Today, npm, Inc. announced its acquisition of the team and assets of ^Lift Security, including ^Lift’s work on the Node Security Platform. Adam Baldwin and his team have joined npm to work full time on keeping the npm Registry and npm applications safe, and to develop new products to help developers and their companies securely develop JavaScript.

We go way back

^Lift Security has been working with npm longer than npm, Inc. has been a company. ^Lift reviews npm’s own code to ensure it’s safe before npm takes it live, and conducts periodic security audits, including penetration …

Continue reading »

I recently came across a tutorial on ARM Reverse Engineering

However, this tutorial seems to recommend using a Raspberry Pi for following along. I decided I wanted to be able to work through the tutorial using a virtual machine, so I built a QEMU VM of the ARMEL architecture. This is the same architecture that the Raspberry Pi is based on. I went with Debian for ARMEL because it's the OS I'm most familiar with. After the operating system is installed, I install tools like GDB and GEF for debugging / reverse engineering …

Continue reading »

As a startup, where might your organization get the biggest bang for your buck when it comes to security?

Consider this controversial thought:

Your founders—CEOs, CTOs—are very likely your organization’s greatest security risk.

There are few things that better predict an organization’s likelihood of a massive security breach than founders' knowledge, priorities, and willingness to put in the effort to grasp the fundamentals of security.

In a way, most software vulnerabilities can be traced up the chain of authority. Founders make decisions every step of the way that will shape your future security posture. The security …

Continue reading »

This is the story of how I found and exploited XSS (content injection) in the pgAdmin4 1.3 desktop client. (Before I get much further: if you use pgAdmin 4, go update to 1.4. I'll wait.)

The Spark

This all started one day when I speculated that pgAdmin 4 was a web application, due to the fact that it zooms in and out like below when I’m trying to use it, because part of my hand touches the ridiculously large touchpad on the new MBP. O_o

It took my subconscious about 24 hours to go from …

Continue reading »

Serverless functions are becoming a more and more popular way to deploy microservices. Given the advantage of not having to maintain your own infrastructure, effortless scaling, and the cost benefits of only paying for the time your code is actually running, it’s easy to see why.

For these reasons I’ve begun evaluating Google Cloud Functions for several of the smaller services in the nodesecurity platform. Google’s platform is still in beta, and as such is still going through some changes, but I did learn a few interesting things.

One of the most common limitations on …

Continue reading »


Slowloris is an HTTP connection exhaustion attack. The attack involves opening a large number of HTTP connections from one computer and sending the request bytes over each connection very slowly. In effect, this causes the server to become unresponsive and unable to process further requests if certain mitigations are not in place. Slowloris generally requires only one attacking machine, rather than the many machines needed in botnet-style DDoS attacks.

Details about the attack and original implementation can be found here:

NodeJS Implementations

Recently I decided to take a look …

Continue reading »

In late 2015, I decided to start researching IP cameras. I decided to try out the cheapest models available, both because I thought those models would be more “fruitful” and because I was trying to do this research on a budget. It turns out that the security on these lower-end IP cameras is really bad.

I looked at five different IP cameras and was able to gain root access on four of them within a few hours of starting to poke at them. All of the cameras I looked at cost between $30 and $70, and can …

Continue reading »

Earlier this week Zach Grace published an article on one way that you could backdoor a Node.js Express application without touching disk. This jogged my memory of something I posted in our team’s chat last week but never wrote about: how I would backdoor an Express application in memory. It’s a bit different from how Zach approached it, so I thought it would be good to expand on his post and share the knowledge.

My “vulnerable” proof of concept is below. It uses a fairly common pattern of putting routes in a separate file. The eval is …

Continue reading »

Denial of Service through Disk Space Exhaustion


Two popular WordPress plugins for disk caching are W3 Total Cache and WP Super Cache. These plugins allow pages and posts to be rendered to disk as HTML files and subsequently served from the filesystem instead of being generated from data-driven sources on every web request.

Take for example a WordPress page route at /2017/01/30/hello-world. Once a user visits this page, the output HTML will be rendered on the file system in the wp-content directory, with a subdirectory structure that matches the route.

Disk Space Exhaustion

By appending …

Continue reading »

As recently announced, the npm client supports installing packages from locations outside of the official npm registry (such as HTTP URLs). Due to a design flaw introduced in late 2014, the bearer tokens used to authenticate the npm client with the registry were being sent along with all requests, not just those to the official registry.

So, if you or one of the modules you use specified a dependency like the example below, your authentication token would be leaked to that location. Note that this is not your password but a token representing that credential.

  "dependencies": {
    "fantastic-dependency": "http …

Continue reading »