Apache Druid is a real-time analytics database, used where data visibility and high query concurrency are needed. It ingests streaming data from sources such as Kafka and AWS Kinesis, and exposes a rich set of HTTP and JDBC APIs for loading, managing and querying data.
Druid can execute JavaScript on the server without restrictions. For obvious security reasons this is disabled by default. But what if the feature could be tricked into being used anyway?
Druid uses Jackson to parse JSON. Marking a constructor with Jackson's creator annotation tells Jackson to call that constructor when it deserializes a JavaScriptDimFilter object. Inside that constructor, most of the parameters carry the @JsonProperty annotation, which binds each of them to a named com.fasterxml.jackson.databind.deser.CreatorProperty.
Not every parameter has that annotation, though. A parameter created without it still gets a com.fasterxml.jackson.databind.deser.CreatorProperty, but its name is "" (the empty string). Because an attacker can supply a JSON property named "", we can control that parameter's value.
When the JavaScript filter type is parsed, the unnamed property resolves to "" (the empty string), and that property is the object's config. By supplying our own "" key, we inject our own configuration! With that injected configuration we can turn on JavaScript for this one call. Boom, popping a shell!
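The override described above has a simple fingerprint in the request itself: a JSON object member whose name is the empty string, sitting next to a `"type": "javascript"` object. The following detection helper is an added example, not code from the Druid project or from Jackson. It walks a JSON request body (for example a logged Druid query), reports the JSON path of every empty-name member and every JavaScript-typed object, and ranks the body accordingly. The two sample bodies are constructed for the example; the value under the `""` key is a placeholder, since the scan does not depend on its contents.

```python
"""Detection helper for the empty-name property override described above.

Added example, not code from the Druid project or Jackson. It scans a JSON
request body (for example a logged Druid query) for two signals:
  * any object member whose name is the empty string "", which is the name an
    unnamed injected creator property resolves to, and
  * any object whose "type" is "javascript".
Both together are the strongest indicator. The sample bodies are constructed.
"""
import json
from typing import Any, Iterator


def iter_nodes(node: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Depth-first walk yielding (json_path, value) for the root and every descendant."""
    yield path, node
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_nodes(value, f'{path}["{key}"]')
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_nodes(value, f"{path}[{index}]")


def find_empty_keys(doc: Any) -> list[str]:
    """JSON paths of every object member named "" (empty string)."""
    return [f'{path}[""]' for path, node in iter_nodes(doc)
            if isinstance(node, dict) and "" in node]


def find_javascript_objects(doc: Any) -> list[str]:
    """JSON paths of every object declaring "type": "javascript"."""
    return [path for path, node in iter_nodes(doc)
            if isinstance(node, dict) and node.get("type") == "javascript"]


def audit_query(body: str) -> dict[str, Any]:
    """Classify one request body. Parse failures are reported, not raised."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return {"severity": "error", "reason": f"invalid JSON: {exc.msg}"}
    empty = find_empty_keys(doc)
    js = find_javascript_objects(doc)
    if empty and js:
        severity = "high"     # JavaScript object plus an empty-name member
    elif empty:
        severity = "medium"   # an empty-name member is abnormal in any query
    elif js:
        severity = "low"      # JavaScript filter present; expected to be disabled
    else:
        severity = "none"
    return {"severity": severity, "empty_key_paths": empty, "javascript_paths": js}


# Constructed sample bodies (not real captured traffic).
SAMPLE_BENIGN = json.dumps({
    "queryType": "timeseries",
    "dataSource": "events",
    "filter": {"type": "selector", "dimension": "country", "value": "NL"},
    "intervals": ["2020-01-01/2020-01-02"],
})

SAMPLE_SUSPICIOUS = json.dumps({
    "queryType": "timeseries",
    "dataSource": "events",
    "filter": {
        "type": "javascript",
        "dimension": "country",
        "function": "function(x) { return x === 'NL'; }",
        "": {"placeholder": "attacker-controlled config object"},  # constructed
    },
    "intervals": ["2020-01-01/2020-01-02"],
})


if __name__ == "__main__":
    for name, body in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(name, audit_query(body))
```

Run over a stream of logged query bodies, the `high` bucket is the one to alert on; `medium` still deserves a look, because no legitimate Druid query has a reason to carry an empty property name at any depth.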