Attacking Language Server JSON RPC

While auditing a VSCode Extension Language Server I noticed something interesting. This turned into the research question “can we attack the extension from the browser?”. After a bit of preliminary research I decided to do it again on stream, and eventually made this video. This is what security research can look like.

What is a Server?
What is a Protocol?
GitLab RCE Live Stream

Chapters:
00:00 - Why Security Research?
01:23 - What is a Language Server?
02:53 - Setup Example Code
04:00 - RCE in VSCode Extension?
05:25 - The Language Server Code
06:29 - Researching Communication
11:13 - Can a Browser Attack the VSCode Extension?
13:54 - Research Results
15:40 - Ad n’ Outro