サーバーレスのセキュリティリスク - AWS Lambdaにおける脆弱性攻撃と対策 - GMO Flatt Security Blog
はじめに こんにちは、株式会社Flatt Security セキュリティエンジニアの森岡(@scgajge12)です。 本稿では、AWS Lambda で起こりうる脆弱性攻撃やリスク、セキュリティ対策を解説し、サーバーレスにおけるセキュリティリスクについて紹介します。 はじめに AWS Lambda について サーバーレスにおけるセキュリティリスク AWS Lambda で起こりうる脆弱性攻撃 Lambda での脆弱性攻撃によるリスク 脆弱性攻撃による更なるリスク OS Command Injection XML External Entity (XXE) Insecure Deserialization Server Side Request Forgery (SSRF) Remote Code Execution (RCE) AWS Lambda におけるセキュリティ対策 セキュリティ
はじめに 対象イベント 読み方、使い方 Remote Code Execution(RCE) 親ディレクトリ指定によるopen_basedirのバイパス PHP-FPMのTCPソケット接続によるopen_basedirとdisable_functionsのバイパス JavaのRuntime.execでシェルを実行 Cross-Site Scripting(XSS) nginx環境でHTTPステータスコードが操作できる場合にCSPヘッダーを無効化 GoogleのClosureLibraryサニタイザーのXSS脆弱性 WebのProxy機能を介したService Workerの登録 括弧を使わないXSS /記号を使用せずに遷移先URLを指定 SOME(Same Origin Method Execution)を利用してdocument.writeを順次実行 SQL Injection MySQ
はじめに サーバーサイドエンジニアの mokuo です。普段はカード決済やあとばらいチャージに関連する機能の開発や運用を行っております。 本記事でお話すること 日本の住所を都道府県、市区町村、丁目番地、それ以降などに分割する方法の検討から技術選定、実際に動いているコード(ほぼそのまま)をお見せします。 想定読者 サーバーサイドエンジニアを主な読者として想定しています。 日本の住所を分割する機能の実装方法を知りたい方 Deno*1や Hono*2 の採用事例、実装例を知りたい方 はじめに 本記事でお話すること 想定読者 🤔 背景と課題 🎯 住所分割の方針検討 ✂️ 住所分割方法: normalize-japanese-addresses に決定 🧩 npm ライブラリの組み込み: Hono + Deno に決定 🏠️ インフラ構成: ECS + EFS に決定 💪 2日で実装する
Another year passes. I was hoping to write more articles instead of just these end-of-the-year screeds, but I almost died in the spring semester, and it sucked up my time. Nevertheless, I will go through what I think are the major trends and happenings in databases over the last year. There were many exciting and unprecedented developments in the world of databases. Vibe coding entered the vernacu
GPT-5 の新パラメータとツール|npaka
以下の記事が面白かったので、簡単にまとめました。 ・GPT-5 New Params and Tools - OpenAI Cookbook 1. verbosity1-1. 概要「verbosity」は、出力トークン数を調節できます。 ・low : 簡潔なUX、簡潔な文章 ・medium (デフォルト) : バランスの取れた詳細 ・high : 詳細な情報。監査、教育、引き継ぎに最適 1-2. verbosityの効果の確認プロンプトを一定に保ったまま、「verbosity」を変更することで、効果を確認できます。 response = client.responses.create( model="gpt-5", input="人生、宇宙、そして万物に関する究極の問いに対する答えは何でしょうか?", text={ "verbosity": "low" } ) print(response
REST API Design Best Practices Handbook – How to Build a REST API with JavaScript, Node.js, and Express.js
By Jean-Marc Möckel I've created and consumed many API's over the past few years. During that time, I've come across good and bad practices and have experienced nasty situations when consuming and building API's. But there also have been great moments. There are helpful articles online which present many best practices, but many of them lack some practicality in my opinion. Knowing the theory with
GitHub - modelcontextprotocol/servers: Model Context Protocol Servers
Official integrations are maintained by companies building production ready MCP servers for their platforms. 21st.dev Magic - Create crafted UI components inspired by the best 21st.dev design engineers. 2slides - An MCP server that provides tools to convert content into slides/PPT/presentation or generate slides/PPT/presentation with user intention. ActionKit by Paragon - Connect to 130+ SaaS inte
How modern browsers work
Note: For those eager to dive deep into how browsers work, an excellent resource is Browser Engineering by Pavel Panchekha and Chris Harrelson (available at browser.engineering). Please do check it out. This article is an overview of how browsers work. Web developers often treat the browser as a black box that magically transforms HTML, CSS, and JavaScript into interactive web applications. In tru
How we built the Grafbase local development experience in Rust
How we built the Grafbase local development experience in Rust Grafbase provides an edge-native GraphQL platform that combines multiple data-sources into a single API and includes a serverless database, search, edge caching, preview environments and much more. Around May 2022 we started working on a local development experience, written in Rust, to mirror this functionality locally and allow you t
'); doc.close(); } if (!doc) throw Error('base not supported'); var baseTag = doc.createElement('base'); baseTag.href = base; doc.getElementsByTagName('head')[0].appendChild(baseTag); var anchor = doc.createElement('a'); anchor.href = url; return anchor.href; } finally { if (iframe) iframe.parentNode.removeChild(iframe); } }()); } // An inner object implementing URLUtils (either a native URL // ob
Weird Lexical Syntax
I just learned 42 programming languages this month to build a new syntax highlighter for llamafile. I feel like I'm up to my eyeballs in programming languages right now. Now that it's halloween, I thought I'd share some of the spookiest most surprising syntax I've seen. The languages I decided to support are Ada, Assembly, BASIC, C, C#, C++, COBOL, CSS, D, FORTH, FORTRAN, Go, Haskell, HTML, Java,
AST vs. Bytecode: Interpreters in the Age of Meta-Compilation
233 AST vs. Bytecode: Interpreters in the Age of Meta-Compilation OCTAVE LAROSE, University of Kent, UK SOPHIE KALEBA, University of Kent, UK HUMPHREY BURCHELL, University of Kent, UK STEFAN MARR, University of Kent, UK Thanks to partial evaluation and meta-tracing, it became practical to build language implementations that reach state-of-the-art peak performance by implementing only an interprete
Parsing SQL - Strumenta
The code for this tutorial is on GitHub: parsing-sql SQL is a language to handle data in a relational database. If you worked with data you have probably worked with SQL. In this article we will talk about parsing SQL. It is in the same league of HTML: maybe you never learned it formally but you kind of know how to use it. That is great because if you know SQL, you know how to handle data. However
KDL is a small, pleasant document language with XML-like node semantics that looks like you're invoking a bunch of CLI commands! It's meant to be used both as a serialization format and a configuration language, much like JSON, YAML, or XML. It looks like this: package { name my-pkg version "1.2.3" dependencies { // Nodes can have standalone values as well as // key/value pairs. lodash "^3.2.1" op
'); doc.close(); } if (!doc) throw Error('base not supported'); var baseTag = doc.createElement('base'); baseTag.href = base; doc.getElementsByTagName('head')[0].appendChild(baseTag); var anchor = doc.createElement('a'); anchor.href = url; return anchor.href; } finally { if (iframe) iframe.parentNode.removeChild(iframe); } }()); } // An inner object implementing URLUtils (either a native URL // ob
In this blog post we benchmark many Ruby versions and the latest Ruby Just-in-Time compilers (JITs) on the newest Ruby benchmark suite, yjit-bench. As a teaser, the geometric mean speedups compared to CRuby 3.1 on these 14 benchmarks are: MJIT 1.26x, YJIT 1.39x, JRuby 1.86x and TruffleRuby 6.23x. Read on to find more about the benchmarks and gain insights on these speedups. This blog post is also
ClamAV 1.0.0 LTS released
The ClamAV 1.0.0 feature release is now stable and available for download on ClamAV.net or through Docker Hub. ClamAV 1.0.0 includes the following improvements and changes. Major changesSupport for decrypting read-only OLE2-based XLS files that are encrypted with the default password. Use of the default password will now appear in the metadata JSON. GitHub pull request: https://github.com/Cisco-Ta
A new JavaScript backend was merged into GHC on November 30th, 2022! This means that the next release of GHC will be able to emit code that runs in web browsers without requiring any extra tools, enabling Haskell for both front-end and back-end web applications. In this post, we, the GHC DevX team at IOG, describe the challenges we faced bringing GHCJS to GHC, how we overcame those challenges, and
'); doc.close(); } if (!doc) throw Error('base not supported'); var baseTag = doc.createElement('base'); baseTag.href = base; doc.getElementsByTagName('head')[0].appendChild(baseTag); var anchor = doc.createElement('a'); anchor.href = url; return anchor.href; } finally { if (iframe) iframe.parentNode.removeChild(iframe); } }()); } // An inner object implementing URLUtils (either a native URL // ob
The Grug Brained Developer
The Grug Brained Developer A layman's guide to thinking like the self-aware smol brained Introduction this collection of thoughts on software development gathered by grug brain developer grug brain developer not so smart, but grug brain developer program many long year and learn some things although mostly still confused grug brain developer try collect learns into small, easily digestible and fun
Netflix Japan - Watch TV Shows Online, Watch Movies Online
'); doc.close(); } if (!doc) throw Error('base not supported'); var baseTag = doc.createElement('base'); baseTag.href = base; doc.getElementsByTagName('head')[0].appendChild(baseTag); var anchor = doc.createElement('a'); anchor.href = url; return anchor.href; } finally { if (iframe) iframe.parentNode.removeChild(iframe); } }()); } // An inner object implementing URLUtils (either a native URL // ob
By Jun He, Natallia Dzenisenka, Praneeth Yenugutala, Yingyi Zhang, and Anjali Norwood TL;DRWe are thrilled to announce that the Maestro source code is now open to the public! Please visit the Maestro GitHub repository to get started. If you find it useful, please give us a star. What is MaestroMaestro is a horizontally scalable workflow orchestrator designed to manage large-scale Data/ML workflows
Update 1.86.2: The update addresses these issues. Update 1.86.1: The update addresses these issues. Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome to the January 2024 release of Visual Studio Code. There are many updates in this version that we hope you'll like, some of the key highlights include: Per-window zoom levels - Adjust the zoom leve
ウィンター・オン・ファイヤー: ウクライナ、自由への闘いを観る | Netflix (ネットフリックス) 公式サイト
'); doc.close(); } if (!doc) throw Error('base not supported'); var baseTag = doc.createElement('base'); baseTag.href = base; doc.getElementsByTagName('head')[0].appendChild(baseTag); var anchor = doc.createElement('a'); anchor.href = url; return anchor.href; } finally { if (iframe) iframe.parentNode.removeChild(iframe); } }()); } // An inner object implementing URLUtils (either a native URL // ob
Introduction to Go 1.19 The latest Go release, version 1.19, arrives five months after Go 1.18. Most of its changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. Changes to the language There is only one small change to the language, a
Tier 4 Support § Support for these targets is entirely experimental. If this target is provided by LLVM, LLVM may have the target as an experimental target, which means that you need to use Zig-provided binaries for the target to be available, or build LLVM from source with special configure flags. zig targets will display the target if it is available. This target may be considered deprecated by
Shai Hulud Strikes Again (v2)Another wave of Shai-Hulud campaign has hit npm with more than 500 packages and 700+ versions affected. Update: November 26, 2025 PostHog has published a detailed post mortem describing how one of its GitHub Actions workflows was abused as an initial access vector for Shai Hulud v2. An attacker briefly opened a pull request that modified a script executed via pull_requ
research!rsc: Floating-Point Printing and Parsing Can Be Simple And Fast (Floating Point Formatting, Part 3)
Introduction A floating point number f has the form f=m·2e where m is called the mantissa and e is a signed integer exponent. We like to read numbers scaled by powers of ten, not two, so computers need algorithms to convert binary floating-point to and from decimal text. My 2011 post “Floating Point to Decimal Conversion is Easy” argued that these conversions can be simple as long as you don’t car
'); doc.close(); } if (!doc) throw Error('base not supported'); var baseTag = doc.createElement('base'); baseTag.href = base; doc.getElementsByTagName('head')[0].appendChild(baseTag); var anchor = doc.createElement('a'); anchor.href = url; return anchor.href; } finally { if (iframe) iframe.parentNode.removeChild(iframe); } }()); } // An inner object implementing URLUtils (either a native URL // ob
'); doc.close(); } if (!doc) throw Error('base not supported'); var baseTag = doc.createElement('base'); baseTag.href = base; doc.getElementsByTagName('head')[0].appendChild(baseTag); var anchor = doc.createElement('a'); anchor.href = url; return anchor.href; } finally { if (iframe) iframe.parentNode.removeChild(iframe); } }()); } // An inner object implementing URLUtils (either a native URL // ob
Go Conferenceは半年に1回行われるプログラミング言語Goに関するカンファレンスです。渋川氏は、タグを使ったGo開発について発表しました。全2回。前半は、Goにおける多種多様なライブラリとタグの処理方法について。 Goの特徴はタグによる関数の呼び出しのシンプル化渋川よしき氏:よろしくお願いします。それでは「Goの構造体とタグを極める」を発表します。 渋川と申します。株式会社本田技術研究所や株式会社ディー・エヌ・エーなどで働いて、今はフューチャー株式会社で仕事をしています。妻と子どもがいます。いろいろと本を書いたりしています。週末はインラインスケートを子どもたちとやっています。 これが今まで書いてきたGoの本です。『Real World HTTP』は韓国語バージョンも買えます。もう1ヶ国語を今翻訳中です。 当社では技術ブログにけっこう力を入れていて、最近勉強会で発表すると「『Go』
'); doc.close(); } if (!doc) throw Error('base not supported'); var baseTag = doc.createElement('base'); baseTag.href = base; doc.getElementsByTagName('head')[0].appendChild(baseTag); var anchor = doc.createElement('a'); anchor.href = url; return anchor.href; } finally { if (iframe) iframe.parentNode.removeChild(iframe); } }()); } // An inner object implementing URLUtils (either a native URL // ob
Proto Best Practices
Clients and servers are never updated at exactly the same time - even when you try to update them at the same time. One or the other may get rolled back. Don’t assume that you can make a breaking change and it’ll be okay because the client and server are in sync. Don’t Re-use a Tag NumberNever re-use a tag number. It messes up deserialization. Even if you think no one is using the field, don’t re-
'); doc.close(); } if (!doc) throw Error('base not supported'); var baseTag = doc.createElement('base'); baseTag.href = base; doc.getElementsByTagName('head')[0].appendChild(baseTag); var anchor = doc.createElement('a'); anchor.href = url; return anchor.href; } finally { if (iframe) iframe.parentNode.removeChild(iframe); } }()); } // An inner object implementing URLUtils (either a native URL // ob
'); doc.close(); } if (!doc) throw Error('base not supported'); var baseTag = doc.createElement('base'); baseTag.href = base; doc.getElementsByTagName('head')[0].appendChild(baseTag); var anchor = doc.createElement('a'); anchor.href = url; return anchor.href; } finally { if (iframe) iframe.parentNode.removeChild(iframe); } }()); } // An inner object implementing URLUtils (either a native URL // ob
Introduction to Go 1.19 The latest Go release, version 1.19, arrives five months after Go 1.18. Most of its changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. Changes to the language There is only one small change to the language, a
'); doc.close(); } if (!doc) throw Error('base not supported'); var baseTag = doc.createElement('base'); baseTag.href = base; doc.getElementsByTagName('head')[0].appendChild(baseTag); var anchor = doc.createElement('a'); anchor.href = url; return anchor.href; } finally { if (iframe) iframe.parentNode.removeChild(iframe); } }()); } // An inner object implementing URLUtils (either a native URL // ob
'); doc.close(); } if (!doc) throw Error('base not supported'); var baseTag = doc.createElement('base'); baseTag.href = base; doc.getElementsByTagName('head')[0].appendChild(baseTag); var anchor = doc.createElement('a'); anchor.href = url; return anchor.href; } finally { if (iframe) iframe.parentNode.removeChild(iframe); } }()); } // An inner object implementing URLUtils (either a native URL // ob
'); doc.close(); } if (!doc) throw Error('base not supported'); var baseTag = doc.createElement('base'); baseTag.href = base; doc.getElementsByTagName('head')[0].appendChild(baseTag); var anchor = doc.createElement('a'); anchor.href = url; return anchor.href; } finally { if (iframe) iframe.parentNode.removeChild(iframe); } }()); } // An inner object implementing URLUtils (either a native URL // ob
ギレルモ・デル・トロの驚異の部屋を観る | Netflix (ネットフリックス) 公式サイト
'); doc.close(); } if (!doc) throw Error('base not supported'); var baseTag = doc.createElement('base'); baseTag.href = base; doc.getElementsByTagName('head')[0].appendChild(baseTag); var anchor = doc.createElement('a'); anchor.href = url; return anchor.href; } finally { if (iframe) iframe.parentNode.removeChild(iframe); } }()); } // An inner object implementing URLUtils (either a native URL // ob
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く
【2020年】CTF Web問題の攻撃手法まとめ - こんとろーるしーこんとろーるぶい
Hono + Deno で住所分割APIサーバーを2日で爆速実装する - inSmartBank
Databases in 2025: A Year in Review
大奥を観る | Netflix (ネットフリックス) 公式サイト
The KDL Document Language
Top 10 Movies on Netflix Right Now - Netflix Tudum
Benchmarking CRuby, MJIT, YJIT, JRuby and TruffleRuby
JavaScript backend merged into GHC | IOG Engineering
ドント・ルック・アップを観る | Netflix (ネットフリックス) 公式サイト
Maestro: Netflix’s Workflow Orchestrator
January 2024 (version 1.86)
Go 1.19 Release Notes - The Go Programming Language
0.10.0 Release Notes ⚡ The Zig Programming Language
Shai Hulud Strikes Again (v2) - Socket
ザ・プレイリストを観る | Netflix (ネットフリックス) 公式サイト
浅草キッドを観る | Netflix (ネットフリックス) 公式サイト
Javaとの違いはどこにある? “Go言語らしさ”が表れる「構造体タグ」 | ログミーBusiness
THE DAYS | Netflix (ネットフリックス) 公式サイト
Netflix Tudum - Go behind the streams
イカゲームを観る | Netflix (ネットフリックス) 公式サイト
Go 1.19 Release Notes - The Go Programming Language
アーケイン | Netflix (ネットフリックス) 公式サイト
陰謀論のオシゴト | Netflix (ネットフリックス) 公式サイト
イベリン: 彼が生きた証を観る | Netflix (ネットフリックス) 公式サイト