10 Apr 2023
A stored XSS in Snyk Advisor (domain:snyk.io) allowed me to fabricate the health score granted for packages in my control, which I leveraged into making it seem as my "malicious" package is in fact healthy, popular and legitimate, which could have served an attacker to convince others to install an actual malicious npm package.
18 Nov 2022
Here's why our very own Snow JS, a browser security technology, should be integrated into the MetaMask browser extension. We explain the problem of supply chain attacks and how LavaMoat, a technology used by MetaMask, provides a layer of defense against such attacks. However, LavaMoat's protection is limited to the main realm, and Snow is proposed as a tool to extend this protection to all child realms. Snow aims to provide a second layer of security to enhance the app's defense against supply chain attacks.
28 Oct 2022
Realms are an old concept in the JavaScript ecosystem, but with the rise of supply chain types of attacks realms became a powerful tool for attackers to bypass well known browser runtime security tools. In order to address this concern, we first must understand - what is a realm in JavaScript?
01 Sep 2021
Abusing the Chromium Devtools Scope Pane can allow execution of Javascript by the devtools while the main thread is paused by the debugger. A walk through a very interesting discovery that JavaScript security researcher should very much be aware of.
18 Jul 2021
Today I share my "side project" for the past year, three browser javascript security libraries that aim to perform as tools for creating web apps that are more resilient to and limiting of unwanted code execution such as XSS and javascript supply chain attacks - This is my contribution attempt to the JavaScript security ecosystem!
02 Sep 2020
This is the story of how I found and helped Google patch a vulnerability in Chrome browser that could have allowed attackers to fully bypass CSP rules since Chrome 73 (March 2019), and how researching it taught me that today's CSP mechanism design is the reason no one uses CSP correctly and therefore many of the biggest websites in the world are exposed to this vulnerability.
14 Feb 2020
WhatsApp Vulnerabilities Disclosure - Open Redirect + CSP Bypass + Persistent XSS + FS read permissions + potential for RCE! A super critical vulnerability discovery and breakdown to learn from and be aware of. Here's how it looks like when a highly used b2c product leaves so many users so vulnerable to a number of client side vulnerabilities.
18 Dec 2019
Abusing SourceMappingURL feature can allow attackers to create one of the strongest Cross Browsers Javascript Anti Debugging techniques that was ever seen. In this post I walk through the discovery and explain why this finding is so powerful and important to be aware of.