Research

Gravitational engaged Doyensec to perform an in-depth security assessment of the Teleport and Gravity enteprise products. Quoting Gravitational's engineers: "This year, we had an opportunity to work with Doyensec, which provided the most thorough independent analysis of Gravity and Teleport to date."

Download the Teleport testing deliverable PDF file: Doyensec_Gravitational_Teleport_Report_Q22019_WithRetesting.pdf
Download the Gravity testing deliverable PDF file: Doyensec_Gravitational_Gravity_Report_Q22019_WithRetesting.pdf

Download the deliverable PDF file: Doyensec_SoloKeys_TestingReport_Q12020_v3.pdf

SoloKeys engaged Doyensec to perform a security assessment of the SoloKeys software components. The project commenced on January 20, 2020, and ended on January 31, 2020, requiring one security researcher. The audit resulted in three (3) findings of which one (1) was rated as high severity.

The final deliverable, Proof-of-Concept exploits and our instrumentation for AFL fuzzing have been publicly released.

Download the presentation PDF file: Villamil-Modern-Web-Security-Assertions.pdf

Modern web security is a mix of relatively recent frameworks, methods, languages, and abstractions. The age of injection bugs has come and gone. We are firmly in the age of assertions. This age is widely defined by business logic flaws. On a deeper level this age is governed by the security auditor's skill in creating and breaking assertions in the target. Assertions come from any source and they represent statements of security or functionality made by the target.

We'll talk about our experience auditing modern web applications over the last three years. We'll talk about the current state of web application security, how its evolved, and where its going. We give examples of assertions (big and small) created and broken during various security audits and the value this brought to the customer. Our goal is to introduce the age of assertions into the zeitgeist and provide auditors a more refined way of thinking beyond injection bugs.

Download the presentation PDF file: Covalence-2020-Carettoni-DemocratizingElectronSecurity.pdf

We love Electron.js so much, that we break it. Since 2017, we have audited dozens of Electron-based applications and witnessed a remarkable commitment to security. Back then, breaking the framework’s security mechanisms wasn’t too difficult. Fast forward to 2020, Electron.js is getting better, secure-by-default settings are slowly becoming the norm, vulnerability disclosure is handled with consolidated practices, and the dev community is gradually learning all common pitfalls.

It is better, but there is still a long road ahead. Responsibilities must be equally shared between core contributors and application developers. While the most effective way to bring security capabilities to everyone is to have them built into the framework, it is also important to have a community that considers security as a core value. Closing the web-native desktop gap is not trivial as we have to balance security with usability and framework flexibility.

In this talk we want to celebrate the progress made and discuss the technical challenges that both Electron.js maintainers and application developers are facing when building secure desktop applications. We will show common vulnerabilities and misconfigurations, discuss root causes and provide practical tips on how to mitigate existing attacks. If you care about Electron.js security, this talk is for you!

Download the presentation PDF file: Electronegativity_ArsenalBHUS2019.pdf

Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.

This is the first and only tool capable of detecting potential weaknesses and implementation bugs when developing applications using Electron, as recommended in the official security guidelines of the Electron project. Software developers and security auditors can use this tool to create secure desktop applications using web technologies.

After being first introduced at Black Hat US 2017 (Electronegativity - A Study of Electron Security) and featured at Black Hat Asia 2019 (Preloading Insecurity In Your Electron), the tool was showcased for the first time ever at the Black Hat USA 2019 Arsenal where we demonstrated its potential by scanning well-known applications.

Download the presentation PDF file: Asia-19-Carettoni-Preloading-Insecurity-In-Your-Electron.pdf

Modern browsers are complicated systems. They enforce numerous security mechanisms to ensure isolation between sites, facilitate web security protections and preventing untrusted remote content to compromise the security of the host. When working with Electron (https://electronjs.org/), things get even more complicated.

The good news is that building secure Electron-based desktop applications is possible. Despite popular belief, the average Electron-based app is more secure than the average web application. The framework itself is getting better, secure-by-default settings are slowly becoming the norm and the dev community is gradually learning all common pitfalls.

It's time to shift gears. In this presentation, we will discuss a relatively unexplored class of vulnerabilities that can turn a boring XSS into RCE. Even without a framework bug (e.g. nodeIntegration bypass), BrowserWindow preload introduces a new interesting attack surface to Electron-based applications.

Abusing Electron's internal IPC, loggers and other application components we will show how we can turn a Cross-Site Scripting vulnerability into a reliable exploitation mechanism to fully compromise popular desktop applications.

Download the presentation PDF file: A-Drone-Tale-by-Paolo-Stagno-SEC-T.pdf

Drones have increased their field of application and are actively used across various industries (law enforcement and first responders, utility companies, governments and universities) to perform critical operations on a daily basis. As a result of that, security has also become a crucial aspect when operating remote-controlled pilotless aircrafts. This talk provides a comprehensive overview of the security model and security issues affecting a popular consumer drone product: the DJI Phantom 3.

Download the presentation PDF file: us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf

Despite all predictions, native Desktop apps are back. After years porting stand-alone apps to the web, we are witnessing an inverse trend. Many companies have started providing native desktop apps built using the same technologies as their web counterparts. In this trend, Github's Electron has become a popular framework to build cross-platform desktop apps with JavaScript, HTML, and CSS. While it seems to be easy, embedding a webapp in a self-contained web environment (Chromium, Node.Js) introduces new security challenges. In this presentation, we will illustrate Electron's security model and describe current isolation mechanisms to prevent untrusted content from using Node.js primitives. Electron's IPC messaging, preloading and other internals will be comprehensively discussed. BrowserWindow and WebView security-relevant options will be also analyzed, together with design-level weaknesses and implementation bugs in Electron.

Download the whitepaper PDF file: us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf

This document introduces a checklist of security anti-patterns and must-have features to illustrate misconfigurations and vulnerabilities in Electron-based applications. Software developers and security auditors can benefit from this document as it provides a concise, yet comprehensive, summary of potential weaknesses and implementation bugs when developing applications using Electron.

Download the presentation PDF file: Application_Security_Recipes_for_Fast-Paced_Environments.pdf

Ensuring the security of web applications in continuous delivery environments is an open challenge for many organizations. In fast-paced environments (e.g. startups, agile SDLC shops, etc.), traditional application security practices can slow continuous delivery or simply not address security at all. Instead, a new approach based on security automation and tactical security testing is required to make sure that important components are tested before going live. In this presentation, I will illustrate a few examples on how Silicon Valley-based startups approach security testing while seeking the perfect balance between compliance, security and business productivity.