Authors: Marius Musch
2022-11-17

As websites grow ever more dynamic and load more of their content on the fly, automatically interacting with them via simple tools like curl is becoming less of an option. Instead, headless browsers with JavaScript support, such as PhantomJS and Puppeteer, have gained traction on the Web over the last few years. For various use cases like messengers and social networks that display link previews, these browsers visit arbitrary, user-controlled URLs. To avoid compromise through known vulnerabilities, these browsers need to be diligently kept up-to-date. In this talk, we investigate the phenomenon of what we coin 'server-side browsers' at scale and find that many websites are running severely outdated browsers on the server side. Remarkably, the majority of them had not been updated for more than 6 months, and over 60% of the discovered implementations were found to be vulnerable to publicly available proof-of-concept exploits.
Authors: Carolyn Van Slyck
2021-10-14

tldr - powered by Generative AI

Porter is a safer alternative to curl pipe bash for cloud-native deployments
  • Porter helps create bundles with just one file and structured metadata to pass data between steps
  • Bundles borrow security features from existing tools and can be scanned for vulnerabilities
  • Porter can check bundle signatures and verify trusted publishers
  • Porter explain shows what's in the bundle and how to run it
  • Porter install is always the same command regardless of the tech stack
  • Bundles can help with quick starts, customer installations, troubleshooting, and backups