Mikhail Kuznetcov

Vue3 practical development

Is your IDE a backdoor for attackers? We found critical vulnerabilities in VS Code extensions with millions of installs.

Vue3 practical development
#1about 4 minutes

The expanding security responsibilities of developers

Digital transformation and cloud adoption have shifted infrastructure and configuration management to developers, significantly expanding their security scope beyond just application code.

#2about 2 minutes

Shifting security testing left in the development lifecycle

Integrating security tools like static analysis and software composition analysis early in the development process reduces costs and keeps pace with agile iterations.

#3about 2 minutes

The hidden risks of transitive dependencies

A significant portion of vulnerabilities are introduced through transitive dependencies, which developers are often unaware of but must now manage.

#4about 6 minutes

How attackers exploit developers and packages

Attackers compromise developers using methods like dependency confusion, unpatched vulnerabilities, and malicious packages to initiate supply chain attacks.

#5about 5 minutes

Why VS Code extensions are a prime target

The popularity of VS Code and its vast, often open-source, extension marketplace create a large and under-researched attack surface for compromising developers.

#6about 2 minutes

Building a pipeline for automated extension analysis

A custom pipeline was built to download, extract, and run static and dynamic analysis on all extensions from the VS Code marketplace.

#7about 5 minutes

Exploiting path traversal in the Instant Markdown extension

The Instant Markdown extension contained a path traversal vulnerability in its local web server, allowing an attacker to read arbitrary files from the user's machine.

#8about 11 minutes

Bypassing browser security to exploit local servers

An attacker can bypass browser CORS policy by tricking a user into downloading a malicious file and then using a path traversal vulnerability to trigger XSS on localhost, enabling file exfiltration.

#9about 5 minutes

Remote code execution in the LaTeX Workshop extension

The LaTeX Workshop extension allowed remote code execution by exploiting an insecure API call through its WebSocket server after brute-forcing the server port.

#10about 3 minutes

Impact and mitigation of extension vulnerabilities

Developers can mitigate risks by using popular, maintained extensions, while maintainers should follow security best practices and promptly fix disclosed vulnerabilities.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Why VS Code extensions are a major attack surface
14:05 MIN

Why VS Code extensions are a major attack surface

Vulnerable VS Code extensions are now at your front door

Exploring the core technologies behind Vue 3 reactivity
03:41 MIN

Exploring the core technologies behind Vue 3 reactivity

Under The Hood of Vue 3 Reactivity

Q&A on extensions, testing, and development tools
1:32:03 MIN

Q&A on extensions, testing, and development tools

Let's build a VS Code extension for automated refactorings

The motivation behind Nuxt 3 and the UnJS ecosystem
02:29 MIN

The motivation behind Nuxt 3 and the UnJS ecosystem

Modern Web Development with Nuxt3

Enhancing the developer experience with modern tooling
23:37 MIN

Enhancing the developer experience with modern tooling

Modern Web Development with Nuxt3

Building a pipeline to analyze VS Code extensions
19:08 MIN

Building a pipeline to analyze VS Code extensions

Vulnerable VS Code extensions are now at your front door

Key takeaways on IDE and developer tool security
27:19 MIN

Key takeaways on IDE and developer tool security

You click, you lose: a practical look at VSCode's security

Impact, disclosure, and mitigation strategies
41:08 MIN

Impact, disclosure, and mitigation strategies

Vulnerable VS Code extensions are now at your front door

Featured Partners

Related Videos

See all videos
Vulnerable VS Code extensions are now at your front door44:11

Vulnerable VS Code extensions are now at your front door

Raul Onitza-Klugman & Kirill Efimov

You click, you lose: a practical look at VSCode's security29:47

You click, you lose: a practical look at VSCode's security

Thomas Chauchefoin & Paul Gerste

Under The Hood of Vue 3 Reactivity49:00

Under The Hood of Vue 3 Reactivity

Marc Backes

Modern Web Development with Nuxt341:43

Modern Web Development with Nuxt3

Alexander Lichter

Building Better with Nuxt 341:22

Building Better with Nuxt 3

Daniel Roe

Nuxt.js - Just Vue 3 and a bit of magic?26:32

Nuxt.js - Just Vue 3 and a bit of magic?

Alexander Lichter

Under The Hood Of Vue 3 Reactivity54:44

Under The Hood Of Vue 3 Reactivity

Marc Backes

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks27:10

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks

Sonya Moisset

From learning to earning

Jobs that call for the skills explored in this talk.

Angular Developer

Angular Developer

Picnic Technologies B.V.
Amsterdam, Netherlands

Intermediate
Senior
RxJS
Angular
TypeScript