Remote debugging NodeJS apps

When you want to debug an application in an environment which is hard to replicate locally and/or you cannot install additional software on the machine it is running on, remotely connecting a debugger might be a good option to find out what’s going (wr)on(g). Let’s have a look at how we can remotely debug a NodeJS application. I will use VSCodium as the debugging client, but there are certainly other options that work equally well (you could even use the built-in minimal debugger with node inspect host:port). ...

April 19, 2022

Monitor websites and detect when cron jobs and scheduled tasks are not running

TL;DR Want to monitor your websites or get notified when your cron jobs or scheduled tasks are not running when they are supposed to run? Check out https://allgood.systems. For quite some time I was planning to build some piece of software that notifies me when a web app goes down, returns unexpected results, or changes content. In addition, since it’s often hard to keep track of all the background jobs that are running, I needed and wanted something that informs me when my services stop (!) doing what they are supposed to do in regular intervals (which is often detected much later and in turn makes recovery/clean-up much harder). ...

April 9, 2022

Info leaks via buffered output on HTTP redirects

Writing data to the output buffer before deciding that the response to the current HTTP request should actually be a redirect (for example when an unauthenticated user is not allowed to access some content) is an issue not exclusive to PHP but a relatively easy mistake to make in this environment. After not having been exposed to PHP in quite a while, I recently did a security assessment of a PHP application again. During the test this exact issue popped up again, so I want to give a short description of how and why this can lead to information leaks. ...

February 21, 2022

CVE-2021-44147: XML External Entity Vulnerability in Claris FileMaker

A couple of months ago I looked more deeply into the “Import Records” functionality in FileMaker, especially the XML parsing, and was wondering if any XXE vulnerability may exist and how one could exploit this in technically interesting ways. The vulnerability is/was indeed there and can lead to local file disclosure and server-side request forgery in various components of the FileMaker platform. The following is a description of the vulnerability including potential exploitation paths. ...

November 18, 2021

Dockerfile Entrypoint: "file not found"

I was working with a fairly simple Dockerfile, defining an entrypoint and always got a “not found” error when trying to run the container. My Dockerfile looked something like this:

    FROM python:3.9-alpine
    [...]
    WORKDIR /app
    COPY . /app
    RUN ["chmod", "+x", "./entrypoint.sh"]
    ENTRYPOINT ['./entrypoint.sh']

Building the image worked without issues, but running the container was giving me the mentioned error:

    $ docker build -t what/ever:latest [...]
    $ docker run --rm what/ever:latest
    /bin/sh: [./entrypoint.sh]: not found

I made sure that my entrypoint.sh file actually existed by overriding the entrypoint and inspecting the container: ...

November 9, 2021