Mikhail Kuznetcov
Nov 23, 2021

Vue3 practical development

Is your IDE a backdoor for attackers? We found critical vulnerabilities in VS Code extensions with millions of installs.

Mikhail Kuznetcov - Vue3 practical development
#1about 4 minutes

The expanding security responsibilities of developers

Digital transformation and cloud adoption have shifted infrastructure and configuration management to developers, significantly expanding their security scope beyond just application code.

#2about 2 minutes

Shifting security testing left in the development lifecycle

Integrating security tools like static analysis and software composition analysis early in the development process reduces costs and keeps pace with agile iterations.

#3about 2 minutes

The hidden risks of transitive dependencies

A significant portion of vulnerabilities are introduced through transitive dependencies, which developers are often unaware of but must now manage.

#4about 6 minutes

How attackers exploit developers and packages

Attackers compromise developers using methods like dependency confusion, unpatched vulnerabilities, and malicious packages to initiate supply chain attacks.

#5about 5 minutes

Why VS Code extensions are a prime target

The popularity of VS Code and its vast, often open-source, extension marketplace create a large and under-researched attack surface for compromising developers.

#6about 2 minutes

Building a pipeline for automated extension analysis

A custom pipeline was built to download, extract, and run static and dynamic analysis on all extensions from the VS Code marketplace.

#7about 5 minutes

Exploiting path traversal in the Instant Markdown extension

The Instant Markdown extension contained a path traversal vulnerability in its local web server, allowing an attacker to read arbitrary files from the user's machine.

#8about 11 minutes

Bypassing browser security to exploit local servers

An attacker can bypass browser CORS policy by tricking a user into downloading a malicious file and then using a path traversal vulnerability to trigger XSS on localhost, enabling file exfiltration.

#9about 5 minutes

Remote code execution in the LaTeX Workshop extension

The LaTeX Workshop extension allowed remote code execution by exploiting an insecure API call through its WebSocket server after brute-forcing the server port.

#10about 3 minutes

Impact and mitigation of extension vulnerabilities

Developers can mitigate risks by using popular, maintained extensions, while maintainers should follow security best practices and promptly fix disclosed vulnerabilities.

Related jobs
Jobs that call for the skills explored in this talk.
yesterday
SAP Developer IT HR (m/w/d)
Deichmann SE
Essen, Germany
Intermediate
14 days ago
Softwareentwickler / Anwendungsentwickler (m/w/d) m/w/d
Personalwerk GmbH
Junior
Intermediate
14 days ago
Backend Developer Java (m/w/d)
Sopra Steria Custom Software Solutions GmbH
München, Germany
Senior

Related Videos

Unleash your web skills on native!00:00
Rowdy Rabouw — 5 years ago
Unleash your web skills on native!
JavaScriptHTMLCSSAndroidAngularReactVue.jsiOSReact NativeIonic
How to Stop Choosing JavaScript Frameworks and Start Living00:00
Sasha Shynkevich — 5 years ago
How to Stop Choosing JavaScript Frameworks and Start Living
JavaScriptNode.jsDartAngularReactVue.jsEmber.jsjQueryIonicSvelte
Web development best practices in 202100:00
Laurie Voss — 4 years ago
Web development best practices in 2021
JavaScriptHTMLTypeScriptAngularReactVue.jsWordPressNuxt.jsNext.js