# krash.dev > A personal blog by 0xCardinal on supply chain security, product & platform security, and interesting attack & defense strategies. This is a personal blog of [0xCardinal](https://kumarashwin.com), discussing topics such as supply chain security, product & platform security, alongside discussions on interesting attack & defense strategies. The full text of every post is available at https://krash.dev/llms-full.txt. ## Posts - [DNS Over HTTPS (DoH): What, Why, and How It Works](https://krash.dev/posts/dns-over-https/): Classic DNS leaks every site you visit in plaintext. DNS over HTTPS (DoH) wraps lookups in TLS on port 443 - what it fixes, how it works, and the tradeoffs. - [Securing MCP Servers: A Threat Modeling Guide for Security Engineers](https://krash.dev/posts/securing-mcp/): A practical guide to reviewing MCP servers at organizational scale: threat model, source and config review, severity calibration, supply-chain risks, and runtime controls. - [Before Your Code Runs: Python](https://krash.dev/posts/before-your-code-runs/python/): How Python's .pth files, sitecustomize, usercustomize, and PYTHONSTARTUP let code execute before your script even starts. - [Before Your Code Runs: Node.js](https://krash.dev/posts/before-your-code-runs/nodejs/): npm lifecycle scripts, NODE_OPTIONS injection, ESM loaders, and more. Every way Node.js runs code before your app starts. - [YubiKey OTP Best Practices](https://krash.dev/posts/yubikey-best-practices/): How to prevent accidental YubiKey OTP triggers and what to do when you leak one—plus YubiOTP vs TOTP in practice. - [Navigating the Ethereum Yellow Paper](https://krash.dev/posts/blockchain-security/navigating-ethereum-yellow-paper/): A pragmatic and approachable guide for technically-minded readers who want to understand the Ethereum Yellow Paper. Tips for reading, practical breakdowns, mental models, and lessons learned from struggling through the original document. - [Blockchain Architecture: Layers](https://krash.dev/posts/blockchain-security/blockchain-layers-and-types/): A detailed breakdown of blockchain layers, including Layer 1, Layer 2, rollups, and how architectural decisions affect blockchain performance and security. Explore consensus differences and practical analogies. - [Consensus: How Blockchains Agree](https://krash.dev/posts/blockchain-security/consensus/): A deep dive into how decentralized blockchains reach consensus—from block production to fork choice and finality. - [Blockchain Components](https://krash.dev/posts/blockchain-security/blockchain-components/): An in-depth breakdown of the core components that make up a modern blockchain system—covering blocks, transactions, accounts, consensus, node architecture, and more. - [Why Learn Blockchain & Blockchain Security?](https://krash.dev/posts/blockchain-security/why-blockchain-and-blockchain-security/): In the world of AI, I’m gonna go rebel and talk about Blockchains. Why? Because I’ve been learning and tinkering with it, and I thought it’d be fun to share. Honestly, this is as much for my own notes as it is for anyone reading. Blockchain isn’t as shiny as AI right now, but it’s still a big deal. Here’s the thing: blockchain is too important to ignore, but too risky to approach without understanding security. It’s not just a playground for developers writing smart contracts. Entrepreneurs building products, investors betting on tokens, policy makers drafting regulations, and security folks trying to protect users, they all have skin in the game. - [Production Grade Bash Scripts](https://krash.dev/posts/writing-production-grade-bash-script/): A deep dive into writing resilient, production-grade shell scripts, because sometimes your one-liner ends up running in prod. - [Reputation Farming in OSS: A Threat to Building Trust](https://krash.dev/posts/reputation-farming/): This issue complicates the open source and supply chain security space. For attacks like xz, such strategies can be used by attackers to build “fake” trust among fellow OSS community members. A few days ago, this discussion ignited in the OSSF Slack, which talked about the issue of credibility farming in several open source repositories. So, the issue revolves around GitHub (or equivalent platforms) accounts approving or commenting on old pull requests and issues that were already resolved or closed, where these meaningless contributions show up prominently on the user’s profile and activity feed, making their involvement seem more significant than it actually is, without closer look. - [Two Bits on the xz Vulnerability](https://krash.dev/posts/xz-vulnerability/): GitHub Repository xz (Suspended) Source Code https://git.tukaani.org/?p=xz.git Threat Actor Jia Tan (GitHub) CVE Number CVE-2024-3094 (CVSS 10.0) Vulnerability Type Remote Code Execution Attack Category Social Engineering, Supply Chain Attack What does xz module do?# XZ Utils is a set of free and open-source data compression utilities that provide high compression ratios and fast decompression. It primarily uses the LZMA compression algorithm , which is an algorithm for lossless data compression. - [Handling Deprecated Dependencies In Your Project](https://krash.dev/posts/handling-deprecated-dependencies/): Disclaimer: Just a heads up, while we’re diving into ways to tackle the problem of dependency depreciation, there’s no one-size-fits-all solution here. It’s a bit of a wild ride dealing with supply chain security and those pesky deprecated dependencies, so don’t expect a quick fix! The issue of using deprecated dependencies has persisted for quite some time, and it’s gaining increased attention. Many projects continue to incorporate deprecated dependencies. I was inspired to write this blog after coming across a LinkedIn post by Rory McCune and several other posts over the past few weeks. - [VS Code Security: Looking at the IDE from Security Lens](https://krash.dev/posts/attacking-vs-code/): While perusing StackOverflow's 2023 Developer Survey (yes, we developers have our own version of celebrity gossip), I couldn’t help but notice that our trusty VSCode is still riding high as the undisputed IDE champ. With a whopping 73% of the developer vote, it’s safe to say that VSCode has firmly planted its flag. But, like any superstar, it’s not immune to the spotlight’s glare, especially when it comes to security. And in this blog, we’ll explore the security aspects that every VSCode user should consider. - [Investigating Reported Vulnerabilities: A Closer Look!](https://krash.dev/posts/investigating-reported-vulnerability/): In vulnerability scanners or penetration testing reports, you might come across statements like “Service version x.y.z is vulnerable to CVE-YYYY-ABCD.” However, it’s essential to delve deeper to confirm the actual vulnerability. Let’s consider a real example: We received a vulnerability report indicating a vulnerability (CVE-2023-23916) in curl v7.74.0 within the Debian 11 environment. The CVE documentation mentions: Affected versions: curl 7.57.0 to and including 7.87.0 At first glance, it appears that v7.74.0 is indeed vulnerable. But is that really the case? - [Kubernetes Components](https://krash.dev/posts/kubernetes/kubernetes-components/): In this blog post, we are going to talk about different components used in Kubernetes and what purpose each component serve. We will be talking about the following - Pods Service Ingress ConfigMap Secret Deployment StatefulSet ReplicaSet DaemonSet Use-case that will be used througout the blog will be hosting a web application with application code and database in different pods. Before starting this blog, if you want to learn about the underlying concepts - Read “Kubernetes Concept ” - [My Experiments with Raspberry Pi Pico - Poor Man's Rubber Ducky](https://krash.dev/posts/rubber-ducky-using-pi-pico/): Mr. Robot Season 2 Episode 9 - “Rubber Duckie, You’re The One” - I was fascinated by this piece of technology when I first saw it many years ago. Then I looked it up on the internet to learn more about it, and it turned out to be HID, or Human Interface Device. It basically imitates users and executes code or performs actions in their place. Since the real rubber ducky was out of my budget, I looked for alternatives and discovered that similar behaviour to the rubber ducky can be achieved using a less expensive piece of hardware - the Raspberry Pi Pico (7$). - [Docker Security](https://krash.dev/posts/docker-security/): This blogs acts as a cheatsheet for securing and attacking docker. - [Zone Identifier - Is your file downloaded from the internet?](https://krash.dev/posts/zone-identifier/): This blogs helps you understand an important topic - Zone Identifiers. - [Understanding DKIM - Email Security Series](https://krash.dev/posts/email-security/dkim/): DKIM is a technological advancement in the field of email security. SPF prevents non-authorized servers from sending emails, but it does not prevent all attempts at spoofing. This is where our next level of security comes into play. DKIM or Domain Keys Identified Mail aids to the security of the email as it adds a digital signature to every outgoing message, allowing receiving servers to verify that the message came from your organization. It ensures that the content of the email remains untampered/compromised and can be trusted. - [Understanding SPF - Email Security Series](https://krash.dev/posts/email-security/spf/): Sender Policy Framework or SPF is an email authentication platform. It helps in specifying who is allowed to send emails from your domain. Making it harder for fraudsters to spoof sender information. Note RFC 7208 - https://datatracker.ietf.org/doc/html/rfc7208 SPF Records are used to specify the origin of the email to the world. It can be considered as a public list that specifies where an email is sent from. How does SPF records look like?# SPF is configured and managed as a TXT record inside the DNS server your domain uses. - [Linux - Command Line Struggles](https://krash.dev/posts/linux-commands/): This blog is a reference for the linux commands that I forget. The commands are mentioned according to different scenarios. - [gRPC: We are not RESTing Anymore](https://krash.dev/posts/grpc-concepts/): This blogs helps in understanding about gRPC framework used for creating secure and scalable APIs with many other features. - [How is XSS different from CSRF?](https://krash.dev/posts/xss-vs-csrf/): This blogs draws a contrast between the two client side vulnerabilities - Cross-site Scripting(XSS) and Cross-site Request Forgery(CSRF) - [Kubernetes Concept](https://krash.dev/posts/kubernetes/kubernetes-concept/): I have been wanting to learn about kubernetes k8s since long, and create this blog series. Here we are finally started (thanks to null cloud security study group ), so without wasting too much time let’s get started. I am learning this having a security mindset, to find common misconfigurations and understand the development process to understand the mitigation. K8s is a container orchestrator. Before diving too much into the depth let’s see what orchestrators/orchestrations are. - [Anonymous Challenge Write-Up: WinjaCTF c0c0n 2021](https://krash.dev/posts/winja-anonymous-challenge-writeup/): WinjaCTF at c0c0n [2021]: I developed an easy challenge - called “Anonymous” - the challenge was based upon browser forensics. TL;DR# Intended Way - Download the zip > Extract it > Navigate the Linux directory structure > To find a directory called .config > google-chrome > Default > Open the History File in SQL Browser > Search for URLs and upon up the URL to get a file with the name - formatted like flag. - [This is why you need a personal Collaborator Client!](https://krash.dev/posts/this-is-why-you-need-a-personal-collaborator-client/): If you have used Burp’s collaborator client for your Out-of-band testing, you know it’s awesome. Then why there is a need for a personal collaborator client? There are a few things that need to be addressed. Companies have started to blacklist burp collaborator’s domain, making it difficult for OOB vulnerabilities detection. (Read here) Collaborator client is not available for the community/free edition of BurpSuite. This brings the need for having a personal collaborator client, with no to minimal investments, that will help us in the detection of any out-of-band/blind vulnerabilities, and I have linked an amazing cheatsheet below that will guide in OOB Exploitation. So, let’s get started. Below are the things required for our recipe to cook: - [How does burp proxy work?](https://krash.dev/posts/how-does-burp-proxy-work/): What’s a proxy?# A proxy acts as a gateway between you and the internet. The internet traffic flow back and forth if a proxy is setup in the middle. So, what is the need of proxy? There are several reasons organizations and individuals use proxies: Control and monitor internet usage Proxy servers can give better speed and bandwidth by caching websites Proxy servers can also be setup along with VPNs to provide anonymity and better security There are different types of proxies, but a specific type of proxy that we are going to talk about in this blog is interception proxy. - [NULLCON 2021 Training: DEVSECOPS](https://krash.dev/posts/nullcon-2021-training-devsecops/): You don’t need money to buy expensive things, sometimes hard work pays off. And yes nullcon trainings are still expensive for me xD and I am grateful that I got this chance to attend one. One year ago, I was going through the nullcon training schedule, and trying to understand the structure, and how much I can learn from it, because it was too expensive for me to get the actual training. Cut to March 1st , 2021, where I was attending a nullcon Training called – “DEVSECOPS – AUTOMATING SECURITY IN DEVOPS by Rohit Salecha”, not only as an attendee but also as a moderator for the event, because I was the one of the employees at Payatu. - [Exam Experience: CEH v10](https://krash.dev/posts/passed-cehv10-practical/): July 6th, 2020: It all started with this mail. I received a scholarship for CEH Practical (applied two times xD) and I had to pay $99 to take the exam. I guess it was worth it. Battling with college and other stuff, I used to think I am not ready yet and kept on postponing it until 6th of November, 2020. I finally took the exam and passed it easily, and now that I look back, I could have done it then as well, but yeah. - [Bug Bounty Summit CTF Writeup](https://krash.dev/posts/bug-bounty-summit-ctf-writeup/): The CTF is live on Hacker101 as Grayhatcon CTF – Hacker101 CTF The CTF was built upon real vulnerabilities found during bug bounties. It had four flags – 250 points each. Objective - Hackerone’s Username and Password database has been leaked and put on an auction. Our task was to delete the auction listing before anyone buys it. We were given an IP, which resolved to a web application. On performing some basic information gathering, I found out some stuff. - [Hacking Is Not Black & White](https://krash.dev/posts/hacking-is-not-black-and-white/): This is related to a talk given by me and pre & post-event activities, that were conducted at Developer Circles, Pune and Bengaluru. It all started with DEFCON 2020 Red Team Village CTF, my team and I reached the Top 50 and it was just amazing for all of us. It was an enriching experience, solving challenges from a wide range of categories and learning new stuff in the process. One section of the CTF dealt with Malware Analysis and I was fascinated by this domain of security and have been learning about it. ## Series - [Blockchain Security](https://krash.dev/series/blockchain-security/) (5 posts) - [Before Your Code Runs](https://krash.dev/series/before-your-code-runs/) (2 posts) - [Email Security](https://krash.dev/series/email-security/) (2 posts) - [Learn Kubernetes](https://krash.dev/series/learn-kubernetes/) (2 posts) ## Optional - [Tags](https://krash.dev/tags/) - [Categories](https://krash.dev/categories/) - [RSS feed](https://krash.dev/rss.xml)