Vulnerability Research Highlights 2024

Paul Gerste

Vulnerability Researcher

  • Security

With more and more code generated by humans and AI, keeping track of its security remains a top priority. This doesn't get easier as developers have to deal with a constantly increasing variety of frameworks, technologies, and configurations. At the same time, attackers aren't sleeping and find new ways to carry out their attacks, steal sensitive data, and deploy malware.


To help deal with all this code and complexity, we at Sonar are continuously improving our static code analyzers to help developers keep the upper hand. Our research team supports this by scanning for vulnerabilities in popular open-source software, auditing the findings, and pushing further with manual research.


We use the insights gained from our research to improve Sonar’s security analyzers, helping our users identify vulnerabilities and weaknesses in their code before they reach production. When we find security issues, we responsibly disclose them to the vendors to protect the community and users of the respective applications. We also publish our findings as blog posts and talks to help developers and security teams learn about these vulnerabilities, their impact, and how to fix them.


Let’s have a look at our research highlights for the year 2024!

Conferences and Talks

To keep up with the latest security research and share our knowledge, we enjoy attending security conferences around the world. It is always a pleasure to meet fellow researchers, discuss novel topics, and get inspired by others.



We were honored to share the results of our research at renowned conferences in 2024, including the following:


DEF CON 32


Hexacon 2024


TROOPERS24


Insomni'hack 2024


Awards

After being nominated in each of the past three years, we were excited to be nominated once again for the Pwnie Awards 2024! These awards have a long history and honor exceptional achievements in security research. This year, the Pwnie Awards moved away from Black Hat USA and were held at DEF CON.


We were nominated in the Most Underhyped Research category for Dangerous Import: SourceForge Patches Critical Code Vulnerability, a vulnerability in Apache Allura, the software powering SourceForge. Although we did not win the award, the nomination was a great honor for us again, and we congratulate all winners!


However, we did win the Jenkins Security MVP award! It was awarded for two vulnerabilities we reported in Jenkins that would have allowed attackers to steal files or execute code on a vulnerable Jenkins server. The Jenkins team also mentioned that our advisory and collaboration were exemplary, which is always great to hear!

Trends and Discovered Vulnerabilities

When choosing open-source applications for vulnerability research, we prefer active and widely deployed projects, so that our findings benefit as many users as possible. These are usually big and complex code bases, and hence harder to analyze with traditional SAST techniques, which also makes them excellent realistic benchmarks for our analyzers. It also means that finding something is a challenge, because more community members and professionals have already looked at the code.


We are excited that in 2024, our team found and reported critical vulnerabilities in some of the most popular applications across different domains and major programming languages:

Developer Tools

We continued our mission to secure developer tools, which we started three years ago. This time, we focused on CI/CD platforms and code forges. These are critical systems for everyone who writes code, as code is often a company's most valuable asset.


Jenkins is an open-source automation server used by millions of developers. We found a Path Traversal vulnerability that allowed attackers to leak sensitive information and, in some cases, even execute code.


SourceForge is a long-standing code hosting platform powered by Apache Allura. We found a vulnerability that allowed reading files via file URLs, which attackers could have abused to fully compromise SourceForge.


Gogs is a self-hosted alternative to SourceForge or GitHub written in Go. While investigating its code, we found multiple Argument Injection vulnerabilities that allow attackers to compromise a Gogs instance.
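To make the Argument Injection class concrete, here is an added example (not code from Gogs or from our advisory) of the pattern that causes it and of the check that closes it. It assumes a hypothetical feature that runs `git log` on a branch name taken from a request; the repository path and the ref-name allowlist are constructed for the demo. The point it makes: avoiding the shell is not enough, because git's own option parser still sees a value that starts with `-`.

```python
from __future__ import annotations

import re
import subprocess

# Constructed approximation of git's ref-name rules (see `git check-ref-format`):
# must not start with '-', must not contain '..', only a conservative character set.
# It is an allowlist for this demo, not git's complete grammar.
_REF_NAME = re.compile(r"(?!-)(?!.*\.\.)[A-Za-z0-9][A-Za-z0-9._/-]*")


def git_log_argv_vulnerable(repo_dir: str, ref: str) -> list[str]:
    """Untrusted ref name goes straight into argv.

    shell=False is not a defense here: the shell never sees this, but git's own
    option parser does, and it treats '--output=/tmp/x' as an option, not a ref.
    """
    return ["git", "-C", repo_dir, "log", "--oneline", ref]


def git_log_argv_hardened(repo_dir: str, ref: str) -> list[str]:
    """Validate the ref against an allowlist before it reaches argv, and put '--'
    after it so git does not confuse it with a pathspec either."""
    if not _REF_NAME.fullmatch(ref) or ref.endswith(("/", ".lock")):
        raise ValueError(f"refused ref name: {ref!r}")
    return ["git", "-C", repo_dir, "log", "--oneline", ref, "--"]


def ref_is_accepted(ref: str) -> bool:
    """True if the hardened builder would accept `ref`."""
    try:
        git_log_argv_hardened("/srv/repo", ref)
    except ValueError:
        return False
    return True


def run_git_log(repo_dir: str, ref: str) -> str:
    """Run the hardened command and return its stdout (raises on git errors)."""
    argv = git_log_argv_hardened(repo_dir, ref)
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    hostile = "--output=/tmp/pwned"
    print("vulnerable argv:", git_log_argv_vulnerable("/srv/repo", hostile))
    for candidate in ("main", "feature/login-v2", hostile, "main..dev", "-x"):
        print(f"{candidate!r:>22} accepted={ref_is_accepted(candidate)}")
```

Note that `--` is placed after the ref, not before it: for `git log`, everything after `--` is a pathspec, so a leading `--` would silently turn the branch name into a path filter. The leading-dash check is therefore the part that actually stops option injection; the `--` only removes the ref/path ambiguity.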

Front-End Security

Regardless of the back-end technology stack, every web application has a front end that runs in a web browser. This means that front-end security topics are very relevant and widely applicable. In 2024, we put a focus on finding such bugs, educating developers on their dangers, and researching novel techniques.


Charset Sniffing Attacks are a new class of attacks we discovered this year. HTTP content types are well understood, but what about their charsets? In our blog post, we show two novel techniques that involve forcing the browser to use a specific charset to bypass existing mitigations and achieve XSS.
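The mechanism behind such attacks is a charset differential: the same bytes mean one thing to the server-side escaper and another thing to a browser that has settled on a different charset. The following added example (constructed for this post, not code from the blog post linked above or from any affected product, and not a reproduction of the two techniques described there) shows one well-known differential: in ISO-2022-JP, the escape sequence `ESC ( J` switches to JIS X 0201 Roman, where byte 0x5C decodes as a yen sign instead of a backslash. A server template that relies on backslash escapes then loses its protection. The template, the escaper and the payload are all assumptions made for the demo.

```python
from __future__ import annotations

# Constructed demo, not code from the blog post or from any affected product.
# ISO-2022-JP escape sequence ESC ( J designates JIS X 0201 Roman into G0. In that
# charset byte 0x5C decodes to U+00A5 (YEN SIGN) instead of '\', so an attacker who
# can make the browser pick ISO-2022-JP turns every backslash escape into a plain character.
SWITCH_TO_JIS_ROMAN = "\x1b(J"

TEMPLATE_PREFIX = '<script>var user = "'
TEMPLATE_SUFFIX = '";</script>'


def escape_js_string(value: str) -> str:
    """Backslash-escaping for a double-quoted JS string literal, as a typical
    server-side escaper does it. Note that ESC (0x1B) is left untouched."""
    return (value.replace("\\", "\\\\")
                 .replace('"', '\\"')
                 .replace("<", "\\x3c")
                 .replace("\n", "\\n"))


def render_page(untrusted: str) -> bytes:
    """Template that embeds an untrusted value in a JS string, with no charset declared."""
    return (TEMPLATE_PREFIX + escape_js_string(untrusted) + TEMPLATE_SUFFIX).encode("utf-8")


def render_page_hardened(untrusted: str) -> tuple[dict[str, str], bytes]:
    """Same template, but the charset is pinned in the header and in the document,
    and the ESC control character is dropped before escaping."""
    cleaned = untrusted.replace("\x1b", "")
    body = ('<!doctype html><meta charset="utf-8">'
            + TEMPLATE_PREFIX + escape_js_string(cleaned) + TEMPLATE_SUFFIX)
    return {"Content-Type": "text/html; charset=utf-8"}, body.encode("utf-8")


def decode_as(page: bytes, charset: str) -> str:
    """What the browser works with once it has settled on `charset`."""
    return page.decode(charset)


def js_literal_is_intact(rendered: str) -> bool:
    """Scan the rendered script like a JS tokenizer would: the first unescaped '"'
    after the opening delimiter must be the template's own closing delimiter."""
    i = rendered.index(TEMPLATE_PREFIX) + len(TEMPLATE_PREFIX)
    while i < len(rendered):
        if rendered[i] == "\\":
            i += 2          # backslash escape: skip the escaped character
        elif rendered[i] == '"':
            return rendered[i:] == TEMPLATE_SUFFIX
        else:
            i += 1
    return False


# Constructed attacker input: flip the charset state, then break out of the string.
PAYLOAD = SWITCH_TO_JIS_ROMAN + '";alert(document.domain)//'

if __name__ == "__main__":
    page = render_page(PAYLOAD)
    for charset in ("utf-8", "iso2022_jp"):
        text = decode_as(page, charset)
        print(f"{charset:>10}: intact={js_literal_is_intact(text)}  {text!r}")
```

Decoded as UTF-8 the string literal survives, because `\"` is still an escaped quote. Decoded as ISO-2022-JP the same bytes read `¥"`, the quote closes the literal, and the rest of the payload runs as JavaScript. Python's `iso2022_jp` codec implements the same switch a browser applies, which is what makes this reproducible offline. The hardened variant pins the charset in both the `Content-Type` header and a `<meta charset>` tag and strips the ESC control character, so neither sniffing nor an attacker-supplied escape sequence can move the browser away from UTF-8.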


HTML Sanitization is vital to the security of many web applications. However, it is prone to subtleties that make it easy to understand but hard to master. In a blog post accompanying our talk at OWASP Global AppSec SF, we explain why server-side HTML sanitization is doomed to fail.


Cross-Origin Resource Sharing (CORS) has been part of the web platform for a long time, but we continue to see CORS misconfigurations cause trouble. In Whistle, we found a case of origin reflection that led to code execution on the victim's machine.
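Origin reflection is easy to spot once you see the three handler variants side by side. The following is an added example written for this post (it is not Whistle's code and does not reproduce the Whistle bug): a reflecting handler, a suffix-matching handler that looks safer but is not, and an exact-match allowlist. The origins, the allowlist and the `browser_allows_credentialed_read` helper, which models the check a browser applies to a credentialed `fetch()`, are all constructed for the demo.

```python
from __future__ import annotations

from typing import Optional

# Constructed allowlist for the demo: exact origins, scheme included.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def cors_reflect(origin: Optional[str]) -> dict[str, str]:
    """Vulnerable: echoes whatever Origin the request carries and allows credentials,
    so a page on any site can make the victim's browser read authenticated responses."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_suffix_match(origin: Optional[str], trusted_suffix: str = "example.com") -> dict[str, str]:
    """Still broken: 'https://evil-example.com' ends with 'example.com'."""
    if origin is None or not origin.endswith(trusted_suffix):
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_allowlist(origin: Optional[str], allowed: frozenset[str] = ALLOWED_ORIGINS) -> dict[str, str]:
    """Hardened: exact-match allowlist, credentials only for listed origins,
    and Vary: Origin so caches never serve one origin's answer to another."""
    if origin is None or origin not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def browser_allows_credentialed_read(response_headers: dict[str, str], page_origin: str) -> bool:
    """The check a browser applies to fetch(url, {credentials: "include"}) issued
    from `page_origin`: ACAO must equal the page origin exactly ('*' is rejected
    when credentials are involved) and ACAC must be the literal 'true'."""
    return (response_headers.get("Access-Control-Allow-Origin") == page_origin
            and response_headers.get("Access-Control-Allow-Credentials") == "true")


if __name__ == "__main__":
    cases = (("reflect", cors_reflect, "https://attacker.example"),
             ("suffix", cors_suffix_match, "https://evil-example.com"),
             ("allowlist", cors_allowlist, "https://evil-example.com"))
    for name, handler, attacker in cases:
        leaked = browser_allows_credentialed_read(handler(attacker), attacker)
        print(f"{name:>9}: page on {attacker} can read authenticated responses = {leaked}")
```

Two details are worth keeping in mind when reviewing real handlers: the literal origin `null` (sandboxed iframes, `file://` pages) must never be allowlisted, and `Vary: Origin` is not optional once the response differs per origin, otherwise a shared cache can hand one origin's `Access-Control-Allow-Origin` to another.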

Email

Email continues to be an important part of everyone's communication, especially in the professional world. After focusing on privacy-oriented mailers in the previous year, we returned to classic webmailers in 2024. From cross-site scripting, to code execution on the server, to the takeover of a mail client, we showed that email security continues to be a concern.


Roundcube is a popular webmail solution used by companies, universities, and more. We discovered bugs in Roundcube's HTML sanitizer which led to XSS vulnerabilities. Attackers could have leveraged these to steal emails or impersonate victims.


Mailcow is an easy-to-use email solution with various features, including a web mailer and an admin panel. We discovered that an admin's session could be compromised just by viewing a malicious email due to an XSS vulnerability. Attackers could have combined this with a Path Traversal bug to execute arbitrary code on the server, allowing persistent access to all email traffic on a vulnerable Mailcow instance.
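Path Traversal shows up twice in this year's highlights, in Jenkins and in Mailcow. As an added example of the bug class (constructed for this post; it is not the code of either project and does not reproduce either bug), here is the unchecked pattern next to a containment check. The base directory and the candidate paths are assumptions for the demo and do not need to exist on disk.

```python
from __future__ import annotations

import os


def resolve_unchecked(base_dir: str, user_path: str) -> str:
    """Vulnerable: os.path.join walks out of base_dir through '..' segments and
    discards base_dir altogether when user_path is absolute."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def resolve_within(base_dir: str, user_path: str) -> str:
    """Hardened: canonicalise both sides (symlinks included) and require the
    result to stay inside base_dir; reject everything else."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath compares path components, so '/srv/attachments-old' is not
    # mistaken for something inside '/srv/attachments' the way startswith() would.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"{user_path!r} resolves outside {base!r}")
    return target


def is_contained(base_dir: str, user_path: str) -> bool:
    """Convenience wrapper around resolve_within for yes/no decisions."""
    try:
        resolve_within(base_dir, user_path)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    base = "/srv/attachments"     # constructed; the directory need not exist for the checks
    for candidate in ("2024/invoice.pdf", "a/../b.txt", "../../etc/passwd",
                      "/etc/passwd", "../attachments-old/x"):
        print(f"{candidate!r:>22}  unchecked -> {resolve_unchecked(base, candidate):<32}"
              f" contained={is_contained(base, candidate)}")
```

Two caveats apply in real code: decode the value first (URL-encoding such as `%2e%2e` must not reach the check as an encoded string), and if the directory contains attacker-controlled symlinks, open the file and re-check the resolved path of the open descriptor, since `realpath` followed by `open` is a check-then-use window.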


Mailspring is an open-source email client that users can run as a native application on their machine. Since it is based on Electron, it is prone to many of the same vulnerabilities as its webmail cousins. In our research, we found an XSS issue that not only allowed an attacker to steal emails but also execute code on the victim's machine!

CMS & Management Software

Companies need to manage all their information and assets, from content to tickets to customers. That's why we continued to examine different kinds of management software that hold business-critical information.


Joomla is a big name in the CMS space and has been around for decades. We found a vulnerability that allows XSS attacks on Joomla, but the bug actually resided in the code of the underlying programming language, PHP! 


osTicket is an open-source helpdesk software that, by design, allows anyone to create tickets. We found an XSS vulnerability that attackers could have abused by opening a malicious ticket in order to leak sensitive internal data.


Erxes is an open-source experience management solution that consists of several microservices. With the help of SonarQube, we detected multiple vulnerabilities that could have allowed attackers to take over a vulnerable instance.

What's next?

Looking back at 2024, we are proud of what we achieved and excited to start the next year. Our pipeline is already filled with some great research that we will publish once disclosure is finished. To stay up-to-date, you can follow our research team on Twitter/X or Mastodon.


On behalf of Sonar, we wish you a happy new year and a safe start to 2025!



© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.