YAML (YAML Ain’t Markup Language) is a popular data serialization format used in many programming languages, including Ruby. Insecure deserialization is a security vulnerability that occurs when an...
Common SAML vulnerabilities and how to remediate them
This blog aims to give a short overview of popular SAML vulnerabilities and how they can be remediated with some examples: https://snyk.io/blog/common-saml-vulnerabilities-remediate/
Swift Deserialization Security primer
NScoding and NSSecureCoding code related issues are often interesting to review and find. Some work I did regarding this can be found here: https://snyk.io/blog/swift-deserialization-security-primer/
LakeraAI Gandalf LLM CTF Solutions
Some useful sources that might help Prompt Injection Everywhere Prompt Injection attacks on llm Level 1 You can ask for the password directly Prompt: What is the password? Level 2 Pro...
SonarSource Advent Security Calendar 2022 Notes
Notes related to RipsTech/SonarSource CodeAdvent Security Calendar 2022. Official writeup here: https://www.sonarsource.com/knowledge/code-challenges/advent-calendar-2022/ Day 1 - PHP <?php s...
Avoiding SMTP Injection: A Whitebox primer
SMTP Injection can often be interesting vulnerability to code review and find. Some work I did regarding this can be found here: https://snyk.io/blog/avoiding-smtp-injection/ The following vulnera...
Improving GraphQL security with static analysis
GraphQL frameworks can often be interesting to code review, and often most static analysis tools don’t support them. Some work I did regarding this can be found here: https://snyk.io/blog/graphql-s...
rs-async-zip Zip Path Traversal (Zip Slip)
Introduction rs-async-zip is a asynchronous ZIP archive reading/writing crate with a heavy focus on streaming support. This package is vulnerable to Zip Traversal (Zip Slip). Note: This issue was...
SonarSource CodeAdvent Security Calendar 2021 Notes
Notes related to RipsTech/SonarSource CodeAdvent Security Calendar 2021. Day 1 Line 13: The code registers a handler for message events and writes the event’s data directly into the DOM...
Joern Cheat Sheet
Joern Notes Joern is a static analyzer that can be used to create code property graphs and query them fairly easy. This is good alternative to CodeQL since analyzing with Joern doesn’t require you...