Articles


Streamline your static analysis triage with SARIF Explorer


I created SARIF Explorer, a VSCode extension that allows you to triage static analysis results more effectively and with more enjoyment. You can install it through the VSCode marketplace and find its code in our vscode-sarif-explorer repo.


Secure your Apollo GraphQL server with Semgrep


In this post, I’ll show you how I used Semgrep’s taint mode to write small and accurate Semgrep rules that detect CSRF and CORS misconfigurations in Apollo GraphQL servers. Try them out with semgrep --config p/trailofbits!


Escaping well-configured VSCode extensions for profit (part 2)


In this post, I’ll demonstrate how I bypassed a Webview’s localResourceRoots by exploiting small URL parsing differences between the browser and other VSCode logic and an over-reliance on the browser to do path normalization. This bypass allows an attacker with JavaScript execution inside a Webview to read files anywhere in the system, including those outside the localResourceRoots. Microsoft assigned this bug CVE-2022-41042 and awarded us a bounty of $7,500 (about $2,500 per minute of bug finding).


Escaping misconfigured VSCode extensions (part 1)


In this two-part blog, I’ll cover how I found and disclosed three vulnerabilities in VSCode extensions and one vulnerability in VSCode itself (a security mitigation bypass assigned CVE-2022-41042 and awarded a $7,500 bounty).


Using CodeQL to help exploit a Linux kernel UAF


In this article, I will describe how I used CodeQL to look for kernel structures that are kmalloc'ed and contain function pointers, to help exploit a use-after-free in the Linux kernel.


Using Binary Ninja to find format string vulns in Binary Ninja


In this article, I describe a plugin I developed to find format string vulnerabilities using Binary Ninja. It was published in Paged Out!'s issue #1, won Best Security/RE article, and was presented in São Paulo, Brasil at Hackers to Hackers Conference 2019.