Its long been a classic to abuse accidentally exposed file-descriptors through `/proc/self/fds` to break out of sandboxes, so its kinda fun to see a similar sort of bug impacting Docker. and enabling a container break-out either at run-time or during build time.
Andrea Menin brings us a great find with a deviously simple WAF bypass. The core bug belongs to ModSecurity and the variables it exposes to be used by the various rulesets others have created.
This vulnerability impacts kubernetes setups using NGINX as the ingress controller via [ingress-nginx](https://github.com/kubernetes/ingress-nginx). At first I wanted to blame this one on block-listing when they should have used an allow-list, but its not quite that, but it is basically just a missed edge-case that allows for code execution.
Orca Security presents a privilege escalation method in Azure environments, its nothing to crazy, but atleast worth taking note of.the first concept to understand are Azure Storage Account keys, when you first create a storage account, by default Azure generates a couple 512-bit storage account access keys that can be used to access the account...
A look at how logging attacker controlled data can be problematic in Azure Pipelines to potentially gain code execution and access to sensitive environment variables.
At its core, we have a simple mistake that can be made pretty easily on all of the cloud platforms though this post focuses in on Azure App Services and Azure Functions.Being able to easily add authentication to your apps on either is nice, but they can easily be misconfigured...
A bit of research on leaking access tokens from OAuth2/OIDC flows, in all cases you already need a cross-site scripting vulnerability to exist on the host recieving the callback, it does present an interesting case of escalating two often unimportant issues, a self-XSS and a Login CSRF, into an account takeover though.
Cool, yet simple finding from the DataDog security team where calls to an undocument `iamadmin` service would also not appear in CloudTrail logs but could reproduce the functionality of several standard IAM service methods.
A cool bug that can inject a new user with controlled SSH key into a compute instance and the request doing this can be reached via a GET request with no anti-CSRF token.
This blogpost is essentially using a previous sandbox escape they discovered against Backstage, which is Spotify's incubated solution for managing infrastructure and microservices and such.Backstage includes software templates, which can contain ` message` parameter that gets rendered in Nunjucks (a JS templating engine)...