Attacking Language Server JSON RPC

While auditing a VSCode Extension + Language Server I noticed something interesting. This turned into the research question "can we attack the extension from the browser?". After a bit of preliminary research I decided to do it again on stream, and eventually made this video. This is what security research can look like.

Chapters:
00:00 - Why Security Research?
01:23 - What is a Language Server?
02:53 - Setup Example Code
04:00 - RCE in VSCode Extension?
05:25 - The Language Server Code
06:29 - Researching Communication
11:13 - Can a Browser Attack the VSCode Extension?
13:54 - Research Results
15:40 - Ad n' Outro

Comments

There's no failed research, just fruitless attempts. And I learned a bit about the language server protocol too

Dominik-K

This reminds me of a project I was involved in for the past couple of weeks. Review of source code, really did a deep dive into it. Thousands of class files, going from broad architecture all the way to functional implementation. The final verdict? "Looks good, ship it"

Just because you try really hard to find a vuln doesn't always mean there is one to find.

MechMK

that was awesome, ty
showed me that research is not always/doesn't need to always be fruitful, and now thinking about it I feel much better 😁

sadDota

It isn't even fruitless. You checked it, found no vulnerabilities, gained knowledge about VsCode Extensions.
Nice work! 👍

geraldschittenhelm

Great work - I don't regard the *research* as a failure; merely one avenue for exploitation is not seemingly possible - and that itself is a good result to communicate or at least know about.

logiciananimal

It would be cool to do such content more often live and upload the recordings to the second channel.
A good reminder that research is when you fail significantly more times than you succeed

alexanderdell

Learning what fails is often as important as learning what succeeds.

znxster

I love this video, it was a great way of showing even failed research can teach us a lot.

tajsec

In the on screen text at around 7:30 you wrote the word mess twice!

Amazing video though, incredibly informative and deep information :) I appreciate your work!

somesalmon

Great and very realistic showcase about how (security) research goes. Good job!

AndreasWilfer

I'm currently writing vscode language support for my own language, so this is very interesting

till

This channel and your content are very helpful in understanding how to go about security research and finding bugs. I have one question though: Are there any tools to identify how client applications communicate with servers without looking at the code? (Or if the client app code is not available)

sirishakotikalapudi

14:13 Could you write the second message in the body of the first message? The first message's HTTP body would be:

123

{malicious-request}

strager_

Wow, you just blew my mind with the solution to the problem at 13:20! 😃
I even paused to try and come up with my own idea, but didn't realize such a simple trick is enough...

Isti

This is not the first video of this channel about language servers. In the video "Google Paid Me to Talk About a Security Issue!" it is explained how a language server with hacker-controlled code can be used to execute code.

testtest-xzec

I’m thinking about making a similar video in documentary format

RealCyberCrime

Thank you for posting this type of process! Learned a lot, and hopefully will be able to do research myself one day, thanks for all the quality content.

Idkwtmmythandle

It's pretty cool to learn how the protocol works

dunste

You tried Chrome for pipelining, but several other browsers still have it. Also, wouldn't multiplexing work just as well?

anon_y_mousse

Oh this sparked my interest in vscode extensions. Definitely on my list of things to play around with some time.

notapplicable