Year: 2017

  • Looting GraphQL Endpoints for Fun and Profit

    In one of the previous posts about the state of modern web application security I mentioned GraphQL, a technology for building APIs developed by Facebook. GraphQL is rapidly gaining popularity, and more and more services, both web and mobile, are switching to it. Some of the GraphQL users are GitHub, Shopify, Pinterest and HackerOne…

  • Arbitrary File Reading in Next.js < 2.4.1

    Next.js is a fairly popular (>13k stars on GitHub) framework for server-rendered React applications. It includes a Node.js server which renders HTML pages dynamically. While digging into the server’s code, a list of internal routes drew my attention: defineRoutes() { const routes = { /* … */ '/_next/:path+': async(req, res, params) => { const…

  • Database Firewall from Scratch

    Slides from the talk Denis Kolegov and I gave at PHDays 7, “Database Firewall from Scratch” (+ bonus).

  • PostMessage Security in Chrome Extensions

    Slides from my talk at the OWASP London Meetup on the 30th of March, 2017. Video. CRX PostMessage Scanner source code.

  • Universal (Isomorphic) Web Applications Security

    Nowadays you do not write things in jQuery. You use node.js, webpack, React, Redux, websockets, babel and a ton of other packages to help you create a basic ToDo web application. With frontend technologies developing rapidly, isomorphic (or, more correctly, universal) web applications are a big thing now. In a nutshell, it means that…