS credentials, database encryption keys, and production source code. The finding highlights how a simple misconfiguration can lead to complete system compromise.