A personal mini blog about infosec and life
Recently, YouTube reminded me of a piece I used to listen to: https://www.youtube.com/watch?v=2zcTKhohtJg.
This video includes the Minuet and Badinerie movements of Bach's Suite No. 2 in B minor. I became familiar with these pieces, specifically the Badinerie, from the old 1993 "Bonus" PC game I played when I was younger. It turns out that my partner knows this game as well, so it was nostalgic and fun.

(🎮) I also play Little Nightmares II. It's a game where the character is small (young?) and weak, in a world full of nightmares, and finds another little companion along the journey. I've never encountered a game in this genre with graphics, puzzles, and surroundings as creative and unique as this one (or maybe I just don't play a lot 🙃). They have surely succeeded in delivering the feeling of being weak and vulnerable in a world full of threats and surprises, along with self-belief and the feeling of being able to survive.
(🎥) Additionally, chosen at random, I watched the South Korean sci-fi TV series The Silent Sea, which is one of the best TV series I've ever watched.
New Things I learned
(🔬) EJS is a templating engine usually used with Node.js. When used with Express, EJS can be susceptible to an SSTI vulnerability when we can control the template rendering process. Since Express.js enables extended query-string parsing by default (e.g. filter[status]=active&filter[age][gte]=30 is parsed into nested objects), it allows us to control the options object passed to EJS's render() function.
References:
(🔬) A cool blog post about a vulnerability chain involving clickjacking that led to a $4133.7 reward from Google. It was nice to see the process of exploitation and the persistence when things didn't work as expected: https://x.com/rebane2001/status/1836653696639271329
(🔬🐍) In Python, if we can send a string that will be formatted, or control the format template, we can execute arbitrary code and read internal data. Two examples:
References:
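As an added example (not code from the original post), the pattern described above beside a hardened form: a string.Formatter subclass that accepts only bare keyword fields, so a caller-controlled template cannot walk attributes or indexes of the objects it is given. The config object and values are constructed for the demo.

```python
import string
from types import SimpleNamespace


class SafeFormatter(string.Formatter):
    """Like str.format(), but templates may only use bare keyword fields.

    str.format() resolves "{cfg.secret_key}" or "{cfg[0]}" by walking the
    attributes and indexes of the objects it is given, so a caller-controlled
    template can read far more than the one value you meant to expose.  This
    subclass refuses any field that is not a plain identifier and raises a
    clear error for a name that was not explicitly supplied.
    """

    def get_field(self, field_name, args, kwargs):
        # The base class would walk "a.b[c]" here; we stop at the bare name.
        if not field_name.isidentifier():
            raise ValueError(f"disallowed format field: {field_name!r}")
        if field_name not in kwargs:
            raise ValueError(f"unknown format field: {field_name!r}")
        return kwargs[field_name], field_name


def unsafe_render(template, **values):
    """The pattern the note warns about: an untrusted template hits str.format()."""
    return template.format(**values)


def safe_render(template, **values):
    """Render template using only the explicitly supplied keyword values."""
    return SafeFormatter().vformat(template, (), values)


def try_safe_render(template, **values):
    """Return (True, rendered) or (False, reason) instead of raising."""
    try:
        return True, safe_render(template, **values)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample object: an app config that should never reach a template.
    cfg = SimpleNamespace(app_name="demo", secret_key="PLACEHOLDER-secret")
    print(safe_render("Welcome to {name}", name=cfg.app_name))  # Welcome to demo
    print(unsafe_render("{cfg.secret_key}", cfg=cfg))           # leaks the secret
    print(try_safe_render("{cfg.secret_key}", cfg=cfg))         # rejected
```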
(🔬💉🛢️) If there is a NoSQL injection in MongoDB and the query uses aggregation, we can interact with data from other collections using '$lookup' and '$unionWith'. How can we know aggregation is used when there is no source code? As mentioned in the article in the references: "In MongoDB, the aggregate method always expects an array of aggregation stages as its first argument. Therefore, look for JSON arrays as a parameter. The "$match" and "$lookup" operators in a JSON request can also indicate the use of the aggregate method".
References:
(📗) I didn't think about it before, but I learned from the book "Real-World Bug Hunting" that even if the HttpOnly attribute is set, in situations where there is XSS and also a misconfiguration such as an exposed /phpinfo.php (which reflects the cookies), we can steal them anyway.
Weekly Thoughts and Updates
(📄) My first CVE was published 🎉 https://www.cve.org/CVERecord?id=CVE-2024-44807
A few notes on this:
I didn't think it would be this easy to receive or publish a CVE. The internet is full of products and software, and every little vulnerability in them can be a CVE. It made me think that, aside from helping make the world more secure, unless the CVE is critical, interesting or complicated, the achievement feels slightly less significant to me now.
Thumbs up for D-ZERO (the vendor) for being very professional and efficient. Actually, I interacted with several entities during this process, and while I'm not sure if this is typical, the Japanese handling process was very efficient. I wonder if it's related to trust. In the past, I contacted companies from different countries around the world, and it's not uncommon for them to ignore the message.
(📄) Handling the CVE process because of this CVE publication (and because of another one I really wish to publish) made me think about going through various random CVEs. Since they usually have public references (as part of the requirements for CVE publication), I can read them, learn from them and gain inspiration for vulnerabilities.
It also increased my interest in doing code review for open source software and seeing if I find anything.
(🐛) A week ago I contacted the vendor of the product I found a high/critical vulnerability in, but there's still no reply from them; I'll wait another week and contact them again. Meanwhile, I'm trying to see if any of the vulnerable companies using this product have a VDP or BPP.
(🐋) I've finished the Docker course and now I'm preparing for the certification test.
(🔨) Got an idea for a tool that identifies the framework/programming language/etc. of web apps using different methods. I put it in my To Do/backlog list, and I will check this idea later.