Saturday April 5, 2025 11:00am - 11:25am EDT
Ever wonder if path traversal bugs are a thing of the past? In this talk, we'll see how one advisory led me to discover multiple vulnerabilities across various open-source projects. I'll walk through how I tested both unprotected and “defended” systems, collaborated with maintainers on fixes (sometimes writing the fixes myself), and uncovered weaknesses in the sanitizers those projects relied on. Expect practical tips, lessons learned, and ideas for better security reporting so you can spot and fix path traversal flaws before they become major issues.

The talk is structured as follows:
1. Why Path Traversal Still Matters: Brief look at ongoing threats and OSS security gaps.
2. Discovering Real Vulnerabilities: Quick case studies of path traversal bugs in popular open-source software that I found and also helped fix (the fix matters more than the find).
3. Lessons from “Defended” Systems: How built-in sanitizers failed and how bypasses were found in more OSS projects.
4. Fuzzing & Patching: A snapshot of the methods used to break sanitizers and collaborate on fixes.
5. Gaps in Reporting: Barriers to disclosure and the need for better security features.
6. Practical Takeaways: Actionable tips for developers, maintainers, and the community.
7. Wrap-Up & Q&A: Final insights and open discussion.

The idea is to give a comprehensive talk: Idea -> Goal -> Searching for Vulns -> Identification -> Patching and future work -> Bypassing some fixes. The CVEs where I also authored the fix let me explain both sides of the coin (developer and security researcher).

1. https://nvd.nist.gov/vuln/detail/CVE-2024-39918 in an OSS tool https://www.npmjs.com/package/@jmondi/url-to-png
2. CVE-2024-XXXXX (No CVE yet, the idea is to let devs apply for CVEs): https://github.com/miroslavpejic85/mirotalksfu/
3. https://nvd.nist.gov/vuln/detail/CVE-2024-43797: in OSS https://github.com/advplyr/audiobookshelf/
4. https://nvd.nist.gov/vuln/detail/CVE-2024-47769 in OSS https://github.com/idurar/idurar-erp-crm/
5. https://nvd.nist.gov/vuln/detail/CVE-2024-56198 in OSS https://github.com/cabraviva/path-sanitizer
6. Awaiting PR to be merged
7. Awaiting PR to be merged
8. Awaiting PR to be merged (with scope for more)

Each bug has a public exploit, a public fix and a public discussion with the developers.

Note: This is ongoing independent research (not affiliated with my job or workplace), and my first time presenting my research. All the findings in this talk are my own findings from the past year. In case this talk gets accepted, by the time I present I might have more insights and CVEs (currently 6 and counting). CVEs are not important, but the variety is, which is what I have been trying to achieve.


Speakers

Nishant Jain

Application Security Lead, Loom (now part of Atlassian)
I currently lead the Application Security at Loom (now part of Atlassian). I’ve also been a member of security teams at Tinder and MakeMyTrip. Previously, I pursued my passion for security through bug bounties, discovering and reporting vulnerabilities via HackerOne programs. While...
Track 2, 5 Wayside Rd, Burlington, MA 01803, USA
