Tecnología y otros placeres

Welcome to this small corner of the internet where I collect all the articles and publications I have written over these years, plus a few new things.

All posts

Oct 22, 2024

Celebrating the successful completion of the Express.js security audit conducted by Ada Logics and facilitated by OSTIF.

Oct 18, 2024

This guide walks through Common Vulnerabilities and Exposures (CVEs) with step-by-step examples of evaluating whether a CVE actually affects your project, followed by pragmatic strategies for mitigating it. Do not let CVE warnings go unnoticed: learn how to address them confidently and efficiently.
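The core of the "does this CVE affect my project" question is a version-range check against what is actually installed. The following is an added example, not code from the guide above: it compares installed versions against affected ranges expressed as introduced/fixed pairs (the shape used by OSV-style advisories). The advisory identifier, package name and install list are constructed for illustration and do not correspond to any real CVE.

```javascript
// Added example: decide whether an advisory's affected version ranges cover
// the versions actually installed in a project. The advisory and the install
// list are constructed; "example-http-lib" and "EXAMPLE-0001" are hypothetical.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Comparator (negative / zero / positive). A prerelease sorts below the
// matching release (1.2.3-beta < 1.2.3): a fix tagged 1.2.3 does not make
// 1.2.3-rc1 safe. Prerelease identifiers are compared lexically (simplified).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// An affected range is [introduced, fixed); a missing "fixed" means no patch yet.
function inAffectedRange(version, range) {
  if (compareVersions(version, range.introduced) < 0) return false;
  if (range.fixed && compareVersions(version, range.fixed) >= 0) return false;
  return true;
}

// Walk a flattened install list (name/version/dev, as you would reduce the
// output of `npm ls --all --json`) and report every affected instance.
function evaluateAdvisory(advisory, installed) {
  return installed
    .filter((pkg) => pkg.name === advisory.package)
    .filter((pkg) => advisory.ranges.some((r) => inAffectedRange(pkg.version, r)))
    .map((pkg) => ({
      name: pkg.name,
      version: pkg.version,
      // A dev-only dependency still deserves a fix, but it is usually not
      // reachable from production traffic, so it is triaged differently.
      exposure: pkg.dev ? 'dev-only' : 'runtime',
      upgradeTo: advisory.ranges.find((r) => inAffectedRange(pkg.version, r)).fixed
        || 'no fix published',
    }));
}

// Constructed advisory in the introduced/fixed shape used by OSV-style feeds.
const SAMPLE_ADVISORY = {
  id: 'EXAMPLE-0001',           // hypothetical identifier, not a real CVE
  package: 'example-http-lib',  // hypothetical package
  ranges: [
    { introduced: '1.0.0', fixed: '1.4.2' },
    { introduced: '2.0.0', fixed: '2.1.0' },
  ],
};

// Constructed install list: the same package pulled in at several versions.
const SAMPLE_INSTALL = [
  { name: 'example-http-lib', version: '1.4.1', dev: false },
  { name: 'example-http-lib', version: '1.4.2', dev: false },
  { name: 'example-http-lib', version: '2.1.0-rc.1', dev: true },
  { name: 'unrelated-lib', version: '0.9.0', dev: false },
];

console.table(evaluateAdvisory(SAMPLE_ADVISORY, SAMPLE_INSTALL));
```

Only the 1.4.1 instance and the 2.1.0-rc.1 prerelease are reported; 1.4.2 sits exactly at the fixed boundary and is clean. Version presence is necessary but not sufficient: the guide's point about evaluating impact still requires checking whether the vulnerable code path is reachable in your application.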

Oct 15, 2024

Sep 29, 2024

Security releases for Express, body-parser, send, serve-static, and path-to-regexp have been published. We recommend that all users upgrade as soon as possible.

Oct 27, 2023

In this POC we use a simple configuration file to enable or disable features based on the application version. It is a simple example of how to use feature flags and canary releases with Electron.

Sep 18, 2023

I authored the Node.js v20.7.0 official release notes.

Sep 4, 2023

I co-authored the Node.js v20.6.0 official release notes.

Aug 18, 2023

This repository contains a set of scripts to monitor the integrity of the Node.js binaries hosted on nodejs.org and iojs.org.

Aug 8, 2023

This project is a proof of concept to demonstrate how to optimize media content stored in Azure Blob Storage.

Aug 8, 2023

I contributed to this article for opensource.guides.

Aug 3, 2023

Proof of concept: how to use custom Debian/Ubuntu packages with Azure IoT Device Update.

Aug 1, 2023

This version of the tutorial is based on the original tutorial by Jesús Corrius, but has been updated to use .NET 7.0.

Aug 1, 2023

This POC continues Packaging a .NET Core Service for Ubuntu. Here I followed the guide Creating a private Debian package repository by Jesús Corrius.

Jul 6, 2023

This project creates a news feed using Node.js. It uses the GitHub API to fetch the relevant information from issues and releases, and then generates an RSS feed with the latest news.

Jul 3, 2023

Get Your JavaScript on Board: learn how to Dockerize your next IoT project with Johnny-Five.

Jun 18, 2023

Proof of concept project aimed at enabling the automatic synchronization of Markdown files with Confluence pages.

Mar 23, 2023

Create a GitHub Action that monitors the status of Jenkins and generates Markdown reports for your inventory. It also alerts you when nodes are not functioning properly.

Feb 6, 2023

Secure Your Secrets with Blackbox: A Guide to Using Blackbox in Your GitHub Actions Pipelines

Feb 6, 2023

This proof of concept uses some components from the Digital Twins Definition Language (DTDL) ontology for Smart Cities to build two simple products to illustrate the ontology's capabilities, including extensive testing to validate the model's integrity and evolution over time.

Feb 6, 2023

This proof of concept uses some components from the Digital Twins Definition Language (DTDL) to build and maintain a simple product.

Jan 24, 2023

This project is a proof of concept that demonstrates the potential of Azure IoT Hub for onboarding IoT devices to the cloud with minimal disruption to existing business logic, by separating communication with the cloud from the device's current business logic. It offers a simple and extensible out-of-the-box architecture with some basic features, using the official Azure IoT SDK for Node.js.

Jan 22, 2023

The OpenSSF Scorecard is a great tool for evaluating the security posture of your project, and we plan to adopt it in Node.js during 2023.

Jan 19, 2023

I created this POC to demonstrate the potential of combining JSON Schemas and Semantic Versioning (Semver) for Internet of Things (IoT) and Event-driven architectures.

Nov 21, 2022

I created this POC to showcase how to visualize the Node.js machine inventory and run a cyclical ping to collect network metrics, in a fully dockerized environment with a fancy dashboard.

Nov 21, 2022

I co-authored this document. It was created to provide context on what will and will not be considered a vulnerability in Node.js, targeting security researchers, and to serve as a guide for application security operations supporting development teams building on top of the Node.js platform.

Oct 27, 2022

I co-authored this guide. It intends to extend the current threat model and provide extensive guidelines on how to secure a Node.js application.

Jul 27, 2020

I created this POC to showcase how to use Docker, k6, Grafana and Node.js to load test API endpoints with fake data and authentication.

Apr 8, 2020

To be very clear: this header does not protect you much from XSS attacks. It protects against one very particular kind of XSS, and other mitigation measures are far better.

Apr 8, 2020

The attack focuses on user input, such as crafted URLs carrying a malicious payload.

Apr 8, 2020

The classic "Billion Laughs" attack, explained.
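The Billion Laughs payload is small on the wire and enormous once the parser expands its nested entities, so the defence is to bound the expansion before parsing. The following is an added example for this page, not code from the post: it reads internal `<!ENTITY>` declarations, computes the expanded size of every entity referenced in the body (memoised, with cycle detection) and rejects the document when it exceeds a byte budget. The payload and the benign document are constructed inline; external (`SYSTEM`) entities are out of scope here.

```javascript
// Added example (not from the original post): estimate internal-entity
// expansion of an XML document before handing it to a parser. Sample
// documents are constructed inline.

const ENTITY_DECL = /<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>/g; // internal entities only
const ENTITY_REF = /&(\w+);/g;

// Collect <!ENTITY name "value"> declarations from the internal subset.
function collectEntities(xml) {
  const entities = new Map();
  for (const m of xml.matchAll(ENTITY_DECL)) entities.set(m[1], m[2]);
  return entities;
}

// Expanded byte length of one entity, memoised. A reference to an undeclared
// entity counts as its literal text. A cycle is an error: a compliant parser
// must reject it, and an estimator would otherwise loop forever.
function expandedLength(name, entities, memo = new Map(), stack = new Set()) {
  if (memo.has(name)) return memo.get(name);
  if (stack.has(name)) throw new Error(`recursive entity: ${name}`);
  const value = entities.get(name);
  if (value === undefined) return `&${name};`.length;
  stack.add(name);
  let total = 0, last = 0;
  for (const ref of value.matchAll(ENTITY_REF)) {
    total += ref.index - last;                          // literal text before the ref
    total += expandedLength(ref[1], entities, memo, stack);
    last = ref.index + ref[0].length;
  }
  total += value.length - last;                         // trailing literal text
  stack.delete(name);
  memo.set(name, total);
  return total;
}

// Total growth if every entity referenced in the body were expanded, plus a
// verdict against a byte budget (1 MiB here; tune per application).
function assessEntityExpansion(xml, budget = 1 << 20) {
  const entities = collectEntities(xml);
  const memo = new Map();
  const body = xml.replace(/<!DOCTYPE[\s\S]*?\]>/, '');  // drop the internal subset
  let expanded = 0;
  for (const ref of body.matchAll(ENTITY_REF)) {
    expanded += expandedLength(ref[1], entities, memo);
  }
  return { entities: entities.size, expandedBytes: expanded, accept: expanded <= budget };
}

// Constructed Billion Laughs document: lol9 expands to 10^9 copies of "lol".
const lolLines = ['<!ENTITY lol "lol">'];
for (let i = 1; i <= 9; i++) {
  const prev = i === 1 ? 'lol' : `lol${i - 1}`;
  lolLines.push(`<!ENTITY lol${i} "${`&${prev};`.repeat(10)}">`);
}
const BILLION_LAUGHS =
  `<?xml version="1.0"?>\n<!DOCTYPE lolz [\n${lolLines.join('\n')}\n]>\n<lolz>&lol9;</lolz>`;

// Constructed benign document with one small entity used twice.
const BENIGN =
  `<?xml version="1.0"?>\n<!DOCTYPE d [<!ENTITY co "Example Corp">]>\n<d>&co; &co;</d>`;

console.log(assessEntityExpansion(BILLION_LAUGHS));  // ~3 GB expansion, rejected
console.log(assessEntityExpansion(BENIGN));          // 24 bytes, accepted
```

Whatever parser you then use should also have entity expansion disabled or capped; this pre-check exists so that a hostile document never reaches the expensive path.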

Apr 8, 2020

The Referer HTTP header is typically set by web browsers to tell a server where it’s coming from. For example, if you click a link on example.com/index.html that takes you to wikipedia.org, Wikipedia’s servers will see Referer: example.com.

Apr 8, 2020

It is a technical attack that requires a good understanding of JS internals such as `__proto__`, `prototype`, and deep versus shallow copying.
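The mechanism is easiest to see in a recursive merge. Below is an added example written for this page, not code from the post: the unsafe merge pattern that lets a JSON key literally named `__proto__` write onto `Object.prototype`, beside a hardened version that skips prototype-reaching keys and merges into null-prototype objects. The payload is constructed; it is the shape an attacker posts to any endpoint that deep-merges user input.

```javascript
// Added example (not from the original post): prototype pollution through a
// recursive merge, and a hardened merge. The payload is constructed.

// Vulnerable: descends into whatever key the input names, including
// "__proto__", so the recursion ends up assigning onto Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: skips keys that reach the prototype chain, recurses only into
// own plain-object properties, and creates null-prototype containers so even
// a missed key has no Object.prototype above it to climb to.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== 'object' || target[key] === null) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// JSON.parse yields an OWN property named "__proto__" (unlike an object
// literal); Object.keys then exposes it to the merge.
const PAYLOAD_JSON = '{"name":"x","__proto__":{"isAdmin":true}}';

// Merge the payload into an empty object, then check whether an unrelated
// object created afterwards inherited the attacker's property.
function demonstrate(mergeFn) {
  mergeFn({}, JSON.parse(PAYLOAD_JSON));
  const bystander = {};
  const polluted = bystander.isAdmin === true;
  delete Object.prototype.isAdmin;   // clean up so runs are independent
  return polluted;
}

console.log('unsafeMerge polluted Object.prototype:', demonstrate(unsafeMerge)); // true
console.log('safeMerge polluted Object.prototype:', demonstrate(safeMerge));     // false
```

In a real application the bystander is every object in the process, which is why a polluted `isAdmin`, `shell` or `NODE_OPTIONS`-style property can flip authorization checks or feed later command execution.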

Apr 8, 2020

Adobe Flash and Adobe Acrobat can load content from your domain even from other sites (in other words, cross-domain).

Apr 8, 2020

This attack is very specific to the Node.js ecosystem and was discovered in 2019 by Liran Tal.

Apr 8, 2020

By default, old versions of Internet Explorer will open those HTML files in the context of your site, which means an untrusted HTML page could start doing bad things in the context of your pages.

Apr 8, 2020

Because we are not forcing HTTPS traffic to keep using HTTPS, users can access our site over plain HTTP.

Apr 8, 2020

There are some corner cases that the HTTP specification does not cover, such as HTTP Parameter Pollution or HTTP.
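Parameter pollution works because every layer is free to pick a different copy of a repeated parameter. As an added example (not code from the post), the block below shows how Node.js surfaces duplicates and a strict accessor that refuses them; the sample URLs are constructed.

```javascript
// Added example (not from the original post): duplicated query parameters in
// Node.js and a strict accessor. Sample URLs are constructed.

// Node exposes duplicates faithfully. The risk is application code that calls
// get() and silently takes the first value while another component (a WAF, a
// proxy, a downstream service) honours the last one.
function describeParam(rawUrl, name) {
  const params = new URL(rawUrl, 'http://localhost').searchParams;
  return { first: params.get(name), all: params.getAll(name) };
}

// Strict read: exactly one value or an error, so there is no ambiguity for
// an attacker to exploit by choosing which copy each component sees.
function getSingleParam(rawUrl, name) {
  const values = new URL(rawUrl, 'http://localhost').searchParams.getAll(name);
  if (values.length === 0) return undefined;
  if (values.length > 1) {
    throw new Error(`parameter pollution: "${name}" given ${values.length} times`);
  }
  return values[0];
}

console.log(describeParam('/transfer?to=alice&to=mallory', 'to'));
console.log(getSingleParam('/transfer?to=alice', 'to'));
```

With Express's default query parser the repeated key arrives as an array in `req.query`, so code that assumes a string (`to.startsWith(...)`, SQL parameter binding) also needs the same exactly-one check.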

Apr 8, 2020

If Express is part of your stack, I highly recommend extending the HTTP header definitions with the Helmet middleware.

Apr 8, 2020

As an example, Shodan queries show almost one million servers with the X-Powered-By: Express header active.

Apr 8, 2020

The X-Frame-Options header tells browsers to prevent your webpage from being put in an iframe. When browsers load iframes, they’ll check the value of the X-Frame-Options header and abort loading if it’s not allowed.

Apr 8, 2020

Web browsers have lots of different features, from vibration to fullscreen to microphone access. While some of these can be useful, you may not wish to use all of them, and you may not want any third-party scripts you include to use them either.

Apr 8, 2020

Expect-CT is an HTTP header that allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed. Note that the header has since been deprecated: Chrome has required Certificate Transparency for newly issued certificates since 2018, so Expect-CT no longer adds anything.

Apr 8, 2020

In the past the ETag was sometimes misconfigured by default to be built from file metadata such as inode numbers rather than from a hash, as in CVE-2003-1418, which leads to information leaks.

Apr 8, 2020

This MIME sniffing can be an attack vector. A user could upload an image with the .jpg file extension but its contents are actually HTML.

Apr 8, 2020

Browsers can start these DNS requests before the user even clicks a link or loads a resource from somewhere. This improves performance when the user clicks the link, but has privacy implications for users.

Apr 8, 2020

This attack can be mitigated by using a different, per-session token in each request. In Node.js the csurf library was the usual recommendation at the time; it has since been deprecated by its maintainers, so choose an actively maintained alternative.

Apr 8, 2020

Most modern browsers support a header called `Content-Security-Policy`, which is effectively a whitelist of things allowed to be on your page. You can whitelist JavaScript, CSS, images, plugins, and much more. Things are opt-in, so you are saying "this stuff is allowed" instead of "this stuff is not allowed".

Apr 8, 2020

Cross-origin resource sharing (CORS) is a browser mechanism that enables controlled access to resources located outside a given origin.
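The usual CORS mistake is to reflect whatever `Origin` arrives, together with `Access-Control-Allow-Credentials: true`, which lets any site read authenticated responses. As an added example for this page (not code from the post), the block below computes CORS response headers from an explicit origin allowlist and answers preflights; the allowlist and the request objects are constructed.

```javascript
// Added example (not from the original post): CORS headers from an explicit
// allowlist. Allowed origins, methods and sample requests are constructed.

const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.example']);
const ALLOWED_METHODS = ['GET', 'POST'];
const ALLOWED_HEADERS = ['Content-Type', 'Authorization'];

// Returns the headers to add (possibly none) and whether this is a preflight
// that should be answered immediately with 204 and no body.
function corsHeaders(req) {
  const origin = req.headers.origin;
  const headers = {};
  // No Origin header: same-origin or non-browser client, nothing to add.
  // Unknown Origin, including the literal "null" sent by sandboxed iframes
  // and file:// pages: add nothing and the browser blocks the read.
  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) {
    return { headers, preflight: false };
  }
  headers['Access-Control-Allow-Origin'] = origin;  // exact allowlisted value, never "*"
  headers['Access-Control-Allow-Credentials'] = 'true';
  headers['Vary'] = 'Origin';                       // caches must key on Origin
  const isPreflight = req.method === 'OPTIONS' &&
    req.headers['access-control-request-method'] !== undefined;
  if (isPreflight) {
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600';
  }
  return { headers, preflight: isPreflight };
}

console.log(corsHeaders({ method: 'GET', headers: { origin: 'https://app.example' } }));
console.log(corsHeaders({ method: 'GET', headers: { origin: 'https://evil.example' } }));
```

Two points worth keeping: `Vary: Origin` is mandatory once the allowed origin varies per request, or a shared cache can hand one origin's response to another; and `*` can never be combined with credentials, so an allowlist is the only way to serve authenticated cross-origin requests.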

Apr 8, 2020

In Node.js there was a bug in the Buffer core library, reported in 2016, that has already been fixed.

Mar 19, 2020

A backdoor in our code that can perform OS command injection is one of the scariest scenarios imaginable. npm currently hosts more than 1.2 million public packages, and over the last three years our dependencies have become the perfect target for cybercriminals.

Feb 17, 2020

I created this POC to showcase how to do a database migration using Docker, MongoDB, testing...

Feb 6, 2020

A new Node.js security release was published earlier today, 6th of February, 2020 which fixes one Critical severity and two High severity issues. This release also includes stricter HTTP parsing.

Jul 16, 2019

I created this POC to showcase how to use Localstack with Node.js and Terraform

Apr 24, 2017

A short reflection on the challenges we face as craftspeople working in the Node.js and JavaScript ecosystem when dealing with asynchrony.

Feb 26, 2017

Why is it so hard to recruit developers? And above all, why do we fail to retain that talent in our companies?

Oct 25, 2015

Let's use Firebase and Arduino to follow the Bitcoin price in real time!

Oct 18, 2015

How to build a binary-coded decimal clock using JavaScript, Arduino, an LCD screen and an LED matrix.

Jun 21, 2015

An extended version of the classic rock, paper, scissors built with Arduino, following the steps of the series The Big Bang Theory.

May 17, 2015

Let's connect the EduBasica Shield to Node.js to learn electronics and robotics the easy way.

Mar 22, 2015

Although Google Cardboard is great, I always thought a DIY alternative made of fabric and recycled plastic would be more interesting.

Jan 26, 2015

Time to dust off our Raspberry Pis and put a bot into Google Hangouts to make our lives easier.
