Joseph Beeton: Attacking Developer Environment Through Drive-by Localhost | CONFidence 2023

youtube.com, 11 months ago


There is a widespread belief that services bound only to localhost are not accessible from the outside world; unfortunately, this is not always the case. For convenience, developers will run the services they are developing configured in a less safe way than they would (hopefully!) in higher environments.

By compromising websites developers use, injecting JS into adverts served on those sites, or simply running a phishing attack that gets the developer to open a compromised page in a web browser, it is possible to reach those localhost-bound services via non-preflighted HTTP requests, exploiting common misconfigurations in Spring or known vulnerabilities found by myself, including the recently disclosed critical vulnerability in Quarkus ( https://www.contrastsecurity.com/security-influencers/localhost-attack-against-quarkus-developers-contrast-security ). As I'll show during the talk, it is possible to achieve RCE on the developer's device or on other services on their private network. I'll cover how this class of attack works and what can be done to defend against it.
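As an added illustration (not code from the talk, from Contrast Security, or from Spring or Quarkus), the following Python guard shows the "simple request" rule that lets a browser send cross-origin requests without a preflight, and one way a localhost-bound development service could refuse such requests before any handler runs. The allowed-origin list and the header values are assumptions, not taken from the talk.

```python
from typing import Mapping, Optional

# CORS-safelisted request Content-Types (Fetch spec). Combined with a
# GET/HEAD/POST method, a browser sends these cross-origin with no preflight,
# so a page the developer merely visits can drive them at 127.0.0.1.
SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
SIMPLE_METHODS = {"GET", "HEAD", "POST"}

# Hypothetical allow-list: origins of the developer's own front-end tooling.
ALLOWED_ORIGINS = {"http://localhost:3000", "http://127.0.0.1:3000"}


def _lower(headers: Mapping[str, str]) -> dict:
    return {k.lower(): v for k, v in headers.items()}


def is_simple_request(method: str, headers: Mapping[str, str]) -> bool:
    """True if a browser would send this request cross-origin without a
    preflight (simplified: only method and Content-Type are considered)."""
    if method.upper() not in SIMPLE_METHODS:
        return False
    ctype = _lower(headers).get("content-type", "")
    ctype = ctype.split(";", 1)[0].strip().lower()
    return ctype == "" or ctype in SAFELISTED_CONTENT_TYPES


def rejection_reason(method: str, headers: Mapping[str, str]) -> Optional[str]:
    """Decide, before any handler runs, whether a localhost-bound dev service
    should refuse the request. Returns a reason string, or None to allow."""
    h = _lower(headers)
    origin = h.get("origin")
    site = h.get("sec-fetch-site")
    mode = h.get("sec-fetch-mode")
    # Browser-originated cross-site fetch/subresource traffic: a third-party
    # page, not the developer's tooling, is driving the request.
    if site == "cross-site" and mode != "navigate":
        return "cross-site request (Sec-Fetch-Site)"
    # Any request carrying an Origin we do not recognise is refused even when
    # it is "simple"; a permissive CORS setting would otherwise let it through.
    if origin is not None and origin not in ALLOWED_ORIGINS:
        kind = "non-preflighted" if is_simple_request(method, headers) else "preflighted"
        return f"untrusted origin {origin} ({kind} request)"
    return None
```

Requests with no Origin and no Sec-Fetch-Site (curl, IDE HTTP clients) pass the guard unchanged, so it narrows exposure to browser-driven traffic without breaking local workflows.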

As developers have commit access to codebases, AWS keys, server credentials etc., access to a developer's device gives an attacker a great deal of scope to pivot to other resources on the network and to modify or otherwise compromise the codebase.

https://confidence-conference.org/