Spring4Shell: Spring Remote Code Execution Vulnerability

Spring unauthenticated RCE via classLoader manipulation

(Photo by Emile Perron on Unsplash)

A critical zero-day vulnerability in the Spring framework was recently reported to Spring’s maintainer, VMWare. The vulnerability is an unauthenticated remote code execution vulnerability that affects Spring MVC and Spring WebFlux applications. You can find the CVE here: https://tanzu.vmware.com/security/cve-2022-22965.

What is affected?

The ...
Angular + React: Vulnerability Cheatsheet

The most common vulnerabilities to look out for in Angular and React applications: template injection, XSSI, authentication bypass, and more.

(Photo by Lautaro Andreani on Unsplash)

Securing applications is not the easiest thing to do. An application has many components: server-side logic, client-side logic, data storage, data transportation, API, and more. With all these ...
Announcing the AppSec Ambassador Program

Passionate about securing software? Become an AppSec Ambassador!

(Photo by Emmanuel Ikwuegbu on Unsplash)

Interested in helping developers write secure code from the start? ShiftLeft has launched a program to support you in the mission of helping your community write secure code. We will be financially supporting conference speakers, content creators, and infosec influencers. Read ...
Node.js Vulnerability Cheatsheet

25 vulnerabilities to look out for in Node JS applications: Directory traversal, prototype pollution, XSSI, and more…

(Photo by Greg Rakozy on Unsplash)

Securing applications is not the easiest thing to do. An application has many components: server-side logic, client-side logic, data storage, data transportation, API, and more. With all these components to secure, ...
Networking and growing your career in infosec with Vandana Verma

OWASP leader Vandana’s tips for navigating your career in infosec

Our guest today, Vandana, holds a lot of impressive titles. She is the Chair of the OWASP Global Board of Directors, and she also leads multiple infosec Diversity Initiatives like InfosecGirls. But how did she get from an infosec newbie to the leader ...
What is insecure deserialization?

Getting to know a critical vulnerability that affects Java, Python, and other common programming languages.

(Photo by Jiawei Zhao on Unsplash)

As a penetration tester, there are few vulnerabilities that fascinate me more than insecure deserialization. Insecure deserialization bugs are very critical vulnerabilities: an insecure deserialization bug will often result in remote code execution, ...
Hacking and Securing Python Applications

27 vulnerabilities to look out for in Python applications: Arbitrary file writes, directory traversal, deserialization, and more…

(Photo by Hitesh Choudhary on Unsplash)

Securing applications is not the easiest thing to do. An application has many components: server-side logic, client-side logic, data storage, data transportation, API, and more. With all these components to secure, ...
Social responsibility in infosec with Chloé Messdaghi

Discussing environmental and social issues in infosec with ESG researcher Chloé Messdaghi

Every single business, including the ones in cybersecurity, is intertwined with social issues and concerns. Chloé Messdaghi is a strategy consultant and ESG researcher who provides Environmental, Social, and Governance consulting to businesses. Today, I sit down with Chloé to ...
Looking back on the Log4j Weekend

Lesson learned, and what we can expect going forward

(Photo by Math on Unsplash)

By now you’ve probably already heard of the name “Log4j”.

What happened

Late November this year, a Chinese researcher named Chen Zhaojun privately disclosed to Log4j maintainers that version 2 of Log4j contains a critical vulnerability that allows unauthenticated remote code execution (RCE) ...
Log4Shell: Apache Log4j Remote Code Execution

Unauthenticated RCE in critical Java logging utility Log4j

On 9 December 2021, Apache disclosed that the Log4j 2 utility contains a critical vulnerability that allows unauthenticated remote code execution (RCE), a serious issue that impacts a large number of applications.

This post is coauthored by Chetan Conikee, Fabian Yamaguchi, and Katie Horne.

What is affected?

Log4j ...