Showing 13 - 21 of 21 posts
SocketSleuth: Improving security testing for WebSocket applications
Today, we are proud to announce the beta version of SocketSleuth, our new Burp Suite extension for performing security testing against WebSocket-based applications. SocketSleuth was created out of our security research group to aid in our security research against applications that leverage WebSockets for communication.
Gitpod remote code execution 0-day vulnerability via WebSockets
In this post, we present the first findings from our current research into Cloud Development Environments (CDEs) — which allowed a full account takeover through visiting a link, exploiting a commonly misunderstood vulnerability (WebSocket Hijacking), and leveraging a practical SameSite cookie bypass.
Phony PyPi package imitates known developer
A recent interesting finding in the Python Package Index (PyPi) attempted to imitate a known open source developer through identity spoofing. Upon further analysis, the team uncovered that the package, raw-tool, was attempting to hide malicious behavior using base64 encoding, reaching out to malicious servers, and executing obfuscated code. In this post, we’re going to take a deeper look at that vulnerability, but first let’s take a look at how our researchers discovered it.
Deep dive into Visual Studio Code extension security vulnerabilities
Snyk has found severe vulnerabilities in popular VS Code extensions, enabling attackers to compromise local machines as well as build and deployment systems through a developer’s IDE. Learn how they work and how to protect your code.
Exploring intent-based Android security vulnerabilities on Google Play
Intents are used by internal components to communicate with each other as well as to access exported components of other applications, which opens the door for malicious attacks. In this post, we’ll explore intent-based Android security vulnerabilities to see why and how they work.