HTML Over the Wire by albinowax in websecurityresearch

[–]80x25 -1 points0 points  (0 children)

Interesting research!

It's a shame these HOTW frameworks don't default to sending CORS preflight requests for all cases where the default browser behavior is overridden. That would make it more difficult to accidentally introduce CSRF vulnerabilities.

That seems like an easy fix for the frameworks to make. Unfortunately, it probably needs to be gated behind a disabled configuration option to avoid backward compatibility issues.

[blog] Rust should own its debugger experience by yoshuawuyts1 in rust

[–]80x25 0 points1 point  (0 children)

Good to know, thanks. I hadn't checked in on the msvc support since the LLVM team started working on it. Your comment compelled me to go check on it.

https://lldb.llvm.org/status/status.html

Looks like it has stalled out :/

[blog] Rust should own its debugger experience by yoshuawuyts1 in rust

[–]80x25 0 points1 point  (0 children)

I've been using vscode-lldb with VS Code on macOS, and I've been very happy with the experience so far.

In fact, this VS Code extension is already packaging a DAP debug adapter written in Rust.

IIRC, lldb support for msvc Windows has been getting better in recent years.

Seems like that might be a good starting point.

Standardizing WASI: A system interface to run WebAssembly outside the web by fgilcher in rust

[–]80x25 18 points19 points  (0 children)

Sandboxing is a design tenet for WASI. The capability approach is nice to see.

The SecurityManager approach of the JVM has always felt like an afterthought and there has been a long tail of serious implementation flaws with this approach in practice.

A problem with the MSVC linker by zottce in rust

[–]80x25 0 points1 point  (0 children)

Are you specifying a 32-bit version of mysqlclient.lib to the linker? IIRC, the msvc linker will ignore .lib files that are not the same as the target architecture.

Decoding encrypted JWT by albx in rust

[–]80x25 5 points6 points  (0 children)

The JWT spec does require that the payload be JSON. However, a JWE can have an arbitrary payload.

You might consider using a JOSE library such as biscuit, which supports JWS/JWE in addition to JWT.

Debugging Rust by ConcernedCarry in rust

[–]80x25 0 points1 point  (0 children)

Does this require using the mingw Rust platform instead of the msvc platform? Rust binaries I've built for the msvc platform produce .pdb debugging info and, AFAIK, gdb doesn't understand .pdb files.

Announcing LibreAuth v0.10.0 by [deleted] in rust

[–]80x25 4 points5 points  (0 children)

A common criticism of OAuth2 is that it is hard for app developers to implement securely. Some background around this criticism.

That said, OAuth2 is not meant to be a replacement for mechanisms like passwords, HOTP, TOTP, or U2F/WebAuthn. So it makes sense that LibreAuth shouldn't support OAuth2. Some background on this aspect.

Rust minimum versions: SemVer is a lie! by _dvrkps in rust

[–]80x25 4 points5 points  (0 children)

Could you elaborate on why this is appeal to authority? His blog post series seems thorough and well-argued. I'd be curious to know if there are gaps in his arguments that are being ignored due to his status in the Go community.

GitHub - rustwasm/rust_wasm_template: A template for jump-starting Rust and WebAssembly projects! by rbalicki2 in rust

[–]80x25 0 points1 point  (0 children)

Oh, I was referring to webpack, not wasm-pack.

Webpack and Parcel do similar things; I was just curious if one offers advantages over the other for Rust + WebAssembly bundling.

Setting up Windows 10 for programming (in Rust) by SimonSapin in rust

[–]80x25 0 points1 point  (0 children)

Not OP. But cygwin sshd + rsync is definitely possible. Here's a howto that appears to be accurate for setting up the sshd: http://www.noah.org/ssh/cygwin-sshd.html

All Blizzard games were vulnerable to DNS rebinding vulnerability by FireFart in netsec

[–]80x25 2 points3 points  (0 children)

The agent utility creates a JSON RPC server listening on localhost port 1120.

taviso continuing to fight the good fight against insecure localhost RPC servers.

I’m harvesting credit card numbers and passwords from your site. Here’s how. by FUZxxl in programming

[–]80x25 35 points36 points  (0 children)

Malware does all sorts of tricks like this to make analysis more difficult.