hacking, bug bounty, appsec

Security Coding in Go. Input validation


Input validation is one of most important technique in secure coding. Deep dive into it for Go language.
Read more ⟶

Mitigating SSRF vulnerabilities in Go. A practical guide. Part 1


Server-Side Request Forgery (SSRF) vulnerabilities have been around for a long time, and they still pose a significant threat to web applications, so much so this kind of vulnerability has been included in OWASP TOP 10. This time I will explain how to mitigate SSRF vulnerability in Go applications.
Read more ⟶

Threat Modeling 101


What is Threat Modeling? First of all, it’s just thinking about threats. We all do it, every day 😃 How someone could break into my house? But wait a second. How do you know that you need to protect your house in the first place? Maybe you don’t have a house, or maybe you don’t have money right now to buy deterrents. Or maybe your family thinks you are a bit paranoid? 😕
Read more ⟶

External Authentication bypass in ingress-nginx


In October 2021 I was researched ingress-nginx for possibility to bypass external authentication using path traversal. It was origin story for other investigations regarding insecure usage of $request_uri which leaded to Apache APISIX CVE-2021-43557.
Read more ⟶

Hunting for buggy authentication/authorization services on github


To successful bypass access control using path traversal in $request_uri, you need to have buggy authentication/authorization service. Buggy in a way it’s not normalizing url/uri that is part of access control decision. Let me find more of those on github that are relying on X-Original-Url.
Read more ⟶

Bug bounty tips for nginx $request_uri path traversal bypass


In this article, I will extend topic by bug bounty tips for weaknesses in authentication/authorization implementation in relation to nginx’s $request_uri variable. APIs This vulnerability is for APIs. Best scenario are microservice deployed to Kubernetes and exposed by ingress controller.
Read more ⟶

Path traversal in authorization context in Kong and F5 NGINX


In this part I will research another ingress controller based on nginx: 🦍 kong. At the end of article I will mention in short F5 NGINX Ingress Controller. In kong there is no explicit feature called external authentication, but developers gave possibility to create it using plugins.
Read more ⟶

Path traversal in authorization context in Emissary


After checking Apache APISIX and Traefik, for path traversal in authZ context, now I will research Emissary ingress. In Emissary there is feature called Basic authentication, which is very similar to forward authentication discussed in Traefik.
Read more ⟶

Path traversal in authorization context in Traefik and HAProxy


In my previous post about Apache APISIX I have found path traversal in uri-blocker plugin. In this text I will focus on yet another ingress controller which is Traefik. It has feature called forward auth. At the end I will mention HAProxy ingress controller.
Read more ⟶

CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable


In this article I will present my research on insecure usage of $request_uri variable in Apache APISIX ingress controller. My work end up in submit of security vulnerability, which was positively confirmed and got CVE-2021-43557. At the end of article I will mention in short Skipper which I tested for same problem.
Read more ⟶