- namespaces - overview of Linux namespaces http://man7.org/linux/man-pages/man7/namespaces.7.html
- mount_namespaces - overview of Linux mount namespaces
|=-----------------------------------------------------------------------=|
|=-------------=[ 3 Years of Attacking JavaScript Engines ]=-------------=|
|=-----------------------------------------------------------------------=|
|=------------------------------=[ saelo ]=------------------------------=|
|=-----------------------------------------------------------------------=|

The following are some brief notes about the changes that have taken place
since the release of the "Attacking JavaScript Engines" paper [1]. In
general, no big conceptual changes have happened since. Mitigations have
been added to break some of the presented techniques and, as expected, a
exec - Returns the last line of the command's output
passthru - Passes the command's output directly to the browser
system - Passes the command's output directly to the browser and returns the last line
shell_exec - Returns the command's output
`` (backticks) - Same as shell_exec()
popen - Opens a read or write pipe to the process of a command
proc_open - Similar to popen() but with a greater degree of control
pcntl_exec - Executes a program
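The list above is what a code reviewer greps for when hunting PHP command-execution sinks. The following is an added example, not code from the original page: a small Python scanner that flags calls to these functions (and the backtick operator) in PHP source and notes whether a request superglobal appears on the same line. The sample PHP input is constructed for the demonstration; the regexes and the taint heuristic are assumptions of this example, not part of any tool the page describes.

```python
import re

# Shell-execution sinks from the list above.
SINKS = ("exec", "passthru", "system", "shell_exec", "popen", "proc_open", "pcntl_exec")

# PHP function names are case-insensitive and may be written as \exec().
# The lookbehind skips $var(), ->method() and Class::method() so that e.g.
# PDO's $pdo->exec("UPDATE ...") is not reported as a shell sink.
CALL_RE = re.compile(
    r"(?<![\w$>:])\\?(" + "|".join(SINKS) + r")\s*\(",
    re.IGNORECASE,
)

# The backtick operator; this also matches backticks inside SQL strings, so
# such hits are reported for manual review rather than silently dropped.
BACKTICK_RE = re.compile(r"`[^`\n]*`")

# Crude taint heuristic: user-controlled input referenced on the same line.
TAINT_RE = re.compile(
    r"\$_(GET|POST|REQUEST|COOKIE|FILES|SERVER)\b|\$argv\b",
    re.IGNORECASE,
)


def scan_php(source: str) -> list[tuple[int, str, bool]]:
    """Return (line number, sink name, tainted?) for each sink found."""
    findings: list[tuple[int, str, bool]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        tainted = TAINT_RE.search(line) is not None
        for match in CALL_RE.finditer(line):
            findings.append((lineno, match.group(1).lower(), tainted))
        if BACKTICK_RE.search(line):
            findings.append((lineno, "backtick", tainted))
    return findings


# Constructed sample input (hypothetical PHP, written for this example).
SAMPLE_PHP = """<?php
$out = shell_exec("ls " . $_GET['dir']);
system("uptime");
$pdo->exec("UPDATE t SET x = 1");
echo `whoami`;
$q = "SELECT `id` FROM users";
proc_open($cmd, $spec, $pipes);
"""


def demo() -> list[tuple[int, str, bool]]:
    """Scan the constructed sample."""
    return scan_php(SAMPLE_PHP)


if __name__ == "__main__":
    for lineno, sink, tainted in demo():
        flag = "TAINTED" if tainted else "review"
        print(f"line {lineno}: {sink:<10} {flag}")
```

The scanner is line-based on purpose: it is a triage aid, not a parser. Sinks whose argument is assembled on an earlier line (like `proc_open($cmd, ...)` above) are reported without the taint flag and still need to be followed back by hand, and hits inside comments or SQL strings are expected false positives.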
rs-async-zip is an asynchronous ZIP archive reading/writing crate with a heavy focus on streaming support. This package is vulnerable to ZIP traversal (Zip Slip).
Note: This issue was privately disclosed to the maintainer. He has stated that he has made a conscious decision not to mitigate any sort of traversal attack within the library itself. He has, however, added a notice to the example code: https://github.com/Majored/rs-async-zip/commit/08587b8933f80f8a70b4e313313f2fffc22c983a
A ZIP traversal attack is a form of directory traversal that is exploited by extracting files from an archive whose entry names contain path components such as "../" or absolute paths, so that the extractor writes outside the intended destination directory. More about this type of vulnerability can be read here: https://snyk.io/research/zip-slip-vulnerability
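Because the crate leaves traversal handling to the caller, the check belongs in whatever code joins entry names onto a destination directory. The following is an added example, not code from rs-async-zip or the page: it builds a constructed archive in memory with one benign entry, one `../` entry and one absolute-path entry, shows where a naive `join(dest, name)` would write them, and then extracts with an entry-by-entry containment check. It is written in Python (the verifier's language), but the check is the same one a Rust caller would apply before opening the output file: canonicalise the joined path and refuse anything that does not stay under the destination.

```python
import io
import os
import shutil
import tempfile
import zipfile
from pathlib import Path


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one benign entry plus two Zip Slip entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign\n")
        # Relative traversal: a naive extractor writes two levels above dest.
        zf.writestr("../../outside.txt", "pwned\n")
        # Absolute path: os.path.join(dest, name) silently discards dest.
        zf.writestr("/etc/absolute.txt", "pwned\n")
    return buf.getvalue()


def naive_target(dest: str, name: str) -> str:
    """Where an unsanitised extractor would write this entry (computed, not written)."""
    return os.path.normpath(os.path.join(dest, name))


def safe_extract(archive: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract only entries that resolve inside dest; return (written, rejected) names."""
    dest_root = Path(dest).resolve()
    written: list[str] = []
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Path("/a") / "/etc/x" == Path("/etc/x"); resolve() also folds "..",
            # so the containment test below catches both traversal styles.
            target = (dest_root / name).resolve()
            if (
                os.path.isabs(name)
                or "\\" in name                      # refuse Windows-style separators
                or not target.is_relative_to(dest_root)
                or target == dest_root
            ):
                rejected.append(name)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(name)
    return written, rejected


def demo() -> tuple[list[str], list[str]]:
    """Run the checked extractor on the constructed archive in a throwaway directory."""
    archive = build_malicious_zip()
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(archive, dest)


if __name__ == "__main__":
    for name in ("../../outside.txt", "/etc/absolute.txt"):
        print(f"naive join would write {name!r} to {naive_target('/srv/unpack', name)}")
    written, rejected = demo()
    print("written:", written)
    print("rejected:", rejected)
```

Python's own `ZipFile.extractall` already strips leading slashes and `..` components, so the bug only appears when code reads entries itself and joins the names onto a directory, which is exactly the pattern a streaming library like rs-async-zip hands its callers. The containment check above does not follow symlinks that an earlier entry may have planted; an extractor that accepts symlink entries needs to resolve against the real directory each time, not just against the name.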
To build v8 from scratch on Windows for x64, follow the steps below.
NOTE: While the Chrome team provides decent documentation, there are some nuances and additional steps that must be carried out for v8 to compile on Windows.
Documentation:
Technical Details: It is possible to conduct SSRF attacks because of the way URLs are parsed by the built-in URI module versus hackney. Given the URL http://[email protected]/, URI parses the host as 127.0.0.1 (which is correct), while hackney sees the host as 127.2.2.2/. This can be abused to conduct SSRF attacks where an application relies on the URI module for host checking while hackney performs the request. See the PoC below.
import :hackney
defmodule MyApp do
# Helper function to print the URL components
def parse_and_print_url() do
attack_string = "http://[email protected]/"
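The generic fix for this class of bug is to validate and fetch from the same parse: reject userinfo outright, check the parsed host, and hand the HTTP client a URL rebuilt from the validated components rather than the attacker's original string, so the client can never parse a different host. The following is an added example, not the page's Elixir PoC and not code from hackney or the URI module; it is written in Python, and the allowed-scheme set, the `UnsafeUrl` exception and the test URLs are assumptions of this example.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption for this example


class UnsafeUrl(ValueError):
    """Raised when a user-supplied URL must not be fetched."""


def canonical_fetch_url(user_url: str) -> str:
    """Parse once, validate the parsed host, and return a rebuilt URL.

    Only the rebuilt string is handed to the HTTP client, so the client never
    re-parses the attacker's original text and cannot pick a different host.
    """
    parts = urlsplit(user_url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    # Userinfo is where host-confusion tricks live ("http://a@b/"): refuse it
    # rather than guessing which '@' the fetching library will honour.
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("userinfo is not allowed in fetch URLs")
    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if not host:
        raise UnsafeUrl("missing host")
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        raise UnsafeUrl("malformed port") from exc
    # Literal addresses that are not globally routable (loopback, RFC 1918,
    # link-local, ::1, ...) are rejected outright.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name; see the note below about resolution
    if ip is not None and not ip.is_global:
        raise UnsafeUrl(f"non-global address: {host}")
    if ip is not None and ip.version == 6:
        host = f"[{host}]"
    netloc = host if port is None else f"{host}:{port}"
    # The fragment is dropped: it is never sent to the server anyway.
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


def safe_or_none(user_url: str) -> Optional[str]:
    """The canonical URL to fetch, or None if the input was rejected."""
    try:
        return canonical_fetch_url(user_url)
    except UnsafeUrl:
        return None


if __name__ == "__main__":
    for url in (
        "http://user:pw@127.0.0.1/",
        "http://127.0.0.1/admin",
        "http://[::1]/",
        "https://api.example.com:8443/v1?x=1#frag",
    ):
        print(f"{url!r:45} -> {safe_or_none(url)!r}")
```

The literal-address check only covers URLs whose host is an IP address. A DNS name that resolves to an internal address, and a redirect from an allowed host to an internal one, both pass this function and have to be handled at fetch time (resolve, check the resulting address, and either disable redirects or re-validate each hop).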