Include Security Research Blog

Dependency Confusion Vulnerabilities in Unity Game Development

April 30, 2021 — Jason Kielpinski

The Unity game engine has a package manager which allows packaged code and assets to be imported into a game, with dependencies automatically handled. Originally this was used only for Unity-produced packages, such as the GUI system. Later Unity began allowing private registries so that game studios can maintain their own internal packages. The IncludeSec research team found that the previous advice to Unity game developers to stand up their own package manager left them vulnerable to dependency confusion by default.

New School Hacks: Test Setup for Hacking Roku Channels Written in Brightscript

March 30, 2021March 30, 2021 — IncludeSec

We were recently asked by one of our clients (our day job at IncludeSec is hacking software of all types) to take a look at their Roku channel. For those unfamiliar Roku calls apps for their platform “channels”. We haven’t seen too many Roku channel security reviews and neither has the industry as there isn’t … Read more

Dependency Confusion: When Are Your npm Packages Vulnerable?

March 9, 2021February 18, 2021 — Nick Fox, Tech Review by Juan Picado (Verdaccio) and Jason Kielpinski

This post follows up on the recent blog post by Alex Birsan which highlighted serious problems with how some programming language package managers (npm, RubyGems, and Python’s pip) resolve and install dependencies. Alex described possible causes for pip and RubyGems, but the details regarding npm were a bit less clear so we sought to help … Read more

Custom Static Analysis Rules Showdown: Brakeman vs. Semgrep

February 18, 2021January 20, 2021 — by Jason Kielpinski (Tech Reviewers: Justin Collins, Erik Cabetas, Clint Gibler)

In application assessments you have to do the most effective work you can in the time period defined by the client to maximize the assurance you’re providing. At IncludeSec we’ve done a couple innovative things to improve the overall effectiveness of the work we do, and we’re always on the hunt for more ways to … Read more

Announcing RTSPhuzz — An RTSP Server Fuzzer

February 17, 2021June 15, 2020 — IncludeSec

There are many ways software is tested for faults, some of those faults end up originating from exploitable memory corruption situations and are labeled vulnerabilities. One popular method used to identify these types of faults in software is runtime fuzzing. When developing servers that implement an RFC defined protocol, dynamically mutating the inputs and messages … Read more