All good things eventually come to an end. All poorly maintained but fun projects tend to as well. After 4 years I’m going to shut down xss.io. Its last day will be September 30th.

xss.io was built to serve my needs for extended penetration tests and as a proof of concept for a talk I gave at DEFCON 20 demonstrating the usefulness of such a technique. It met this goal.

I open sourced it a while back, you can find the code here.

Here are some stats from xss.io’s run:

  • 338 people logged in and ...

Continue reading »

We all know that security is hard. But it’s often hard in an advanced-math kind of way: cryptography, encryption, hashing algorithms, cipher suites, elliptic curves, and all the rest are challenging subjects that are not easy to understand.

By contrast, our topic for today - internationalization - is hard in a messy-reality kind of way. Internationalization (often called “i18n” for short because who wants to keep typing those 18 letters between the “i” and the “n”?) involves some exceedingly complicated matters, including:

  • thousands of human languages
  • dozens of scripts (Latin, Cyrillic, Arabic, Kanji, Runic, etc.) used to write those languages
  • 1 ...
Continue reading »

As of right now there really isn't a great source for all things Node security news, and we want to change that.

Starting May 20, we're going to start sending out a security newsletter — a Node Security Newsletter that will get dispatched every two weeks.

But we want to collaborate on curating that news with you. We need your suggestions, hacks, most helpful advisories, etc. – all of the things that you feel would be the best gathering of valuable info for us to share across the Node community.

Sign up to get on the Node Security Newsletter mailing ...

Continue reading »

A Brief Review

For many, this section will be a review, so feel free to skip ahead. However, since we are dealing with some features of the JavaScript language that most of us don't use every day, I'm going to go ahead and give a brief refresher so the rest of this makes sense.

Object oriented programming in JavaScript can be a little bit unconventional. Typically, private methods and variables are expressed as locally declared variables, while public methods and variables are expressed as properties attached to the this object, which is an object that refers to current ...

Continue reading »

A little under a year ago, I began using an application called MailPilot. MailPilot is an email client built around the concept of inbox zero and is available for both iOS and OSX.

Being someone in the security field, I frequently send and receive emails that contain exploit vectors.

A few months into using MailPilot, I had sent an email that had a Cross-Site Scripting vector in it which caused my inbox to render strangely. Of course I had to tinker with it, and ended up getting code execution through simple content injection within the context of the application's NSWebView ...

Continue reading »

Over the years I've been frequently asked how I find the things I do when testing a web application. I've also had to teach a number of people the art and have found it difficult to explain it sometimes. The various stages can overlap and sometimes merge together making it entirely unclear how to proceed.

I've done my best here to distill the points I tend to reiterate over and over down to a list of steps for those I teach; I believe they will help you find vulnerabilities in your apps as well.

What Does the App ...

Continue reading »

Team ^lift is kicking off a busy spring season with a quick trip through Cali and over to Portugal.

Last week Adam Baldwin, &yet CSO and ^lift security team lead, stopped by PayPal to share some security insights.

This week, he and security specialist David Dias, head to SINFO in beautiful Lisbon, Portugal. On Wednesday, Adam will be speaking on his personal experiences from his lifelong career in security. Find him or David there to chat ...

Continue reading »

Transport Layer Security (TLS) is one of the primary technologies for improving security over the Internet, since it is used to encrypt TCP traffic between a client such as a web browser or mobile app and a server such as a Node.js application. A variant called Datagram TLS (DTLS) is also used to encrypt UDP traffic, such as the media streams we handle in our Talky videochat service.

When vulnerabilities are found in TLS code, it's a big deal (remember Heartbleed?). Beyond code implementations are the recommendations of the TLS standard itself, codified most recently in version 1 ...

Continue reading »

Today we're announcing a pre-release beta of requireSafe.

The story for requireSafe started many years ago, back in the node 0.4 days when we were helping &yet secure products they were building for clients and themselves.

What became apparent very quickly is that these applications were built using many modules, authored by other people, each created with varying degrees of developer proficiency and dedication to manage those projects.

We had the experience to audit these dependencies, but doing so was amazingly time consuming; we needed help.

We formed the Node Security Project to start evangelizing good security practices ...

Continue reading »

Earlier this week a package called rimrafall was published to npm. This package had a preinstall hook that executed the command rm -rf /*. It was created on 01/26/2015 at 15:28 and immediately posted to Hacker News and then it was unpublished from the registry by npm at 17:06 -- giving it a lifespan of less than two hours.

The goal behind this example was to raise awareness of potential insecurities with how npm installs packages, and to highlight the necessary steps that are required to mitigate a rogue package from doing harm.

There are a couple of ...

Continue reading »