Conference: Defcon 31
Authors: Mikhail Shcherbakov (KTH Royal Institute of Technology), Musard Balliu (KTH Royal Institute of Technology)
2023-08-01

Many have heard about Prototype Pollution vulnerabilities in JavaScript applications. This kind of vulnerability allows an attacker to inject properties into an object's root prototype that may lead to flow control alteration and unexpected program behavior. Every time a successful exploit looks like magic or is limited to a denial of service (DoS). Would you be surprised if I told you that every application has a chain of methods that can be triggered by Prototype Pollution and leads to arbitrary code execution? Such gadgets populated Node.js core code and popular NPM packages. Keep calm. Not every app can be exploited! However, this fact increases the risk of exploitation many times over. In our research, we studied Prototype Pollution beyond DoS and analyzed Node.js source code against the gadgets. We then analyzed 15 popular Node.js apps from GitHub and got 8 RCEs. Through this talk, I will elaborate on the detected gadgets and vulnerabilities. We will also take a look at how the recent changes in Node.js mitigate these issues.
Conference: Black Hat Asia 2023
Authors: Mikhail Shcherbakov
2023-05-11

Many have heard about Prototype Pollution vulnerabilities in JavaScript applications. This kind of vulnerability allows an attacker to inject properties into an object's root prototype that may lead to flow control alteration and unexpected program behavior. Every time a successful exploit looks like magic or is limited to a denial of service (DoS). Would you be surprised if I told you that every application has a chain of methods that can be triggered by Prototype Pollution and leads to arbitrary code execution? Such gadgets populated Node.js core code and popular NPM packages. Keep calm. Not every app can be exploited! However, this fact increases the risk of exploitation many times over. In our research, we studied Prototype Pollution beyond DoS and analyzed Node.js source code against the gadgets. We then analyzed 15 popular Node.js apps from GitHub and got 8 RCEs. Through this talk, I will elaborate on the detected gadgets and vulnerabilities. We will also take a look at how the recent changes in Node.js mitigate these issues.
Authors: Hung-Ying Tai, Vivian Hu
2023-04-21

tldr - powered by Generative AI

The presentation discusses the need for a lighter and more efficient way to manage microservices in the post-pandemic rise of lightweight microservices. The solution presented is the use of WebAssembly System Interface (WASI) to create a more lightweight and efficient infrastructure.
  • The rise of lightweight microservices has created a need for a more efficient way to manage them
  • Current technology is not efficient enough for the large number of microservices required by modern applications
  • WebAssembly System Interface (WASI) provides a more lightweight and efficient infrastructure for managing microservices
  • WASI enables non-blocking sockets, supports domain name lookup, and extends the current API to allow for more functionality
  • WASI can be integrated with various databases and frameworks, including MySQL, MariaDB, PostgreSQL, and Redis server
  • The use of WASI can lead to a more efficient and lightweight infrastructure for managing microservices
Authors: Gareth Heyes
2023-02-15

tldr - powered by Generative AI

The presentation discusses the detection and prevention of Prototype Pollution vulnerabilities in JavaScript applications.
  • Prototype Pollution vulnerabilities can be exploited to execute malicious code in JavaScript applications
  • The Prototype Pollution scanner can be used to detect and prevent these vulnerabilities
  • Object.freeze or seal methods can be used to protect against Prototype Pollution
  • Inherited properties in parameter names or values can be used to leak JavaScript native code
  • Detection of JavaScript engines can be done by looking for specific inherited properties
Authors: Gal Weizman
2023-02-15

tldr - powered by Generative AI

The presentation discusses the importance of improving security and visibility in JavaScript Realms through third-party solutions. However, these solutions lack visibility into JavaScript Realms, which affects security.
  • Third-party solutions can assist in improving security and visibility in JavaScript applications
  • Behavioral overriding or monkey patching is used by third-party solutions to gain control over the application and runtime
  • However, these solutions lack visibility into JavaScript Realms, which affects security
  • Realms are ecosystems in which JavaScript plugins exist and have their own global execution environment
  • Improving security and visibility in Realms requires solutions that can provide visibility into Realms
Authors: Marius Musch
2022-11-17

As websites grow ever more dynamic and load more of their content on the fly, automatically interacting with them via simple tools like curl is getting less of an option. Instead, headless browsers with JavaScript support, such as PhantomJS and Puppeteer, have gained traction on the Web over the last few years. For various use cases like messengers and social networks that display link previews, these browsers visit arbitrary, user-controlled URLs. To avoid compromise through known vulnerabilities, these browsers need to be diligently kept up-to-date. In this talk, we investigate the phenomenon of what we coin 'server-side browsers' at scale and find that many websites are running severely outdated browsers on the server-side. Remarkably, the majority of them had not been updated for more than 6 months and over 60% of the discovered implementations were found to be vulnerable to publicly available proof-of-concept exploits.
Authors: Vivian Hu
2022-10-25

Dapr is a very popular sidecar-based application framework that supports microservices written in many languages. WasmEdge is a cloud-native WebAssembly runtime. It provides the necessary networking APIs to support WebAssembly-based microservices. In this talk, I will demonstrate how to create Rust and JavaScript functions, and run them as Dapr microservices through the WasmEdge runtime. I will also cover more advanced topics such as how to interact with Dapr APIs from the WebAssembly function and how to manage the WasmEdge microservices using Kubernetes. Source code and a live example are available here: https://github.com/second-state/dapr-wasm
Conference: CloudOpen 2022
Authors: Michael Yuan
2022-06-22

tldr - powered by Generative AI

WebAssembly can be used as a secure container format to run microservices alongside other containers and VMs. The runtime can be made fully OCI-compliant and support JavaScript to make it widely adopted. However, there are challenges in supporting Node.js APIs and a community effort is needed to support JavaScript APIs.
  • WebAssembly can be used as a secure container format to run microservices alongside other containers and VMs
  • The runtime can be made fully OCI-compliant and support JavaScript to make it widely adopted
  • There are challenges in supporting Node.js APIs, and a community effort is needed to support JavaScript APIs
Authors: Phu H. Phung
2021-09-24

Abstract: Although there exist technical solutions or legislation laws, online user privacy is still an open issue and an unsolved crisis. Indeed, there is no formal assurance mechanism to guarantee that a web application will not violate its users' privacy stated in the user agreement. In this presentation, we introduce a new method to protect web users' privacy by monitoring JavaScript code based on the source of the code, i.e., code origin. Our code-origin policy enforcement approach advances the conventional same-origin policy standard and allows the users to customize their protection. We demonstrate that our privacy policies can be certified at the development phase and verified at runtime to provide formal assurance of the enforcement.