Latest blog posts

ModSecurity WAF in Kubernetes

It might be necessary to apply some mitigation using external tools to give Dev teams more time to fix critical vulnerabilities, especially in large codebases. Employing a Web Application Firewall (WAF) could be such a temporary solution.

The article covers setting up a test Kubernetes environment with the NGINX Ingress controller and the ModSecurity WAF to block Spring RCE (CVE-2022-22965), known as Spring4Shell.

OS command and code execution in Erlang and Elixir applications

Sometimes you need to execute commands in the OS. How can you achieve that in Erlang and Elixir, and how can you do it securely?

Here you will find information that may be of interest both from a development and an attack point of view.

XML External Entity in Erlang and Elixir

Processing XML documents requires taking into account the possibility of an XML eXternal Entity (XXE) injection attack.

The vulnerability arises when an XML parser processes unverified data containing a reference to an external entity.

XXE belongs to category A4 in the OWASP Top 10 list of vulnerabilities.

In this publication, I will review how secure by default the popular XML parsers for Erlang and Elixir are.

XXE and OS command injections in Yaws

Yaws is a web server for dynamic-content web applications written in Erlang. The server includes several modules typical of web servers. As a result of my research, I found an XXE injection in the WebDAV module and an OS command injection in the CGI module.

OS command injection in Rebar3

Rebar3 is a tool widely used for building applications in the Erlang world. It is quite dangerous. With the tool, you can get OS command execution in various ways, some of them not intended by its developers.