Attacking open source using abandoned resources

Feb 6, 20210 likes146 views

Adam Baldwin

Overview of a supply chain attack against node.js / npm based applications. (Similar to repo-jacking)

Attacking Open Source using
Abandoned Resources
Speakeasy JS - Feb 05, 2021

Discovery
Abandoned Resource Attacks
Fun Facts
Disclosure

“I wonder if…”
“Have you tried it yet”
Discovery

https:/
/blog.securityinnovation.com/repo-jacking-exploiting-the-dependency-supply-chain

APP
Dependency
express@4.3.1
npm Registry
Background

APP
Dependency
Dependency
express@4.3.1
npm Registry
https:/
/example.com/pkg-1.0.0.tgz
File
Background

APP
Dependency
Dependency
Dependency
express@4.3.1
npm Registry
https:/
/example.com/pkg-1.0.0.tgz
File
github:evilpacket/beep-boop#beta
GitHub
Repository
Background

Attack Overview
npm cli GitHub
git clone evilpacket/beep-boop
github:evilpacket/beep-boop#beta

Attack Overview
npm cli GitHub
git clone evilpacket/beep-boop
redirect -> joemcpwnerson/beep-boop
github:evilpacket/beep-boop#beta

Attack Overview
npm cli GitHub
git clone evilpacket/beep-boop
redirect -> joemcpwnerson/beep-boop
Git clone joemcpwnerson/beep-boop
github:evilpacket/beep-boop#beta

Attack Overview
npm cli GitHub
git clone evilpacket/beep-boop
redirect -> joemcpwnerson/beep-boop
Git clone joemcpwnerson/beep-boop
Have a repo
github:evilpacket/beep-boop#beta

Vulnerable
Packages
https://evilpacket.net/2021/attacking-oss-using-abandoned-resources/
754

Vulnerable
Packages
https://evilpacket.net/2021/attacking-oss-using-abandoned-resources/
754
Download the list

Vulnerable
Package
Versions
https://evilpacket.net/2021/attacking-oss-using-abandoned-resources/
6,530

deps
vs
devDeps
https://evilpacket.net/2021/attacking-oss-using-abandoned-resources/
> 50%
⚠

Latest
Version
Vulnerable
https://evilpacket.net/2021/attacking-oss-using-abandoned-resources/
~ 56%
⚠

Disclosure
TL;DR - I’m sorry for the emails
Special thanks to a bunch of pesky Hackers, Open Source
Maintainers, GitHub Security, and the webpack-cli maintainers…

T.hanks!
adam_baldwin
evilpacket
Questions?

In this talk, top ranked white-hat hacker Frans Rosén (@fransrosen) will focus on methodologies and results of attacking modern web technologies. He will do a deep-dive in postMessage, how vulnerable configurations in both AWS and Google Cloud allow attackers to take full control of your assets. Listen to 60 minutes of new hacks, bug bounty stories and learnings that will make you realize that the protocols and policies you believed to be secure are most likely not.

Hunting for the secrets in a cloud forestSecuRing

Have you ever wonder if the access to your cloud kingdom is secure? Have you ever thought how cyber criminals are hunting for your secrets? How can you be sure that your secret is not “mistakenly” available to the public? In my presentation I’m going to present you hackish methods used by cyber criminals to find access keys in the public Internet. How can Shannon Entropy help you? During the presentation, I’ll release my own scaners to search AWS and Azure space and in the end I will demonstrate my own tool to analyze big amounts of data in search for sensitive data. Lots of demos, technical stuff and educating moral for unaware specialists in the end. It’s gonna be fun!

DNS hijacking using cloud providers – No verification neededFrans Rosén

This is my talk from OWASP Appsec EU and also Security Fest 2017. A few years ago, Frans and his team posted an article on Detectify Labs regarding domain hijacking using services like AWS, Heroku and GitHub. These issues still remains and are still affecting a lot of companies. Jonathan Claudius from Mozilla even calls “Subdomain takeover” “the new XSS”. Since then, many tools have popped up to spot these sorts of vulnerabilities. Frans will go through both the currently disclosed and the non-disclosed ways to take control over domains and will share the specific techniques involved.

Debugging Your Plone Sitecdw9

Distributing UI Libraries: in a post Web-Component worldRachael L Moore

Modern UI Component libraries influenced by Web Components will rely more heavily on package management than last generation UI Frameworks. In this 15 minute session we'll introduce package management for web graphical user interfaces, talk about the best package contents for a UI component, and some tactics for making smooth releases. For video, skip to 57 minutes, 13 seconds (57:13), http://www.youtube.com/watch?v=BhP86d5IiM4&t=57m13s

OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP

This document summarizes Frans Rosén's presentation on attacking modern web technologies. It discusses vulnerabilities in AppCache that allowed files to be cached and executed across domains. It also describes issues with upload policies for cloud storage services like AWS S3 and Google Cloud that could allow overwriting or reading arbitrary files if not properly configured. Finally, it presents examples of how cross-site scripting could occur through improper validation of user-supplied data sent via postMessage between domains.

A story of the passive aggressive sysadmin of AEMFrans Rosén

# By Frans Rosén Adobe Experience Manager is an enterprise CMS with a troubled history. It was created with the angle of high customization factor, enabling consulting firms to deploy it all over the world for huge customers. Then came security. Frans will go through some terrible default configuration mistakes, Adobe’s love for bad Flash and how a sysadmin accidentialy exposed an international multi billion dollar company using only sad thoughts. # About speaker Frans Rosén is a tech entrepreneur, bug bounty hunter and a Security Advisor at Detectify, a security service for developers. He’s a frequent blogger at Detectify Labs and a top ranked participant of bug bounty programs, receiving some of the highest bounty payouts ever on HackerOne. Frans was recently featured as #2 on Hackread’s list of 10 Famous Bug Bounty Hunters of All Time and the results of his security research has been covered in numerous international publications such as Observer, BBC, Ars Technica, Wired and Mashable.

Building Open-Source React ComponentsZack Argyle

Building Open-source React ComponentsZack Argyle

Making it Work Offline: Current & Future Offline APIs for Web AppsNatasha Rooney

The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén

Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He have recieved the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call 02:30 a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.

CPANci: Continuous Integration for CPANMike Friedman

The document provides a brief history of testing on CPAN from 1987 to the present. It discusses the development of the Test Anything Protocol (TAP) and CPAN Testers for testing Perl modules. It then proposes the idea of CPANci, a continuous integration system for all of CPAN that would test each distribution in isolation on virtualized environments to avoid issues with CPAN Testers. The document outlines an approach using perlbrew and cpanminus to test each distribution on fresh Perl installations of different versions.

GateKeeper - bypass or not bypass?Csaba Fitzl

Gatekeeper only verifies executables run through the open command or by double clicking, not those run through other means like using terminal. While experiments 2-4 seemed to bypass Gatekeeper, they were actually expected behavior. Gatekeeper's goal is to prevent execution of downloaded applications only when users double click them. In Catalina, Gatekeeper also verifies executables run through exec and performs malware checks on every execution, closing the previous bypass methods. Plist files can still be executed regardless of quarantine attributes, allowing for potential remote code execution. Bringing your own virtual machine is another avenue to achieve malware goals without host access.

REST API Pentester's perspectiveSecuRing

Nowadays REST APIs are behind each mobile and nearly all of web applications. As such they bring a wide range of possibilities in cases of communication and integration with given system. But with great power comes great responsibility. This talk aims to provide general guidance related do API security assessment and covers common API vulnerabilities. We will look at an API interface from the perspective of potential attacker. I will show: how to find hidden API interfaces ways to detect available methods and parameters fuzzing and pentesting techniques for API calls typical problems I will share several interesting cases from public bug bounty reports and personal experience, for example: * how I got various credentials with one API call * how to cause DoS by running Garbage Collector from API

T3DD13 - Automated deployment for TYPO3 CMS (Workshop)Tobias Liebig

The document discusses plans and ideas for automating deployment of TYPO3 CMS websites. It proposes several extensions (EXT:coreapi, EXT:migrations, EXT:fixtures) and tools (TYPO3 Surf, t3xutils) to help make the deployment process more standardized and automated. The author outlines concepts for the extensions and tools, including tasks for migrating database schemas, exporting and importing database records as fixtures, and deploying content between TYPO3 instances. He seeks feedback on the ideas and plans to refine concepts, implement proofs of concept, and discuss the concepts with others.

21st Century CPAN Testing: CPANciMike Friedman

How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén

This document discusses insecure direct object references (IDOR), which occur when a developer exposes references like file or database keys without access control. This allows attackers to access unauthorized data by manipulating the references. The document provides examples of IDOR vulnerabilities found in Twitter, Oculus, Square, Zapier, and WordPress. It emphasizes having a generic access control model, using user IDs instead of numeric IDs, and thoroughly reviewing code to prevent IDOR issues.

Só o Pentest não resolve!Anchises Moraes

A quantidade frequente de ataques bem sucedidos, fraudes e vazamentos de dados mostram que as empresas estão falhando em manter a segurança de seus sites, aplicações e bases de dados. Embora o "pentest" seja uma técnica muito comum de testar a segurança de um site, hoje temos a disposição um conjunto de ações que podem ser adotadas de forma complementar para testar e corrigir aplicações desde a sua concepção até a produção. amo conversar um pouco sobre as diferenças e vantagens de adotar práticas de testes de segurança, scan, pentest, vulnerability disclosure e bug bounty. Palestra realizada o Meetup OWASP São Paulo, 30/11/2018

Hunting for the secrets in a cloud forestSecuRing

This presentation discusses how access keys can leak from cloud services like AWS, Azure, and GCP. It outlines several ways keys may leak, such as from unsecured storage containers, compromised accounts, and web applications. The presentation then demonstrates a tool called DumpsterDiver that uses entropy analysis to hunt for private keys within files. Countermeasures discussed include access control, encryption, VPN access only, multi-factor authentication, regular data verification, and penetration testing. The goal is to show how keys can leak and discuss reliable prevention strategies.

OpenRestyを用いてイケイケなサービスを作る方法Sho Yoshida

Asynchronous WordPressAaron Brazell

The document discusses offloading hooked events in WordPress to increase page speed. It describes how every event in WordPress takes time to complete when loading a page. This can add overhead. It recommends using an asynchronous library called WP_Async to run events on the shutdown hook instead of during page loads. This allows long-running tasks to run asynchronously in the background without slowing down page loads. It provides an overview of how to use the library to create asynchronous tasks to improve WordPress performance.

Asynchronous WordPressAaron Brazell

LetSwift 2017 - 토스 iOS 앱의 개발/배포 환경Mintak Son

20+ Ways To Bypass Your Macos Privacy MechanismsSecuRing

Composer - The missing package manager for PHPTareq Hasan

Badge Poser v3.0 - A DevOps JourneyFabio Cicerchia

Sharing the whole journey experience. Starting with the handover of the keys of the pandora box, wandering around the deep dark forest of uncertainty and instability of the rushed deployed systems. Trying to declutter and reach a stable stage where the order reigns over chaos, where the poor guy can finally sleep at night and the pager eventually goes silent for a while. At the end we'll be reaching the so-desired level of confidence to not be worried about experimenting, changing things and upgrading infrastructure.

Breaking bad habits with GitLab CIIvan Nemytchenko

1. The document discusses using GitLab CI to automate software development tasks like testing, packaging, and deployment. 2. It provides examples of configuring GitLab CI pipelines to run tests, package code as gzip and ISO files, and deploy artifacts to S3 storage and GitLab pages. 3. The document also covers more advanced topics like using environments to separate staging and production, enabling manual deployment for production, and automatically deploying feature branches to separate review environments.

MavenFabio Bonfante

DWX 2022 - DevSecOps mit GitHubMarc Müller

GitHub investierte sehr stark im Bereich Security und hat als weltweit grösste Open-Source-Plattform auch die ideale Basis, um Abhängigkeiten und Schwachstellen viel genutzter Bibliotheken zu analysieren und zu notifizieren. In öffentlichen wie auch in privaten Repositories in GitHub Enterprise Cloud und GitHub Enterprise Server stehen einem unter dem Betriff "GitHub Advanced Security" eine Vielzahl von Sicherheitsfunktionen zur Verfügung. Dieser Vortrag zeigt die Funktionsweise der Features Code Scanning, Secret Scanning und Dependency Review auf. GitHub Actions und Pull Requests runden die Werkzeugkiste für einen erfolgreichen DevSecOps-Prozess ab.

More Related Content

What's hot (19)

Building Open-Source React ComponentsZack Argyle

Building Open-source React ComponentsZack Argyle

Making it Work Offline: Current & Future Offline APIs for Web AppsNatasha Rooney

The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén

CPANci: Continuous Integration for CPANMike Friedman

GateKeeper - bypass or not bypass?Csaba Fitzl

REST API Pentester's perspectiveSecuRing

T3DD13 - Automated deployment for TYPO3 CMS (Workshop)Tobias Liebig

21st Century CPAN Testing: CPANciMike Friedman

How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén

Só o Pentest não resolve!Anchises Moraes

Hunting for the secrets in a cloud forestSecuRing

OpenRestyを用いてイケイケなサービスを作る方法Sho Yoshida

Asynchronous WordPressAaron Brazell

LetSwift 2017 - 토스 iOS 앱의 개발/배포 환경Mintak Son

20+ Ways To Bypass Your Macos Privacy MechanismsSecuRing

Composer - The missing package manager for PHPTareq Hasan

Badge Poser v3.0 - A DevOps JourneyFabio Cicerchia

Building Open-Source React ComponentsZack Argyle

Building Open-source React ComponentsZack Argyle

Making it Work Offline: Current & Future Offline APIs for Web AppsNatasha Rooney

The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén

CPANci: Continuous Integration for CPANMike Friedman

GateKeeper - bypass or not bypass?Csaba Fitzl

REST API Pentester's perspectiveSecuRing

T3DD13 - Automated deployment for TYPO3 CMS (Workshop)Tobias Liebig

21st Century CPAN Testing: CPANciMike Friedman

How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén

Só o Pentest não resolve!Anchises Moraes

Hunting for the secrets in a cloud forestSecuRing

OpenRestyを用いてイケイケなサービスを作る方法Sho Yoshida

Asynchronous WordPressAaron Brazell

LetSwift 2017 - 토스 iOS 앱의 개발/배포 환경Mintak Son

20+ Ways To Bypass Your Macos Privacy MechanismsSecuRing

Composer - The missing package manager for PHPTareq Hasan

Badge Poser v3.0 - A DevOps JourneyFabio Cicerchia

Similar to Attacking open source using abandoned resources (20)

Breaking bad habits with GitLab CIIvan Nemytchenko

MavenFabio Bonfante

DWX 2022 - DevSecOps mit GitHubMarc Müller

Developer in a digital crosshair, 2022 edition - Oh My H@ck!SecuRing

Attacks on third-party libraries and tools that are often used while developing software have become dramatically frequent. Among these attacks, one can find dependency confusion, issues in popular dev tools (Codecov, Homebrew, npm...), typosquatting, incidents (PHP, GitHub...), or malicious changes in popular dependencies (UAParser.js, coa, node-ipc...). I will share a lot of gripping real-life examples of such attacks, their causes and effects, and help you stay secure while developing software.

"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine

During the session we will go through different methods of exploiting file upload pages in order to trigger Remote Code Execution, SQL Injection, Directory Traversal, DOS, Cross Site Scripting and else of web application vulnerabilities with demo codes. Also, we will see things from both Developers and Attackers side. What are the protections done by Developers to mitigate file upload issues by validating File Name, File Content-Type, actual File Content and how to bypass it All using 15 Technique!

A Tour of npm-resourceHiroyuki Komagata

This document discusses the author's npm-resource package, which allows publishing Node packages to npm with password-based login. It provides an overview of npm-resource, noting that it uses npm info to check versions, npm install to handle inputs, and npm publish to handle outputs. The author also mentions tackling integration tests and links to the dcind project, which implements Docker Compose and the daemon in Docker. Code examples are provided but not shown.

composer_talk_20160209Bradley Wogsland

Composer allows PHP developers to declare and manage dependencies of PHP packages and libraries. It provides tools for installing, updating, and managing dependencies of PHP applications and packages. The document discusses how to use Composer to declare dependencies in a composer.json file, install dependencies, publish your own packages, and consume packages published by other developers. It highlights benefits like dependency management, autoloading, and keeping dependencies updated.

Using software modules welcome to hell!Baruch Sadogursky

Using software modules today is the default way of working for most systems and frameworks. With the advent of many software languages and OSS frameworks, new module systems are constantly created and new module ecosystems start to prevail. This trend is horizontal and covers operating system packages, language libraries and application modules (plugins). But while some module systems are nicer to use, others are repeating past mistakes and are a daily source for developer agony and pain. In this short talk I will present the \"lessons learned\" at JFrog, where we make software for managing software libraries and deal with many types of module systems. This talk will show what works and what doesn\'t work in a module system; what features can make a module ecosystem thrive or fail; and why, despite all downsides, modules are here to stay and conquer more space as the Cloud continues to grow.

3. backup file artifacts - mazin ahmedRashid Khatmey

The document discusses backup file artifacts (BFAs), which occur when code editors or version control systems create backup files that are sometimes left exposed publicly. This can disclose source code or sensitive information. The document introduces BFAC, a tool written in Python to detect BFAs through automated testing. BFAC checks for various types of BFA patterns and artifacts from version control systems. It aims to be more comprehensive than existing vulnerability scanners. The document also provides examples of real-world BFA findings and discusses mitigations, such as developer awareness and access rules.

Riding on rails3 with full stack of gemsAndy Wang

This document lists various Ruby on Rails plugins and tools across different categories such as authentication, authorization, views, administration, forms, searching, pagination, background processing, state machines, APIs, caching, deployment, scheduling, and testing. Each category lists relevant plugins with their GitHub links. The document also lists some websites for Rails resources. The document is copyrighted to Intridea Inc.

創科資訊四月小聚 - React Native Clonecat 101Kent Chen

Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedMazin Ahmed

OpenTuesday: Agile Testautomatisierung und Continuous IntegrationDigicomp Academy AG

Getting root with benign app store apps vsecurityfestCsaba Fitzl

This document discusses macOS privilege escalation techniques using benign App Store apps. It describes how dylib hijacking can be used to gain root privileges by subverting the installation process and dropping files in privileged locations. It provides a demonstration using a "Crontab Creator" app to drop a cronjob that executes a script with root privileges. The document also discusses monitoring tools and how Apple addressed the vulnerability in later versions of macOS.

[Hackersuli][HUN]MacOS - Going Down the Rabbit Holehackersuli

Developer in a digital crosshair, 2023 edition - 4DevelopersSecuRing

Recent years show a significant increase in attacks against libraries, tools, and infrastructure used in application development, as well as directly against developers and software companies. From fake libraries and malicious changes to popular libraries or programming languages to vulnerabilities in CI/CD infrastructure components. During the presentation, you will discover a handful of interesting, fresh examples and attack techniques and, perhaps most importantly, learn how to work safely as a programmer. You will find out about typosquatting, dependency confusion, protestware and discover stories of attacks on PHP, Codecov, Homebrew, npm, Ruby Gems, or GitHub.

Developer in a digital crosshair, 2022 editionSecuRing

This presentation takes you through recent attacks aimed at software developers and software companies. First it starts with attacks on libraries you install or have installed (typosquatting, pushing malicious library updates due to maintainer's credential takeover, protestware), even your private ones (dependency confusion). Second it shows attack on tools which are used in software development (package managers). Third, there are examples of attacks onto developer's infrastructure (PHP programming language git sever, GitHub OAuth incident with Heroku and Travis-CI).

Continuous SecuritySysdig

Continuous Delivery helps to keep your software and Docker images updated and deploy new versions in production easily. Microservices are great reducing the attack vector and limiting the privileges or credentials access of each piece of your application. Containers provide an opportunity to implement better security, small, immutable, single process and purpose. In this session, we will discover real use case examples on how to make your CI/CD pipeline interact with Docker security tools. But security doesn’t stop where your deployment pipeline ends. How we can prepare for 0-days and policy violations that happen at run-time? Can we make it part of the CI/CD process?

Reliable from-source builds (Qshare 28 Nov 2023).pdfRalf Gommers

High Performance WordPressvnsavage

The document discusses optimizing WordPress for high performance. It provides recommendations for services installation including Nginx, PHP-FPM, APC, MySQL, and Memcached. It also gives configuration details for Nginx, PHP-FPM, APC, MySQL, and caching. Benchmarks show a significant performance increase when applying optimizations like APC caching. The presentation concludes by discussing scaling to larger implementations using load balancers, caching servers, and a master-slave database setup.

Breaking bad habits with GitLab CIIvan Nemytchenko

MavenFabio Bonfante

DWX 2022 - DevSecOps mit GitHubMarc Müller

Developer in a digital crosshair, 2022 edition - Oh My H@ck!SecuRing

"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine

A Tour of npm-resourceHiroyuki Komagata

composer_talk_20160209Bradley Wogsland

Using software modules welcome to hell!Baruch Sadogursky

3. backup file artifacts - mazin ahmedRashid Khatmey

Riding on rails3 with full stack of gemsAndy Wang

創科資訊四月小聚 - React Native Clonecat 101Kent Chen

Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedMazin Ahmed

OpenTuesday: Agile Testautomatisierung und Continuous IntegrationDigicomp Academy AG

Getting root with benign app store apps vsecurityfestCsaba Fitzl

[Hackersuli][HUN]MacOS - Going Down the Rabbit Holehackersuli

Developer in a digital crosshair, 2023 edition - 4DevelopersSecuRing

Developer in a digital crosshair, 2022 editionSecuRing

Continuous SecuritySysdig

Reliable from-source builds (Qshare 28 Nov 2023).pdfRalf Gommers

High Performance WordPressvnsavage

More from Adam Baldwin (14)

JavaScript Supply Chain SecurityAdam Baldwin

1) The document discusses software supply chain security and examples of known attacks, including typosquatting, project takeovers, account takeovers, and inserting malware or backdoors into dependencies. 2) It provides details on specific past attacks, such as those on the event-stream, eslint, and electron-native-notify packages, how they were carried out, and their goals. 3) The presentation recommends steps developers can take to help protect their software supply chains, such as carefully managing dependencies, setting up a SECURITY.md file, enabling GitHub security features, and using two-factor authentication.

Building a Threat Model & How npm Fits Into ItAdam Baldwin

This document discusses threat modeling as it relates to npm, the package manager for JavaScript. It provides an overview of how npm threat models by considering assets, attack surfaces, and threat actors. It then outlines some key risks to npm like compromised accounts, known vulnerabilities in packages, and malware. The document concludes by covering mitigations npm has implemented, such as two-factor authentication, auditing for vulnerabilities, package signing, and automated threat detection.

Hunting for malicious modules in npm - NodeSummitAdam Baldwin

Ever since the threat of an npm worm became public we've been thinking about how to detect malicious modules in our ecosystem and how to provide security teams auditing modules with tooling and intel to make informed decisions about module risk. We've built a system to analyze modules based on their installation behavior. This talk will discuss the results of this endeavor and share the interesting findings from this new and previously unexplored dataset and try to answer the question if a npm worm is lurking in the shadows.

Continuous Security - Thunderplains 2016Adam Baldwin

Continuous SecurityAdam Baldwin

- Continuous Security involves keeping vulnerabilities out of production code through thorough design, code reviews, testing and automation. It also requires actively monitoring production systems and engaging in ongoing security practices like internal bug hunting and penetration testing. Shifting organizational security culture is important as well, with support from leadership and a focus on building accountability, trust and enforcement over time.

Nodevember 2015Adam Baldwin

Node Security Experiments discusses security issues in the Node.js ecosystem. It covers topics like malicious modules hosted on NPM, insecure installation scripts, typosquatting vulnerabilities, password exposure, auditing packages for vulnerabilities, static analysis tools to detect security issues, and challenges of keeping up with the large number of packages. The document also mentions detecting and preventing specific security vulnerabilities, tools for auditing packages like NSP and Retire.js, potential bots in the ecosystem, and challenges with binary modules and exposing vulnerabilities in Node.js core.

The Art of Identifying Vulnerabilities - CascadiaFest 2015Adam Baldwin

The document discusses identifying vulnerabilities through understanding systems and code, thinking like an attacker, and following data flows from sources to sinks. It provides examples of testing a JavaScript milliseconds conversion utility by generating strings of increasing length to trigger a regular expression denial of service vulnerability in one of its sinks. The talk emphasizes gaining knowledge of nuances, thinking like an attacker to find unintended uses of systems, and persistent testing through curiosity to identify vulnerabilities.

Node Day - Node.js Security in the EnterpriseAdam Baldwin

This document discusses Node.js security in the enterprise. It covers communicating security priorities between technical and business teams, gathering intelligence on vulnerabilities, and implementing technical controls like linting, testing, shrinkwrapping dependencies, and retire.js to detect vulnerable modules. It emphasizes that enterprises are responsible for vetting all dependencies and that the greatest vulnerability is often developers, so peer review is important.

Node Security Project - LXJS 2013Adam Baldwin

The document discusses the Node Security Project and responsible security disclosures. It notes that while they had control over code linting and peer review, they lacked control over third party code and the npm delivery system. It suggests improvements like private issues/pull requests could help security research. The document advocates for better security education and resources through initiatives like NodeSchool.

Security First - Adam BaldwinAdam Baldwin

The document discusses security and building a security-first culture. It notes that security is difficult because software has many opinions and constraints. While no software is completely secure, individuals are responsible for security and should educate themselves on vulnerabilities, validate and sanitize inputs, use cryptography, and audit code. The document encourages teaching others about security and having conversations to improve security awareness.

JSConf 2013 Builders vs BreakersAdam Baldwin

This document discusses the Node Security Project, which aims to audit Node.js modules to find and help fix security issues. It was presented by Adam Baldwin who founded the project. The project will audit over 30,000 modules, fix any issues found, report them to the developers, and publish the results. Developers are encouraged to contribute by auditing modules, submitting pull requests for fixes, and otherwise helping to make the Node.js ecosystem more secure.

EV1LSHA - Misadventures in the land of LuaAdam Baldwin

Writing an (in)secure webapp in 3 easy stepsAdam Baldwin

The document summarizes a presentation on writing insecure web applications. It discusses common issues like insecure navigation, cross-site scripting due to lack of output encoding, and other security problems. It provides examples of these issues like navigation to malicious sites through hashbangs and XSS via unsanitized user input. The presentation recommends approaches to address these problems like using libraries for output encoding and implementing a content security policy. It also discusses other risks like cross-site request forgery, clickjacking, insecure cookie handling and more. The presentation aims to educate developers on security issues that allow writing insecure code.

Pony Pwning Djangocon 2010Adam Baldwin

This document summarizes a presentation on Django web application security given by Adam Baldwin. The presentation covered common security failures in Django projects including cross-site scripting due to improper validation of user input in templates, file uploads that do not check extensions or store files in protected directories, direct access to objects without authorization checks, and other issues. Baldwin emphasized avoiding security problems by following best practices like input validation, using middleware to set security headers, and not allowing privileged operations with HTTP GET.

JavaScript Supply Chain SecurityAdam Baldwin

Building a Threat Model & How npm Fits Into ItAdam Baldwin

Hunting for malicious modules in npm - NodeSummitAdam Baldwin

Continuous Security - Thunderplains 2016Adam Baldwin

Continuous SecurityAdam Baldwin

Nodevember 2015Adam Baldwin

The Art of Identifying Vulnerabilities - CascadiaFest 2015Adam Baldwin

Node Day - Node.js Security in the EnterpriseAdam Baldwin

Node Security Project - LXJS 2013Adam Baldwin

Security First - Adam BaldwinAdam Baldwin

JSConf 2013 Builders vs BreakersAdam Baldwin

EV1LSHA - Misadventures in the land of LuaAdam Baldwin

Writing an (in)secure webapp in 3 easy stepsAdam Baldwin

Pony Pwning Djangocon 2010Adam Baldwin

Recently uploaded (20)

Quantum Computing Quick Research Guide by Arthur MorganArthur Morgan

This is a Quick Research Guide (QRG). QRGs include the following: - A brief, high-level overview of the QRG topic. - A milestone timeline for the QRG topic. - Links to various free online resource materials to provide a deeper dive into the QRG topic. - Conclusion and a recommendation for at least two books available in the SJPL system on the QRG topic. QRGs planned for the series: - Artificial Intelligence QRG - Quantum Computing QRG - Big Data Analytics QRG - Spacecraft Guidance, Navigation & Control QRG (coming 2026) - UK Home Computing & The Birth of ARM QRG (coming 2027) Any questions or comments? - Please contact Arthur Morgan at [email protected]. 100% human made.

Web and Graphics Designing Training in RajpuraErginous Technology

Web & Graphics Designing Training at Erginous Technologies in Rajpura offers practical, hands-on learning for students, graduates, and professionals aiming for a creative career. The 6-week and 6-month industrial training programs blend creativity with technical skills to prepare you for real-world opportunities in design. The course covers Graphic Designing tools like Photoshop, Illustrator, and CorelDRAW, along with logo, banner, and branding design. In Web Designing, you’ll learn HTML5, CSS3, JavaScript basics, responsive design, Bootstrap, Figma, and Adobe XD. Erginous emphasizes 100% practical training, live projects, portfolio building, expert guidance, certification, and placement support. Graduates can explore roles like Web Designer, Graphic Designer, UI/UX Designer, or Freelancer. For more info, visit erginous.co.in , message us on Instagram at erginoustechnologies, or call directly at +91-89684-38190 . Start your journey toward a creative and successful design career today!

Cybersecurity Identity and Access Solutions using Azure ADVICTOR MAESTRE RAMIREZ

IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...organizerofv

Semantic Cultivators : The Critical Future Role to Enable AIartmondano

Mastering Advance Window Functions in SQL.pdfSpiral Mantra

Into The Box Conference Keynote Day 1 (ITB2025)Ortus Solutions, Corp

#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025BookNet Canada

Book industry standards are evolving rapidly. In the first part of this session, we’ll share an overview of key developments from 2024 and the early months of 2025. Then, BookNet’s resident standards expert, Tom Richardson, and CEO, Lauren Stewart, have a forward-looking conversation about what’s next. Link to recording, transcript, and accompanying resource: https://bnctechforum.ca/sessions/standardsgoals-for-2025-standards-certification-roundup/ Presented by BookNet Canada on May 6, 2025 with support from the Department of Canadian Heritage.

Manifest Pre-Seed Update | A Humanoid OEM Deeptech In Francechb3

Are Cloud PBX Providers in India Reliable for Small Businesses (1).pdfTelecoms Supermarket

The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfAbi john

Electronic_Mail_Attacks-1-35.pdf by xploitniftliyevhuseyn

Special Meetup Edition - TDX Bengaluru Meetup #52.pptxshyamraj55

HCL Nomad Web – Best Practices and Managing Multiuser Environmentspanagenda

Webinar Recording: https://www.panagenda.com/webinars/hcl-nomad-web-best-practices-and-managing-multiuser-environments/ HCL Nomad Web is heralded as the next generation of the HCL Notes client, offering numerous advantages such as eliminating the need for packaging, distribution, and installation. Nomad Web client upgrades will be installed “automatically” in the background. This significantly reduces the administrative footprint compared to traditional HCL Notes clients. However, troubleshooting issues in Nomad Web present unique challenges compared to the Notes client. Join Christoph and Marc as they demonstrate how to simplify the troubleshooting process in HCL Nomad Web, ensuring a smoother and more efficient user experience. In this webinar, we will explore effective strategies for diagnosing and resolving common problems in HCL Nomad Web, including - Accessing the console - Locating and interpreting log files - Accessing the data folder within the browser’s cache (using OPFS) - Understand the difference between single- and multi-user scenarios - Utilizing Client Clocking

Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul

Artificial intelligence is changing how businesses operate. Companies are using AI agents to automate tasks, reduce time spent on repetitive work, and focus more on high-value activities. Noah Loul, an AI strategist and entrepreneur, has helped dozens of companies streamline their operations using smart automation. He believes AI agents aren't just tools—they're workers that take on repeatable tasks so your human team can focus on what matters. If you want to reduce time waste and increase output, AI agents are the next move.

Cyber Awareness overview for 2025 month of securityriccardosl1

Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell

Splunk Security Update | Public Sector Summit Germany 2025Splunk

Generative Artificial Intelligence (GenAI) in BusinessDr. Tathagat Varma

Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxAnoop Ashok