Team Research blog
The Include Security team takes a foray into the world of audio production equipment in our latest blog post. We look under the hood of a professional-grade audio mixer to explore its security profile, consider how its functionality could be leveraged by an attacker in a real world setting, and develop a proof-of-concept exploit to demonstrate quick n’ easy privilege escalation.
In this post we consider how to think about the attack surface of applications leveraging LLMs and how that impacts the scoping process when assessing those applications. We discuss why scoping matters, important points to consider when mapping out the LLM-associated attack surface, and conclude with architectural tips for developers implementing LLMs within their applications.
Include Security’s latest blog post covers Cross-Site WebSocket Hijacking and how modern browser security features do (or don’t) protect users. We discuss Total Cookie Protection in Firefox, Private Network Access in Chrome, and review the SameSite attribute’s role in CSWH attacks. The post includes a few brief case studies based on situations encountered during real world testing, in addition to a simple test site that can be hosted by readers to explore each of the vulnerability conditions.
In our team’s latest blog post, we build a few examples that showcase ways in which memory corruption vulnerabilities could manifest in Delphi code despite being included in a list of “memory safe” languages within a paper published by the NSA. We cover how compiler flags and dangerous system library routines could affect memory safety while demonstrating Delphi stack/heap-based overflow examples and conclude with a few tips for developers to avoid introducing memory vulnerabilities in their Delphi code.
Join us as we explore seemingly safe but deceptively tricky ground in Elixir, Python, and the Golang standard library. We cover officially documented, or at least previously discussed, code functionality that could unexpectedly introduce vulnerabilities. Well-documented behavior is not always what it appears!