EJS, Server side template injection RCE (CVE-2022-29078) - writeup

Note: The objective of this research, or any similar research, is to improve the security level of the Node.js ecosystem. Recently I was working on a related project using one of the most popular Node.js templating engines, Embedded JavaScript templates (EJS). Over the weekend I started to have a look around to see if the library is vulnerable to server-side template injection. Since the library is open source, we can take a white-box approach and look at the source code....

April 23, 2022 · 4 min · Me

SSRF vulnerability in Uppy, Detected by Shieldfy

In this post, we will explain how Shieldfy detected an SSRF (server-side request forgery) vulnerability in Uppy, one of the popular packages on npm, diving into the technical details of the vulnerability, exploitation and the fix. Uppy is a sleek, modular JavaScript file uploader that integrates seamlessly with any application. It’s fast, easy to use and lets you worry about more important problems than building a file uploader. Uppy has more than 130,000 downloads a month....

March 3, 2020 · 2 min · Me

Practical Exploitation of Error-Based SQL Injection

Hi everybody, I don’t post many write-ups online because most of the work is done privately and under NDA. But this time I decided to publish this (anonymously, after the website owner agreed) because too many developers insist that you can’t exploit complicated SQL, or non-result SQL (example: count(*) SQL). Note: You can automate everything in this article using SQLMap, but I choose to exploit it manually to explain the under-the-hood process....

February 20, 2017 · 4 min · Eslam Salem