Latest blog posts

XML External Entity in Erlang and Elixir

Processing XML documents requires taking into account the possibility of an XML eXternal Entity injection attack (XXE).

The vulnerability arises when an XML parser processes unverified data that contains a reference to an external entity: the parser resolves the reference and substitutes the fetched content (a local file, or the response of an internal URL) into the document.

XXE is category A4 (XML External Entities) in the 2017 OWASP Top 10 list of vulnerabilities.

In this publication, I will review how secure by default the popular XML parsers for Erlang and Elixir are.
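As an added illustration (not code from the original post or from any of the parsers it reviews), the module below shows the classic XXE payload next to one defensive pattern that does not depend on a parser's default settings: refusing any untrusted document that carries a DOCTYPE, since every entity declaration has to live in a DTD. The module name, function names and the sample payload are all my own constructs; the only library calls are `re:run/3` and `xmerl_scan:string/1` from OTP.

```erlang
%% safe_xml.erl -- added example, not part of the original post.
-module(safe_xml).
-export([xxe_sample/0, has_doctype/1, parse_untrusted/1]).

-include_lib("xmerl/include/xmerl.hrl").

%% Constructed XXE payload: an external entity pointing at a local file.
%% A parser that resolves external entities substitutes the file content
%% for &xxe; inside <foo>, so the attacker reads it back in the response.
xxe_sample() ->
    "<?xml version=\"1.0\"?>\n"
    "<!DOCTYPE foo [\n"
    "  <!ENTITY xxe SYSTEM \"file:///etc/passwd\">\n"
    "]>\n"
    "<foo>&xxe;</foo>".

%% Any entity, internal or external, must be declared in a DTD, and a DTD
%% is only ever introduced by <!DOCTYPE ...>. Untrusted input has no
%% legitimate need for one, so its presence is enough to reject the input.
has_doctype(Xml) ->
    case re:run(Xml, "<!DOCTYPE", [caseless]) of
        {match, _} -> true;
        nomatch    -> false
    end.

%% Parse untrusted XML with xmerl: refuse documents carrying a DOCTYPE
%% before the scanner gets a chance to resolve anything, and turn xmerl's
%% exits on malformed input into an error tuple instead of crashing the
%% calling process.
parse_untrusted(Xml) ->
    case has_doctype(Xml) of
        true ->
            {error, doctype_not_allowed};
        false ->
            try xmerl_scan:string(Xml) of
                {#xmlElement{} = Doc, _Rest} -> {ok, Doc}
            catch
                Class:Reason -> {error, {Class, Reason}}
            end
    end.
```

`safe_xml:parse_untrusted(safe_xml:xxe_sample())` returns `{error, doctype_not_allowed}`, while `safe_xml:parse_untrusted("<foo>bar</foo>")` returns `{ok, #xmlElement{...}}`. The check is deliberately blunt: a `<!DOCTYPE` inside a comment or CDATA section will also be rejected, which is the right failure direction for untrusted input. It is also independent of which parser you choose, so it remains a useful belt-and-braces layer even after you have verified a parser's own entity-handling options.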

XXE and OS command injections in Yaws

Yaws is a web server for dynamic-content web applications written in Erlang. The server includes several modules typical of web servers. During my research I found an XXE injection in the WebDAV module and an OS command injection in the CGI module.

OS command injection in Rebar3

Rebar3 is a tool widely used for building applications in the Erlang world. It is also quite dangerous: the tool offers several ways to reach OS command execution, some of them not intended by its developers.

Controversial certificate management using Step

The DevOps methodology implies a faster development and deployment cycle, increased reliability, and sometimes better security. Many tools are appearing to fill the security niche in DevOps.

Certificate management is a recurring infrastructure administration task that calls for automation.

Microsoft Office 365 email spoofing

Microsoft provides email services for business customers. The advertising page says «Securely run and grow your business».

Don't believe it!