2026-01-28
SecLoop, CVE, Open Source

Found CVE-2025-68428 in Apache Superset using SecLoop

Ran SecLoop on Apache Superset and discovered a critical jsPDF vulnerability (CVE-2025-68428) - a Local File Inclusion/Path Traversal that allows arbitrary file reads in Node.js environments. Raised a PR to update jspdf from 3.x to 4.0.0 which fixes the vulnerable file system access.

2026-01-21
PortSwigger, Authentication, Burp Suite

Username enumeration via different responses

Login forms can leak valid usernames through response differences. By comparing responses for valid vs invalid usernames (different error messages, response length, timing), attackers can enumerate users before brute-forcing passwords.

2026-01-21
PortSwigger, Authentication, Burp Suite

2FA simple bypass

Some 2FA implementations mark the session as logged in as soon as the password step succeeds and never check whether the second factor was actually completed. After logging in with valid credentials, directly navigating to /my-account skips the 2FA page entirely if the server doesn't track "2FA verified" as separate session state.
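Added example (not from the page or from PortSwigger's lab code): a minimal two-step login in Python with the account page implemented twice. The vulnerable handler only checks that a user is in the session, so it serves the page straight after the password step; the fixed one requires an explicit mfa_verified flag that only the second step sets. The user store, the 4-digit code and the paths are assumptions for the demo.

```python
import secrets

USERS = {"carlos": {"password": "montoya"}}   # constructed demo data, not a real account

def login(session, username, password):
    """Step 1: password check. Stores who is logging in and that 2FA is still pending."""
    user = USERS.get(username)
    if user is None or user["password"] != password:
        return False
    session["user"] = username
    session["mfa_verified"] = False
    session["mfa_code"] = "%04d" % secrets.randbelow(10000)   # 'sent' to the user out of band
    return True

def verify_mfa(session, code):
    """Step 2: second factor. Only this function may set mfa_verified."""
    expected = session.get("mfa_code", "")
    if session.get("user") and secrets.compare_digest(code, expected):
        session["mfa_verified"] = True
        session.pop("mfa_code", None)
        return True
    return False

def my_account_vulnerable(session):
    """Checks only that step 1 happened: GET /my-account right after login succeeds."""
    if "user" not in session:
        return 302, "/login"
    return 200, "account page for %s" % session["user"]

def my_account_fixed(session):
    """Requires proof in the session that the second factor was completed."""
    if "user" not in session:
        return 302, "/login"
    if not session.get("mfa_verified"):
        return 302, "/login2"        # back to the 2FA step, never to the account page
    return 200, "account page for %s" % session["user"]
```

The point of the fix is that "logged in" is not one boolean: the session carries the stage it has reached, and every protected handler checks for the final stage, not an earlier one.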

2026-01-21
PortSwigger, Authentication, Burp Suite

Password reset broken logic

Password reset flows can be exploited if the server doesn't use the identity the token was issued to. In the broken version, presenting any valid token (your own) proves that "a reset is in progress", but the account to update is taken from the username parameter in the request, so changing that parameter resets another user's password. The fix is to look the user up from the token and ignore any user-supplied username.
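Added example (not the page's or PortSwigger's code): the broken reset handler next to the fixed one, in Python. Tokens are stored with the user they were issued to; the vulnerable version only asks "does this token exist?" and then trusts the submitted username, while the fixed version takes the account from the token record and rejects a mismatch. User names and passwords are constructed demo data.

```python
import secrets

USERS = {"wiener": "peter", "carlos": "montoya"}   # constructed: username -> password
RESET_TOKENS = {}                                  # token -> username it was issued to

def request_reset(username):
    """Issue a single-use reset token for an existing user (sent by email in practice)."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(16)
    RESET_TOKENS[token] = username
    return token

def reset_vulnerable(token, username, new_password):
    """Broken: any valid token authorises a reset of whatever username the request names."""
    if token not in RESET_TOKENS:
        return False
    USERS[username] = new_password
    del RESET_TOKENS[token]
    return True

def reset_fixed(token, username, new_password):
    """Fixed: the account comes from the token; the submitted username must match it."""
    owner = RESET_TOKENS.get(token)
    if owner is None or owner != username:
        return False
    USERS[owner] = new_password
    del RESET_TOKENS[token]
    return True
```

When testing a real flow, also try the POST with the token parameter removed or emptied: some implementations validate the token only on the GET that renders the form.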

2026-01-21
PortSwigger, Authentication, Burp Suite

Username enumeration via subtly different responses

Even subtle response differences reveal valid usernames. A trailing period in an error message, a small HTML change, or a timing variation can be picked up with Burp Intruder: use Grep - Match on the exact error string (period included) and sort by the response length and time columns to spot the one row that differs.
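Added example covering both enumeration notes above (not code from the page or from PortSwigger): a Python script that runs a wordlist against a login function and flags the candidates whose status, normalised body or timing differs from the majority response. The login endpoint here is a constructed stand-in that leaks validity through wording, a trailing period and a slower path for real accounts; against a real target you would replace fake_login with an HTTP call returning the same (status, body, elapsed) triple.

```python
import re
import time
from statistics import median

# Constructed stand-in for a login endpoint (not a real target). Real accounts get a
# different message, a trailing period, and a delay standing in for the hash check.
VALID_USERS = {"carlos", "wiener"}   # assumed accounts, demo only

def fake_login(username, password):
    """Return (status, body, elapsed_seconds), shaped like an HTTP client result."""
    start = time.perf_counter()
    if username in VALID_USERS:
        time.sleep(0.02)
        body = "Incorrect password."
    else:
        body = "Invalid username or password"
    return 200, body, time.perf_counter() - start

def fingerprint(body):
    """Reduce a body to what is stable across requests: length plus whitespace-normalised text."""
    text = re.sub(r"\s+", " ", body).strip()
    return (len(text), text)

def enumerate_users(candidates, login=fake_login, password="x",
                    timing_factor=3.0, min_delta=0.005):
    """Return {username: [reasons]} for candidates whose response stands out.

    In a wordlist the majority response is the 'unknown user' case, so it is the
    baseline. Timing is only flagged when it is both a multiple of the median and
    more than min_delta seconds above it, to avoid chasing jitter.
    """
    observed = {name: login(name, password) for name in candidates}
    signatures = [(status, fingerprint(body)) for status, body, _ in observed.values()]
    baseline = max(set(signatures), key=signatures.count)
    base_time = median(elapsed for _, _, elapsed in observed.values())
    found = {}
    for name, (status, body, elapsed) in observed.items():
        reasons = []
        if status != baseline[0]:
            reasons.append("status %d" % status)
        if fingerprint(body) != baseline[1]:
            reasons.append("body differs: %r" % fingerprint(body)[1])
        if elapsed > base_time * timing_factor and elapsed - base_time > min_delta:
            reasons.append("slow response (%.3fs vs %.3fs)" % (elapsed, base_time))
        if reasons:
            found[name] = reasons
    return found
```

Against a real endpoint, add rate-limit handling and repeat the timing probe several times per name; a single slow response is not evidence.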

2026-01-19
PortSwigger, Info Disclosure

Information disclosure in error messages

Verbose error messages can leak framework versions, stack traces, and database details. Always check error responses for version numbers that could reveal known vulnerabilities.

2026-01-19
PortSwigger, Info Disclosure

Debug pages expose sensitive environment variables

Debug endpoints like /cgi-bin/phpinfo.php can expose SECRET_KEY, database credentials, and internal paths. Look for HTML comments linking to debug pages and check robots.txt.
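Added example for the two information-disclosure notes above (error messages and debug pages); it is not code from the page or from PortSwigger. A small Python scanner greps response bodies for the things worth extracting: framework version strings, Java/Python stack traces, database error signatures, filesystem paths and phpinfo-style environment rows carrying SECRET_KEY or DB_PASSWORD. The two sample pages are constructed, not captured from any real system.

```python
import re

# Patterns to extend for the stack in scope; these cover the common cases.
PATTERNS = {
    "framework_version": re.compile(
        r"\b(?:Apache Tomcat|Apache|nginx|PHP|Tomcat|Django|Spring Boot)(?: Version)?[ /]v?(\d+(?:\.\d+)+)", re.I),
    "java_stack_trace": re.compile(r"^\s*at [\w$.]+\([\w.]+:\d+\)", re.M),
    "python_traceback": re.compile(r"Traceback \(most recent call last\)"),
    "sql_error": re.compile(r"(SQL syntax|ORA-\d{5}|psycopg2\.|PDOException)"),
    "filesystem_path": re.compile(r"(?:/var/www/[\w./-]+|[A-Z]:\\(?:[\w ]+\\)+[\w.]+)"),
    "env_secret": re.compile(
        r"\b(SECRET_KEY|DB_PASSWORD|AWS_SECRET_ACCESS_KEY|API_KEY)\b\s*(?:=|</td><td[^>]*>)\s*([^\s<]+)"),
}

def find_disclosures(body):
    """Return (category, evidence) pairs found in one response body; tags are stripped from evidence."""
    hits = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(body):
            evidence = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", m.group(0))).strip()
            hits.append((name, evidence))
    return hits

# Constructed error page (verbose 500 with a stack trace).
ERROR_PAGE = (
    "HTTP Status 500 - Internal Server Error\n"
    "Apache Tomcat/9.0.31 - Error report\n"
    "java.lang.NullPointerException\n"
    "\tat com.example.shop.ProductController.show(ProductController.java:42)\n"
    "\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\n"
)

# Constructed phpinfo-style debug page (environment table).
DEBUG_PAGE = (
    "<h2>Environment</h2><table>\n"
    '<tr><td class="e">SECRET_KEY</td><td class="v">xyz123abc</td></tr>\n'
    '<tr><td class="e">DB_PASSWORD</td><td class="v">hunter2</td></tr>\n'
    '<tr><td class="e">DOCUMENT_ROOT</td><td class="v">/var/www/html</td></tr>\n'
    "</table><p>PHP Version 7.4.3</p>\n"
)
```

Feed it every non-200 response and every page reached from robots.txt or HTML comments; a version string alone is enough to go looking for known issues in that release.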

2026-01-18
PortSwigger, Info Disclosure

Source code disclosure via backup files

Backup files (.bak, .old, ~) in hidden directories can expose hardcoded credentials. Check robots.txt for /backup directories and look for files like ProductTemplate.java.bak.

2026-01-18
PortSwigger, Info Disclosure

TRACE method reveals custom headers

The HTTP TRACE method echoes the request exactly as the backend received it, so the response reveals headers that proxies or load balancers added on the way, such as X-Custom-IP-Authorization carrying the client's IP. If the backend trusts that header for IP-based access control, a client can simply send it directly (for example with 127.0.0.1) to bypass the check.
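Added example (not from the page or from PortSwigger): the comparison a TRACE probe relies on, in Python. The echoed request in a TRACE response (Content-Type: message/http) is diffed against the request we actually sent; every header that appears in the echo but not in our request was inserted by an intermediary. The TRACE response and the host name are constructed; the transport (sockets, a proxy) is left out so the logic runs offline.

```python
def parse_http_message(raw):
    """Split a raw HTTP request or response into (start_line, {lower-name: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def trace_request(host, path="/"):
    """The probe we send; kept minimal so anything extra in the echo stands out."""
    return "TRACE %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: probe\r\n\r\n" % (path, host)

def headers_added_in_transit(sent_request, trace_response):
    """Headers present in the echoed request that we never sent."""
    _, sent_headers, _ = parse_http_message(sent_request)
    _, resp_headers, echoed = parse_http_message(trace_response)
    if "message/http" not in resp_headers.get("content-type", ""):
        return {}                       # TRACE disabled or not a real echo
    _, echoed_headers, _ = parse_http_message(echoed + "\r\n\r\n")
    return {k: v for k, v in echoed_headers.items() if k not in sent_headers}

def spoof_request(host, path, injected):
    """Replay the discovered headers ourselves, e.g. claiming a loopback source address."""
    lines = ["GET %s HTTP/1.1" % path, "Host: %s" % host]
    lines += ["%s: %s" % (k, v) for k, v in injected.items()]
    return "\r\n".join(lines) + "\r\n\r\n"

# Constructed TRACE response, not captured from any real system.
TRACE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: message/http\r\n"
    "\r\n"
    "TRACE / HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "User-Agent: probe\r\n"
    "X-Custom-IP-Authorization: 203.0.113.10\r\n"
    "X-Forwarded-Proto: https\r\n"
    "\r\n"
)
```

The defensive lesson is the mirror image: a backend must only trust headers like this when the edge strips any client-supplied copy before adding its own, and TRACE should be disabled on anything facing the internet.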

2026-01-18
PortSwigger, Info Disclosure

Version control folders leak source code

Exposed .git directories allow full repository reconstruction, even without directory listing: HEAD names a ref, the ref holds a commit hash, and every object sits at a predictable path under /.git/objects/. Use tools like git-dumper to extract source code, commit history (including secrets deleted in later commits) and configs from /.git/.
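Added example (not the page's code and not git-dumper itself): the walk that such tools perform, in Python, against a tiny in-memory repository built inline. It reads HEAD, follows the ref to a commit, decompresses the commit and tree objects from their .git/objects/xx/yyyy paths and recovers the blob content, verifying each object's SHA-1 on the way. The file contents and names are constructed; swap the fetch callable for an HTTP GET of https://target/.git/<path> to use it against a real exposure.

```python
import hashlib
import zlib

def loose_object(obj_type, payload):
    """Encode a loose object the way git stores it: zlib(type SP size NUL payload)."""
    raw = b"%s %d\0" % (obj_type.encode(), len(payload)) + payload
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)

def read_loose_object(compressed, expected_sha=None):
    """Decode a loose object and check its size header and (optionally) its hash."""
    raw = zlib.decompress(compressed)
    header, _, payload = raw.partition(b"\0")
    obj_type, size = header.decode().split(" ")
    if len(payload) != int(size):
        raise ValueError("size mismatch")
    if expected_sha and hashlib.sha1(raw).hexdigest() != expected_sha:
        raise ValueError("hash mismatch")
    return obj_type, payload

def object_path(sha):
    return ".git/objects/%s/%s" % (sha[:2], sha[2:])

def build_fake_repo():
    """Constructed repo: one commit, one tree, one file with a hardcoded credential."""
    files = {}
    blob_sha, blob_obj = loose_object("blob", b"db.password=hunter2\n")
    files[object_path(blob_sha)] = blob_obj
    tree_sha, tree_obj = loose_object("tree", b"100644 config.properties\0" + bytes.fromhex(blob_sha))
    files[object_path(tree_sha)] = tree_obj
    commit_text = ("tree %s\nauthor Dev <dev@example> 0 +0000\n"
                   "committer Dev <dev@example> 0 +0000\n\nadd config\n" % tree_sha)
    commit_sha, commit_obj = loose_object("commit", commit_text.encode())
    files[object_path(commit_sha)] = commit_obj
    files[".git/refs/heads/main"] = (commit_sha + "\n").encode()
    files[".git/HEAD"] = b"ref: refs/heads/main\n"
    return files

def dump_repo(fetch):
    """HEAD -> ref -> commit -> tree -> blobs, using direct fetches only (no listing needed)."""
    head = fetch(".git/HEAD").decode().strip()
    ref = head.split("ref: ", 1)[1] if head.startswith("ref:") else None
    commit_sha = fetch(".git/" + ref).decode().strip() if ref else head
    _, commit = read_loose_object(fetch(object_path(commit_sha)), commit_sha)
    tree_sha = commit.split(b"\n", 1)[0].split(b" ")[1].decode()
    _, tree = read_loose_object(fetch(object_path(tree_sha)), tree_sha)
    recovered = {}
    pos = 0
    while pos < len(tree):                      # entries: "<mode> <name>\0" + 20-byte sha
        nul = tree.index(b"\0", pos)
        mode, name = tree[pos:nul].decode().split(" ", 1)
        sha = tree[nul + 1:nul + 21].hex()
        pos = nul + 21
        if mode.startswith("100"):              # regular file; mode 40000 subtrees would recurse
            _, content = read_loose_object(fetch(object_path(sha)), sha)
            recovered[name] = content
    return commit_sha, recovered
```

Real repositories also keep objects in packfiles (.git/objects/pack/), which is why the tools additionally parse .git/index and packed-refs; the loose-object walk above is the core idea.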

2026-01-15
Kubernetes, RBAC

Kubernetes RBAC wildcards are dangerous

A rule granting get or list on resources: ["secrets"] with no resourceNames exposes every secret in the namespace (list returns the secret contents, not just the names), and resources: ["*"] or verbs: ["*"] does the same and more. Wildcards in verbs, resources or apiGroups grant unintended access; a ClusterRole bound with a ClusterRoleBinding extends that to every namespace. Scope secret access with resourceNames where the set is known and avoid "*" entirely.
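Added example (not from the page): a Python audit over parsed Role/ClusterRole manifests that flags wildcards and any rule reaching secrets without resourceNames. The two roles are constructed, one risky and one scoped; feed it the output of kubectl get roles,clusterroles -A -o json to run it on a cluster.

```python
def audit_rbac_rules(role):
    """Return findings for one Role/ClusterRole given as a dict (a parsed manifest).

    Flags any '*' in verbs, resources or apiGroups, and any rule that reaches secrets
    (explicitly or via '*') without a resourceNames list. resourceNames cannot constrain
    'create' or 'deletecollection', so those verbs are never considered scoped here.
    """
    findings = []
    meta = role.get("metadata", {})
    scope = meta.get("namespace", "cluster-wide")
    for i, rule in enumerate(role.get("rules", [])):
        verbs = rule.get("verbs", [])
        resources = rule.get("resources", [])
        groups = rule.get("apiGroups", [])
        names = rule.get("resourceNames") or []
        unscoped = not names or "create" in verbs or "deletecollection" in verbs
        where = "%s %s (%s) rule[%d]" % (role.get("kind", "Role"), meta.get("name", "?"), scope, i)
        if "*" in verbs or "*" in resources or "*" in groups:
            findings.append("%s: wildcard in verbs/resources/apiGroups" % where)
        if ("secrets" in resources or "*" in resources) and unscoped:
            findings.append("%s: secret access (%s) with no resourceNames" % (where, ",".join(verbs)))
    return findings

# Constructed manifests for the demo.
RISKY_ROLE = {
    "kind": "Role", "metadata": {"name": "app-reader", "namespace": "prod"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get"]},
    ],
}
SCOPED_ROLE = {
    "kind": "Role", "metadata": {"name": "app-reader", "namespace": "prod"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "resourceNames": ["app-db-creds"], "verbs": ["get"]},
    ],
}
```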

2026-01-12
Containers, DevSecOps

Container images inherit vulnerabilities

Base images like ubuntu:latest can ship hundreds of known CVEs in packages the application never uses. Use minimal bases (distroless, or alpine if musl suits the workload), pin tags or better digests, and scan with Trivy or Grype in CI/CD so new findings fail the build. Rebuild on a schedule as well: a pinned image never picks up fixes on its own.
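Added example (not from the page, and not Trivy's own code): the gating step a pipeline runs over a Trivy JSON report, in Python. It fails the build on HIGH/CRITICAL findings, optionally ignoring findings with no fixed version, which is the usual compromise so that a base-image CVE the distro has not patched does not block every deploy. The report below is constructed with placeholder IDs; real input comes from `trivy image --format json -o report.json <image>`.

```python
import json

# Constructed Trivy-shaped report: the IDs and packages are placeholders, not real advisories.
SAMPLE_REPORT = json.loads("""
{
  "Results": [
    {
      "Target": "example/app:1.0 (debian 12)",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1", "InstalledVersion": "1.0.0",
         "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example-utils", "InstalledVersion": "2.3.0",
         "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example-shell", "InstalledVersion": "5.1.0",
         "FixedVersion": "5.1.1", "Severity": "LOW"}
      ]
    },
    {"Target": "app/requirements.txt", "Vulnerabilities": null}
  ]
}
""")

def blocking_findings(report, fail_on=("HIGH", "CRITICAL"), ignore_unfixed=True):
    """Findings that should fail the pipeline. 'Vulnerabilities' can be null for clean targets."""
    blocking = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in fail_on:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            blocking.append({
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v["InstalledVersion"],
                "fixed": v.get("FixedVersion") or None,
                "target": result.get("Target"),
            })
    return blocking

def ci_exit_code(report, **policy):
    """0 to let the build continue, 1 to fail it."""
    return 1 if blocking_findings(report, **policy) else 0
```

Trivy can apply the same policy itself with `--severity HIGH,CRITICAL --ignore-unfixed --exit-code 1`; keeping the logic in code is useful when findings feed a ticketing system or need per-package exceptions.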

2026-01-10
CI/CD, Secrets

Secrets in CI/CD environment variables

Environment variables in CI/CD logs can leak secrets: shell tracing (set -x), env dumps and debug output all print them. Use the platform's secret masking, avoid printing env vars in debug output, and prefer a secret manager with short-lived credentials over plain env vars. Masking is literal string matching, so a secret that is base64- or URL-encoded somewhere in the job is not recognised and ends up in the log in the clear.
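Added example (not from the page or any CI vendor): a Python log masker of the kind a pipeline wrapper or log shipper would run. It redacts known secret values and the transformed forms they commonly take (base64, URL-encoded, escaped for JSON) plus a few token shapes that are recognisable without knowing the value. The secret value and log lines are constructed; the AWS key in the test is Amazon's documented example key, not a live credential.

```python
import base64
import re
from urllib.parse import quote

# Token shapes worth masking even when the value was never registered as a secret.
TOKEN_PATTERNS = [
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                       # AWS access key id
    re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),                    # GitHub classic PAT
    re.compile(r"\beyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]{10,}\b"),  # JWT
]

def variants(value):
    """Forms a secret takes once a script has transformed it before logging."""
    forms = {
        value,
        base64.b64encode(value.encode()).decode(),
        quote(value, safe=""),
        value.replace('"', '\\"'),
    }
    return sorted(forms, key=len, reverse=True)   # longest first so no partial leaks

class SecretMasker:
    def __init__(self, known_secrets, min_length=4):
        # Very short values would blank out half the log, so they are skipped.
        self.literals = []
        for secret in known_secrets:
            if secret and len(secret) >= min_length:
                self.literals.extend(variants(secret))
        self.literals.sort(key=len, reverse=True)

    def mask(self, line):
        for literal in self.literals:
            line = line.replace(literal, "***")
        for pattern in TOKEN_PATTERNS:
            line = pattern.sub("***", line)
        return line
```

Register every secret with the masker before the job starts; values derived during the job (a token exchanged for another token) must be registered too, which is what GitHub Actions' add-mask command exists for.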

2026-01-08
Kubernetes, Hardening

Pod security context prevents privilege escalation

Setting runAsNonRoot: true (pod or container level) together with readOnlyRootFilesystem: true and allowPrivilegeEscalation: false on every container (these two exist only at container level, and a container-level value overrides the pod-level one) removes the common in-container privilege-escalation paths: running as uid 0, gaining privileges through setuid binaries, and dropping a payload onto the root filesystem. Note that allowPrivilegeEscalation defaults to true when unset, and privileged: true makes the rest irrelevant.
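Added example (not from the page): a Python check over a parsed Pod manifest that reports, per container, which of the three settings is missing or wrong, applying the inheritance rule (only runAsNonRoot can come from the pod-level securityContext) and treating an unset allowPrivilegeEscalation as the true it defaults to. The two pods are constructed; run it over kubectl get pods -A -o json in practice.

```python
# Desired values. allowPrivilegeEscalation defaults to true when unset, so "unset" is a finding.
REQUIRED = {"runAsNonRoot": True, "readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False}
# Only runAsNonRoot can be inherited from pod.spec.securityContext; the other two are
# container-level only. A container-level value always wins over the pod-level one.
POD_LEVEL = {"runAsNonRoot"}

def audit_pod(pod):
    """Return findings like 'sidecar: readOnlyRootFilesystem=unset (want True)'."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        for key, want in REQUIRED.items():
            if key in sc:
                actual = sc[key]
            elif key in POD_LEVEL and key in pod_sc:
                actual = pod_sc[key]
            else:
                actual = None
            if actual != want:
                shown = "unset" if actual is None else actual
                findings.append("%s: %s=%s (want %s)" % (c["name"], key, shown, want))
        if sc.get("privileged"):
            findings.append("%s: privileged=true overrides everything above" % c["name"])
    return findings

# Constructed manifests.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "app", "image": "example/app:1.0",
             "securityContext": {"readOnlyRootFilesystem": True}},
            {"name": "sidecar", "image": "example/sidecar:1.0"},
        ],
    },
}
HARDENED = {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
            "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {"name": "app", "image": "example/app:1.0", "securityContext": dict(HARDENED)},
            {"name": "sidecar", "image": "example/sidecar:1.0", "securityContext": dict(HARDENED)},
        ],
    },
}
```

Pod Security Admission with the restricted profile enforces these (and more) cluster-wide; the check above is for spotting gaps in manifests before they reach a cluster.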

2026-01-05
AWS, Cloud Security

AWS IMDS v1 allows SSRF to steal credentials

Instance Metadata Service v1 at 169.254.169.254 answers plain GET requests, so any SSRF can read /latest/meta-data/iam/security-credentials/<role> and walk away with temporary IAM credentials. Enforce IMDSv2 (HttpTokens=required, e.g. aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required), which only serves metadata to requests carrying a session token obtained through a PUT to /latest/api/token with the X-aws-ec2-metadata-token-ttl-seconds header; a GET-only SSRF cannot complete that step. Where workloads allow it, also set the PUT response hop limit to 1 so tokens cannot be fetched from containers behind the host's network namespace.
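Added example (not from the page and not AWS code): a Python simulation of the IMDS contract with a GET-only SSRF primitive run against it in v1 and v2 mode. The endpoint is a constructed stand-in that follows the documented behaviour (plain GET in v1; PUT-issued tokens with a 1-21600 second TTL, refused when X-Forwarded-For is present, in v2); the role name and the credential JSON are placeholders.

```python
import secrets
import time

TOKEN_TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "x-aws-ec2-metadata-token"
CRED_PATH = "/latest/meta-data/iam/security-credentials/"

class FakeImds:
    """Constructed stand-in for 169.254.169.254. require_tokens=True is HttpTokens=required."""

    def __init__(self, require_tokens):
        self.require_tokens = require_tokens
        self.tokens = {}                              # token -> expiry timestamp

    def handle(self, method, path, headers):
        headers = {k.lower(): v for k, v in headers.items()}
        if method == "PUT" and path == "/latest/api/token":
            if "x-forwarded-for" in headers:          # v2 refuses tokens to proxied requests
                return 403, ""
            ttl = int(headers.get(TOKEN_TTL_HEADER, "0"))
            if not 1 <= ttl <= 21600:
                return 400, ""
            token = secrets.token_urlsafe(32)
            self.tokens[token] = time.time() + ttl
            return 200, token
        if self.require_tokens:
            token = headers.get(TOKEN_HEADER)
            if token is None or self.tokens.get(token, 0) < time.time():
                return 401, ""
        if method != "GET":
            return 405, ""
        if path == CRED_PATH:
            return 200, "app-role\n"                  # placeholder role name
        if path == CRED_PATH + "app-role":            # placeholder credentials
            return 200, '{"AccessKeyId": "ASIAEXAMPLEKEYID", "SecretAccessKey": "EXAMPLE", "Token": "EXAMPLE"}'
        return 404, ""

def ssrf_get(imds, url):
    """The usual SSRF primitive: the attacker controls only the URL. The vulnerable app
    issues a GET with no custom headers, so it can never complete the v2 token handshake."""
    path = url.split("169.254.169.254", 1)[1]
    return imds.handle("GET", path, {})

def steal_credentials(imds):
    """Two SSRF requests: list the roles, then fetch the first role's credentials."""
    status, roles = ssrf_get(imds, "http://169.254.169.254" + CRED_PATH)
    if status != 200:
        return None
    role = roles.strip().splitlines()[0]
    status, creds = ssrf_get(imds, "http://169.254.169.254" + CRED_PATH + role)
    return creds if status == 200 else None

def legitimate_v2_fetch(imds):
    """What the SDK on the instance does: PUT for a token, then GET with it."""
    status, token = imds.handle("PUT", "/latest/api/token", {TOKEN_TTL_HEADER: "21600"})
    if status != 200:
        return status, ""
    return imds.handle("GET", CRED_PATH, {TOKEN_HEADER: token})
```

An SSRF that lets the attacker choose the method and add headers (a full request-smuggling or gopher-style primitive) can still talk IMDSv2, which is why the hop limit and least-privilege instance roles matter alongside the token requirement.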