Attacking Language Server JSON RPC

Video Link: https://www.youtube.com/watch?v=DFAdG9o0sTw
Duration: 16:31


While auditing a VSCode Extension + Language Server I noticed something interesting. This turned into the research question "can we attack the extension from the browser?". After a bit of preliminary research I decided to do it again on stream, and eventually made this video. This is what security research can look like.

What is a Server? https://www.youtube.com/watch?v=VXmvM2QtuMU
What is a Protocol? https://www.youtube.com/watch?v=d-zn-wv4Di8
GitLab 11.4.7 RCE https://www.youtube.com/watch?v=LrLJuyAdoAg

Live Stream: https://www.youtube.com/watch?v=jc7S6TtLK_c

My Font (advertisement): https://shop.liveoverflow.com/

Interested in more videos like this? https://www.youtube.com/playlist?list=PLhixgUqwRTjzSTVPNZduVzMY1yebFrA9m

Chapters:
00:00 - Why Security Research?
01:23 - What is a Language Server?
02:53 - Setup Example Code
04:00 - RCE in VSCode Extension?
05:25 - The Language Server Code
06:29 - Researching Communication
11:13 - Can a Browser Attack the VSCode Extension?
13:54 - Research Results
15:40 - Ad n' Outro

=[ ❤️ Support ]=

→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

2nd Channel: https://www.youtube.com/LiveUnderflow

=[ 🐕 Social ]=

→ Twitter: https://twitter.com/LiveOverflow/
→ Streaming: https://twitch.tv/LiveOverflow/
→ TikTok: https://www.tiktok.com/@liveoverflow_
→ Instagram: https://instagram.com/LiveOverflow/
→ Blog: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/


Tags:
Live Overflow
liveoverflow
hacking tutorial
how to hack
exploit tutorial
vscode
language server
vscode extension
typescript
javascript
json rpc
jsonrpc
wireshark
python
python3
http pipelining
malicious script
security research
failed research