Vulnerability showcase
Security write-ups describing how hacks work are popular, because ethical hackers want to (and have to) keep learning. However, current write-ups consist mainly of text with a few code snippets, while the point of the story is the vulnerable path through the code.
Therefore Codean launched a new initiative, Vulnerability Showcase, which offers a new write-up format that presents the codebase with the story next to it. We believe that explaining a hack from the codebase itself gives a deeper and more holistic insight into the vulnerability.
We think it’s wonderful how knowledge is shared in the security world, so we are glad to contribute to it.
How does it work?
For this format we use the Community Edition of Codean. There you have the whole codebase in front of you and click step by step through the vulnerable path. That shows you how the vulnerability works: from input field to misuse, from source to sink.

Available write-ups

2. A command injection in the markasjunk plugin built into Roundcube.

3. A Socket.IO DoS vulnerability, discovered in house at Codean.

4. Remote Code Execution (RCE) using the Log4Shell vulnerability.

5. A DoS vulnerability we discovered in Feathers, which led to CVE-2023-37899.

6. A DoS vulnerability we discovered in Sails.js, which led to CVE-2023-38504.