Raul Onitza-Klugman & Kirill Efimov
Vulnerable VS Code extensions are now at your front door
#1about 5 minutes
The expanding role of developers in security
Digital transformation has shifted infrastructure and security responsibilities to developers, increasing their value as an attack target.
#2about 3 minutes
Integrating security earlier in the development lifecycle
Security testing has shifted left to integrate with agile development, making developers responsible for triaging issues like transitive dependency vulnerabilities.
#3about 6 minutes
Common attacks targeting software developers
Attackers compromise developers through methods like dependency confusion, unpatched vulnerabilities, and malicious packages to initiate supply chain attacks.
#4about 5 minutes
Why VS Code extensions are a major attack surface
VS Code's massive popularity and its extensive, under-researched extension marketplace make it a prime target for compromising developers.
#5about 2 minutes
Building a pipeline to analyze VS Code extensions
A processing pipeline was built to download all marketplace extensions, extract their source, and run static and dynamic analysis to find vulnerabilities.
#6about 5 minutes
Exploiting path traversal in the Instant Markdown extension
The Instant Markdown extension runs a local web server with a path traversal vulnerability, allowing an attacker to access arbitrary files on the user's machine.
#7about 8 minutes
Bypassing browser security to attack local servers
A malicious website can exploit a local server by using an XSS vulnerability to bypass CORS and exfiltrate data from the victim's machine.
#8about 3 minutes
Demo: Stealing SSH keys via a vulnerable extension
This demonstration shows how visiting a malicious link triggers an exploit chain that steals a local SSH key through the vulnerable Instant Markdown extension.
#9about 5 minutes
Remote code execution in the LaTeX Workshop extension
The LaTeX Workshop extension was vulnerable to remote code execution through a WebSocket connection that could trigger a VS Code API to open local applications.
#10about 3 minutes
Impact, disclosure, and mitigation strategies
Vulnerable extensions can lead to full supply chain attacks, but responsible disclosure led to quick fixes, and developers can mitigate risk through extension hygiene.
Related jobs
Jobs that call for the skills explored in this talk.
Matching moments
14:05 MIN
Why VS Code extensions are a prime target
Vue3 practical development
41:08 MIN
Impact and mitigation of extension vulnerabilities
Vue3 practical development
00:03 MIN
Why developers are a prime target for attackers
You click, you lose: a practical look at VSCode's security
27:19 MIN
Key takeaways on IDE and developer tool security
You click, you lose: a practical look at VSCode's security
14:43 MIN
Exfiltrating local files via a VS Code extension
Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks
10:27 MIN
Risks of exposed network services in extensions
You click, you lose: a practical look at VSCode's security
08:22 MIN
How attackers exploit developers and packages
Vue3 practical development
1:32:03 MIN
Q&A on extensions, testing, and development tools
Let's build a VS Code extension for automated refactorings
Featured Partners
Related Videos
29:47You click, you lose: a practical look at VSCode's security
Thomas Chauchefoin & Paul Gerste
44:11Vue3 practical development
Mikhail Kuznetcov
27:10Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks
Sonya Moisset
30:54Cross Site Scripting is yesterday's news, isn't it?
Martina Kraus
29:50Real-World Security for Busy Developers
Kevin Lewis
37:36Walking into the era of Supply Chain Risks
Vandana Verma
28:41101 Typical Security Pitfalls
Alexander Pirker
1:58:59Stranger Danger: Your Java Attack Surface Just Got Bigger
Vandana Verma Sehgal
From learning to earning
Jobs that call for the skills explored in this talk.
Embedded Security Engineer - Schwachstellenanalyse | Car IT | Secure Coding
Prognum Automotive GmbH
Remote
C++