
Update writeups.csv

Open onmywaytoheaven opened this issue 1 year ago • 3 comments

Hey, could you please merge my pull request?

onmywaytoheaven avatar Aug 17 '24 08:08 onmywaytoheaven

Interesting attack. Although an API should not be running untrusted code, it would seem more useful to block usage of eval to prevent code execution in the first place. Of course, this could be an edge case where the API endpoint is not sensitive; yay, defense in depth.

NDevTK avatar Aug 17 '24 12:08 NDevTK

Thanks for the feedback @NDevTK!

You are absolutely right that APIs shouldn't be running untrusted code. In Apigee, the code executed in a JavaCallout policy is isolated using JDK security features, as detailed here. Similarly, code in a JavaScript policy is sandboxed through the mechanisms provided by the Rhino JavaScript engine, as I described in the blog post.

The tricky part, and what makes this interesting, is when an object is passed from Java to JavaScript. If that object tries to perform an action that would normally violate permissions in the JavaCallout policy (and thus throw a security exception), it can still be executed within the JavaScript policy, bypassing those restrictions.

onmywaytoheaven avatar Aug 17 '24 13:08 onmywaytoheaven
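The defensive side of the point made above, as an added example (this is my code, not from this thread, from Apigee or from the Rhino project): when Rhino is embedded, every public method of a Java object bound into the script scope becomes callable from the script, so the object you hand over is the real security boundary, and the host should bind a deliberately narrow facade rather than a raw service object. The example assumes Rhino 1.7.7 or later (for initSafeStandardObjects) and that Rhino consults the ClassShutter when it first reflects a wrapped Java object's members, which is why the facade class itself must be allowed by the shutter. OrderLookupFacade, lookupStatus and the script text are hypothetical.

```java
// Added example (not from the thread, Apigee or Rhino): embed Rhino so that a
// script sees exactly one narrow Java object and no Java package globals.
// OrderLookupFacade / lookupStatus are hypothetical names.
import org.mozilla.javascript.Context;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.Scriptable;
import org.mozilla.javascript.ScriptableObject;

public class NarrowRhinoSandbox {

    /** Hypothetical facade: the only Java object the script may touch.
     *  It exposes the one operation the policy needs and nothing that reaches
     *  files, processes, class loading or reflection. */
    public static final class OrderLookupFacade {
        public String lookupStatus(String orderId) {
            // Constructed stand-in for a real backend call.
            return orderId.startsWith("A") ? "shipped" : "pending";
        }
    }

    /** Evaluates the script with the facade bound as "orders" and returns the
     *  result converted to a string. Throws RhinoException on script errors. */
    public static String run(String script) {
        Context cx = Context.enter();
        try {
            // 1. Allow-list the facade class only; every other Java class the
            //    script tries to reach (Packages.*, wrapped return values, ...)
            //    is reported as prohibited by Rhino.
            cx.setClassShutter(name -> name.equals(OrderLookupFacade.class.getName()));
            // 2. Standard objects *without* the Java-access globals
            //    (Packages, java, JavaAdapter, JavaImporter, ...).
            Scriptable scope = cx.initSafeStandardObjects();
            // 3. Bind the facade. Whatever is bound here is fully callable from
            //    script, regardless of any Java-side permission checks, so keep
            //    its public surface minimal.
            ScriptableObject.putProperty(scope, "orders",
                    Context.javaToJS(new OrderLookupFacade(), scope));
            Object result = cx.evaluateString(scope, script, "policy.js", 1, null);
            return Context.toString(result);
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        // Allowed: the narrow facade method (Rhino converts the returned
        // java.lang.String to a JS string, so no further class lookup occurs).
        System.out.println(run("orders.lookupStatus('A123')"));

        // Rejected: the safe scope has no "java" global at all, so the script
        // fails with a ReferenceError before any Java code is reached.
        try {
            run("java.lang.System.currentTimeMillis()");
        } catch (RhinoException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The two settings work at different layers: initSafeStandardObjects removes the script's ability to name Java classes, and the allow-list shutter is the backstop for classes that become reachable indirectly through values the facade returns. Neither restricts what the facade's own public methods do, which is the gap the comment above describes, so the review item for a policy host is the public surface of every object it binds into the script scope.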

Nice find :)

NDevTK avatar Aug 17 '24 14:08 NDevTK

Cool bugs!

staz0t avatar Aug 27 '24 04:08 staz0t