Articles

Don’t Get Too Comfortable: Hacking ComfyUI Through Custom Nodes

This research focuses on ComfyUI, a popular stable diffusion platform with over 1,300 custom node extensions available. Through real-world examples, we demonstrate how even seemingly minor vulnerabilities in custom nodes can lead to full server compromise and explore practical strategies for securing applications that rely on third-party plugin ecosystems to minimize these risks.

Securing a Java Spring Boot API from broken JSONObject serialization CVE-2023-5072

This article explains how a critical vulnerability (CVE-2023-5072) in JSONObject library can lead to denial-of-service attacks on Spring Boot Java applications and provides steps to mitigate the risk.

Remote Code Execution with Spring Boot 3.4.0 Properties

this article introduces two methods for leveraging Logback configuration to achieve Remote Code Execution (RCE) in Spring Boot applications. These techniques are effective on the latest version of Spring Boot, with the second approach requiring no additional dependencies.

How to avoid SSRF vulnerability in Go applications

In this article, learn how SSRF vulnerabilities manifest in Go applications, and how developers can implement effective security measures to protect their applications and data.

Python Pickle Poisoning and Backdooring Pth Files

Discover the security risks of Python's pickle module and learn how malicious code can exploit PyTorch .pth files. Explore practical examples, safeguards like safetensors, and tips for secure machine learning workflows.

Vulnerabilities in Deep Learning File Formats

While pickle is a common way to store neural network weights, it can be vulnerable to attacks if downloaded from untrusted sources. Safer alternatives like SafeTensors only store raw data and prevent malicious code execution.

Hijacking OAUTH flows via Cookie Tossing

Learn about Cookie Tossing attacks, a rarely explored technique to hijack OAuth flows and enable account takeovers at Identity Providers (IdPs). Discover its implications, real-world examples, and how to safeguard applications using the Host cookie prefix.

How to respond to a newly discovered vulnerability

Learn how to effectively respond to newly discovered vulnerabilities with a structured approach using the Vulnerability Management Cycle. Discover the importance of tools like Snyk for centralizing, analyzing, and remediating vulnerabilities across your software development lifecycle.

How does Snyk DCAIF Work under the hood?

Read our technical deep-dive into how Snyk's DCAIF works. To start, with Snyk's Deep Code AI Fix, simply register for a Snyk account here, enable DeepCode AI Fix in your Snyk settings, and start reliably auto-fixing vulnerabilities in seconds.

Improving your Java application with Records

Java Records revolutionizes the way you create data-centric classes in Java, offering a concise and secure approach. Embrace Java Records and unlock efficient and maintainable Java development.

Getting started with Practical Rego

Read this guide introducing Rego, a declarative policy language, for programmers familiar with imperative languages like Python or Java. It covers key concepts, common pitfalls, and best practices for writing effective Rego policies.

JavaScript Static Analysis with ESLint and Biome

Biome, a new tool in the JavaScript ecosystem, combines code formatting and quality linting. It offers speed and performance advantages over traditional tools like ESLint and Prettier, making it a compelling alternative. With its integration into development environments like VS Code and potential adoption by major projects, Biome is poised to reshape the way JavaScript developers approach code quality and formatting.

Oops I built a feature and created an Open Redirect Vulnerability in a Deno app

Build your first Deno web application with a step-by-step guide. Learn how to implement a redirect feature while avoiding common security pitfalls like open redirect vulnerabilities. Secure your Deno app with best practices and discover how to set up a Deno development environment in GitHub Codespaces.

How Snyk Helps with the OWASP Software Assurance Maturity Model

Read how the OWASP Software Assurance Maturity Model (SAMM) and Snyk can work together to provide an effective approach to measuring, managing, and improving your software security. Learn about the key benefits, practical implementation steps, and the specific tools offered by Snyk to support your organization's security journey.

Proxmox VE CVE-2024-21545 - Tricking the API into giving you the keys

Read about a critical vulnerability (CVE-2024-21545) in Proxmox VE that allows attackers to gain full control of the system. By exploiting a flaw in the API handling, attackers with limited permissions can steal sensitive files and forge session tokens for a complete system takeover.

Getting started with JavaScript static analysis

Static analysis tools are a must-have for JavaScript developers. They automatically scan your code for errors, security vulnerabilities, and formatting issues. This helps you write better code faster and improve your overall development process.

Decoding CVEs: A practical guide to assessing and mitigating security risks

Let's explore the world of Common Vulnerabilities and Exposures (CVEs) with step-by-step examples of evaluating if a CVE impacts your project and pragmatic strategies for effective mitigation. This guide will empower you to tackle security vulnerabilities head-on. Don't let CVE warnings go unnoticed — learn how to address them confidently and efficiently.

Top 10 npm power-user commands every JavaScript developer should know

Master essential npm commands to streamline your JavaScript development. Whether it's dependency management or security enhancements, you can boost efficiency and protect your projects. Learn how to leverage npm ls, npm why, npm run, and more to elevate your npm skills today.

How Snyk uncovers libuv CVE-2024-24806 SSRF vulnerabilities in the Node.js project

Node.js is a powerful and widely used runtime that allows developers to build scalable and high-performance applications using JavaScript. However, many developers might not realize that Node.js relies heavily on several third-party open-source components to function effectively. Key among these components are libuv, OpenSSL, and V8

How to prevent prototype pollution vulnerabilities in JavaScript

Safeguard your JavaScript applications from prototype pollution vulnerabilities. Learn how to prevent attackers from infiltrating object prototypes with malicious code, jeopardizing your data and application security. Read about effective strategies, leverage Snyk's potent tools, and shield your JavaScript projects from this critical threat.