Hello again,
It’s been a while since I took the time to put a thing on here. I thought I’d try and give a short update on what I’ve been up to the last few months.
After having spent a stressful set of months filled with a tight schedule of back-to-back audits, I took a short vacation to attempt to recharge my batteries.
I’m pretty bad at distancing myself from work, and I don’t like touching grass all that much either. So instead of recharging my batteries, I’ve once again decided to dive into an exploratory research project. If you’re unaware, back in 2022 I spent roughly three months diving into the WordPress plugin ecosystem to find some hard hitting vulnerabilities. You can read that post here.
So… instead of recharging my batteries, I of course got bored and decided to look for a research project instead. Just a few weeks before my vacation started, we were tasked with auditing custom-built Atlassian plugins; this was an ideal excuse to dive deeper into the Atlassian plugin ecosystem. For one, I wanted to improve my understanding of the plugin structure, their capabilities and shortcomings 1.
The result of our research was posted in a two-part series, which you can read here and here.
It’s been pretty fun learning about the ecosystem, how plugins work in detail and toying around with bite-sized web apps to analyze. Another great aspect of learning about the ecosystem and looking at plugins is that I’m improving my web application security skills (doing that for work) and at the same time, helping devs secure their god-awful plugins in the process!
Most of the relevant technical details are located in the two-part blog series, so please read those if you’re interested! Unfortunately, the disclosure process felt like an absolute shitshow 2, which I may or may not write about in the future after having regained the energy to do so.
Anyway.
Work has picked up yet again, and it’s back to auditing more things!
’til next time, hopefully soon.