Articles

Streamline your static analysis triage with SARIF Explorer

| jofra

I created a SARIF Explorer, a VSCode extension that allows you to triage static analysis results more effectively and with more enjoyment. You can install it through the VSCode marketplace and find its code in our vscode-sarif-explorer repo.


Secure your Apollo GraphQL server with Semgrep

| jofra

In this post, I’ll show you how I used Semgrep’s taint mode to write small and accurate Semgrep rules that detect CSRF and CORS misconfigurations in Apollo GraphQL servers. Try them out with semgrep --config p/trailofbits!


Escaping well-configured VSCode extensions for profit (part 2)

| jofra

In this post, I’ll demonstrate how I bypassed a Webview’s localResourceRoots by exploiting small URL parsing differences between the browser and other VSCode logic and an over-reliance on the browser to do path normalization. This bypass allows an attacker with JavaScript execution inside a Webview to read files anywhere in the system, including those outside the localResourceRoots. Microsoft assigned this bug CVE-2022-41042 and awarded us a bounty of $7,500 (about $2,500 per minute of bug finding).


Escaping misconfigured VSCode extensions (part 1)

| jofra

In this two-part blog, I’ll cover how I found and disclosed three vulnerabilities in VSCode extensions and one vulnerability in VSCode itself (a security mitigation bypass assigned CVE-2022-41042 and awarded a $7,500 bounty).


Using CodeQL to help exploit a linux kernel UAF

| jofra

In this article I will describe how I used CodeQL to look for kernel structures that are kmalloc’ed and contain function pointers to help exploit a use-after-free in the linux kernel.


Using Binary Ninja to find format string vulns in Binary Ninja

| jofra

In this article I describe a plugin I developed to find format string vulnerabilities using binary ninja. It was published on Paged Out!’s issue #1, winning Best Security/RE article and presented in São Paulo, Brasil at Hackers to Hackers Conference 2019