Latest blog posts

OS command and code execution in Erlang and Elixir applications

Sometimes you need to execute commands in the OS. How can you achieve that in Erlang and Elixir, and how can you do it securely?

Here you will find information that may be of interest from both a development and an attack point of view.

XML External Entity in Erlang and Elixir

Processing XML documents requires taking into account the possibility of an XML eXternal Entity injection attack (XXE).

The vulnerability arises when an XML parser processes unverified data containing a reference to an external entity.

XXE belongs to category A4 in the OWASP Top 10 list of vulnerabilities.

In this publication, I will review how secure by default the popular XML parsers for Erlang and Elixir are.

XXE and OS command injections in Yaws

Yaws is a web server for dynamic-content web applications written in Erlang. The server includes several modules typical of web servers. As a result of my research, I found an XXE injection in a WebDAV module and an OS command injection in a CGI module.

OS command injection in Rebar3

Rebar3 is a tool widely used for building applications in the Erlang world. It is also quite dangerous: the tool can be made to execute OS commands in several different ways, some of them not intended by its developers.

Controversial certificate management using Step

The DevOps methodology implies a faster development and deployment cycle, increased reliability, and sometimes security. Many tools are appearing to occupy the security niche in DevOps.

Certificate management is a recurring infrastructure-administration task that calls for automation.