Doyensec :: Build with Security

Publication

deliverable

04/12/2021

Security Auditing of Teleport (Q4 2020)

04/12/2021

GoTeleport engaged Doyensec to perform an in-depth security assessment of the Teleport product. The full technical deliverable for this engagement is now available.

Download the Teleport testing deliverable: teleport-audit-q4-2020.pdf

Code

regexploit

03/11/2021

Regexploit

03/11/2021

Regexploit - a tool to find regular expressions which are vulnerable to ReDoS. Many default regular expression parsers have unbounded worst-case complexity. Regex matching may be quick when presented with a matching input string. However, certain non-matching input strings can make the regular expression matcher go into crazy backtracking loops and take ages to process. This can cause denial of service, as the CPU will be stuck trying to match the regex.

This tool is designed to:
• find regular expressions which are vulnerable to ReDoS
• give an example malicious string which will cause catastrophic backtracking

Download the latest release from Regexploit's Github releases page

Blog

post

03/11/2021

Regexploit: DoS-able Regular Expressions

03/11/2021

In this blog post, we’re releasing a new tool to analyse regular expressions and hunt for ReDoS vulnerabilities. Our heuristic has been proven to be extremely effective, as demonstrated by many vulnerabilities discovered across popular NPM, Python and Ruby dependencies.

Read the full story on our blog: https://blog.doyensec.com/2021/03/11/regexploit.html

Advisory

CVE-2021-xxxx

03/11/2021

Regular Expression Denial of Service (ReDoS) in various open-source packages

03/11/2021

During our research on ReDoS, Doyensec reported several vulnerabilities:

• CVE-2020-5243: uap-core affecting uap-python, uap-ruby, etc. (User-Agent header parsing)
• CVE-2020-8492: cpython’s urllib.request (WWW-Authenticate header parsing)
• CVE-2021-21236: CairoSVG (SVG parsing)
• CVE-2021-21240: httplib2 (WWW-Authenticate header parsing)
• CVE-2021-25292: python-pillow (PDF parsing)
• CVE-2021-26813: python-markdown2 (Markdown parsing)
• CVE-2021-27290: npm/ssri (SRI parsing)
• CVE-2021-27291: pygments lexers for ADL, CADL, Ceylon, Evoque, Factor, Logos, Matlab, Octave, ODIN, Scilab & Varnish VCL (Syntax highlighting)
• CVE-2021-27292: ua-parser-js (User-Agent header parsing)
• CVE-2021-27293: RestSharp (JSON deserialisation in a .NET C# package)
• bpo-38804: cpython’s http.cookiejar (Set-Cookie header parsing)
• SimpleCrawler (archived) (HTML parsing)
• Plus many more unpublished bugs in a handful of pypi, npm, ruby and nuget packages. We will update this list on Regexploit's Github page.

Blog

post

02/16/2021

Electron APIs Misuse: An Attacker’s First Choice

02/16/2021

ElectronJs is getting more secure every day. Context isolation and other security settings are planned to become enabled by default with the upcoming release of Electron 12 stable, seemingly ending the somewhat deserved reputation of a systemically insecure framework.

From an attacker’s perspective, Electron-specific APIs are very often the easiest path to gain remote code execution, read or write access to the host’s filesystem, or leak sensitive user’s data. Malicious JavaScript running in the renderer can often subvert the application using such primitives.

Read the full story on our blog: https://blog.doyensec.com/2021/02/16/electron-apis-misuse.html

Advisory

CVE-2021-21288

02/15/2021

Server-Side Request Forgery (SSRF) Vulnerability in CarrierWave's Remote File Upload Feature

02/15/2021

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files for Rails, Sinatra and other Ruby-based web frameworks. In CarrierWave before versions 1.3.2 and 2.1.1 the download feature has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infrastructure of the platform. This vulnerability was fixed in versions 1.3.2 and 2.1.1.

Link to the public Github Advisory: GHSA-fwcm-636p-68r5

Advisory

CVE-2021-3377

02/01/2021

Cross-Site Scripting (XSS) in ansi_up v4

02/01/2021

The npm package ansi_up converts ANSI escape codes (used by terminal emulators to, for example, set text color) into HTML. Since ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, extra HTML attributes and javascript code can be injected into the returned HTML. This can be used in a Cross-Site Scripting (XSS) attack. This vulnerability was fixed in v5.0.0.

Download the advisory PDF file: Doyensec_Advisory_ansi_up4_XSS.pdf

Advisory

CVE-2020-24025

01/11/2021

node-sass Missing Certificate Validation Vulnerability

01/11/2021

During a customer engagement, Doyensec discovered a Certificate Validation vulnerability affecting the node-sass package, used for the Node.js bindings to libsass. Because of an optional flag misconfiguration, libsass binaries fetched from the official github.com CDN may be tampered in-transit. Versions 2.0.0 to 4.14.1 are affected.

Blog

post

12/10/2020

Novel Abuses On Wi-Fi Direct Mobile File Transfers

12/10/2020

Doyensec researched mobile P2P Wi-Fi protocols and their obscure file-sharing implementations. As a result, an overlooked problem common to every Android vendor-provided solution was identified.

Read the full story on our blog: https://blog.doyensec.com/2020/12/10/novel-abuses-wifi-direct-mobile-file-transfers.html

Blog

post

11/19/2020

InQL Scanner v3 Release

11/19/2020

A new major release of InQL, our GraphQL security testing tool, is out! This release includes a Cycles Detector, Request Timer, Precise Query Generation and many bug fixes.

Blog

post

09/09/2020

Fuzzing JavaScript Engines with Fuzzilli

09/09/2020

As part of our fuzzing initiatives, we worked on a few techniques to target popular JavaScript engines (JSE). Our research resulted in a contribution to the well known fuzzer "Fuzzilli". By integrating Fuzzilli with JerryScript, Doyensec was able to identify multiple security vulnerabilities over the course of just four weeks.

Read more on our latest blog post: https://blog.doyensec.com/2020/09/09/fuzzilli-jerryscript.html

Blog

post

08/20/2020

CSRF Protection Bypass in Play Framework

08/20/2020

This blog post illustrates a vulnerability affecting the Play Framework that we discovered during a client engagement. This issue allows a complete Cross-Site Request Forgery (CSRF) protection bypass under specific configurations.

Advisory

CVE-2020-12480

08/10/2020

Play Framework below 2.8.2/2.7.5 CSRF Protection Bypass

08/10/2020

During a customer engagement, Doyensec discovered a CSRF Protection Bypass vulnerability affecting the Play Framework. If a black list is used, the result is that a malicious user may be able to perform a CSRF attack on the Play application.

Publication

resource

06/17/2020

Awesome Electron.js hacking & pentesting resources

06/17/2020

A frequently-updated repository with presentations, bug write-ups, and all kinds of content to help during Electron security testing and hacking.

You can find it over at doyensec/awesome-electronjs-hacking.

Blog

post

06/11/2020

InQL Scanner v2 is out!

06/11/2020

A new version of InQL, our GraphQL security testing tool, is out! This release includes a new stand-alone UI, which integrates an embedded GraphiQL server and many other features.

Blog

post

05/14/2020

Fuzzing TLS Certificates From Their ASN.1 Grammar

05/14/2020

We are building a flexible ASN.1 grammar-based fuzzer for testing TLS certificate parsers. In this blog post, we introduce our research and provide references for security practitioners that are interested in the topic.

Find more details at https://blog.doyensec.com/2020/05/14/asn1fuzz.html

Blog

post

04/30/2020

Researching Polymorphic Images for XSS on Google Scholar

04/30/2020

Google Scholar was found to be vulnerable to multiple stored XSS using an exotic technique involving polymorphic images. In this blog post, we explain the bug found and all the possible ways to create and leverage polymorphic images for XSS through a survey of how popular image manipulation libraries in web apps behave when presented with a polymorphic image.

Find more details at https://blog.doyensec.com/2020/04/30/polymorphic-images-for-xss.html

Publication

slides

04/23/2020

InQL: GraphQL security testing made easy!
GitHub Security Virtual Meetup (April 23, 2020)

04/23/2020

Download the presentation PDF file: Doyensec_InQL_AB_Github.pdf

Given the rising popularity of GraphQL in web applications, Andrea Brancaleoni presented a turbo-talk on GraphQL security and the use of InQL to augment manual security testing.

Blog

post

04/08/2020

LibreSSL and OSS-Fuzz

04/08/2020

A different pick on bounty programs. Discover how to participate in securing free and open source software, while leveraging your blue team skills. In one of our early research projects we ported libressl to OSS-fuzz, a Google sponsored fuzzer infrastructure for open source projects.

Find more details at https://blog.doyensec.com/2020/04/08/libressl-fuzzer.html

Advisory

CVE-2020-5284

03/27/2020

Next.JS below 9.3.2 Path Traversal

03/27/2020

During a customer engagement, Doyensec discovered a path traversal vulnerability affecting the Next.js framework. Attackers could craft special requests to access files in the dist directory (.next), leading to the disclosure of source code and application's secrets. This issue affects Next.js below 9.3.2, when executed using next start

Release note: https://github.com/zeit/next.js/releases/tag/v9.3.2

Code

InQL

03/26/2020

A Burp Extension for GraphQL Security Testing

03/26/2020

InQL Scanner is security testing tool to facilitate GraphQL technology security auditing efforts. The tool can be used as a stand-alone script, or as a Burp Suite extension.

Download the latest release from InQL's Github releases page

Blog

post

03/16/2020

Don't Clone That Repo: Visual Studio Code^2 Execution

03/16/2020

Doyensec discovered a Code Execution vulnerability in Microsoft Visual Studio Code Python Extension (16.5M+ installations at the time of writing).

Find more details and the Proof of Concept in our blogpost: https://blog.doyensec.com/2020/03/16/vscode_codeexec.html

Advisory

CVE-2019-17636

03/10/2020

Eclipse Theia Arbitrary File Read

03/10/2020

In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs.com. This extension, for its own needs, exposes a HTTP endpoint that allows to read the content of files on the host's filesystem, given their path, without restrictions on the requester's origin. This design is vulnerable to being exploited remotely through a DNS rebinding attack or a drive-by download of a carefully crafted exploit.

Original Theia Bug Tracker issue: https://bugs.eclipse.org/bugs/show_bug.cgi?id=551747
PR of the fix: https://github.com/eclipse-theia/theia/pull/7205

Advisory

CVE-2020-9402

03/04/2020

Django SQL Injection Via Tolerance Parameter in GIS Functions and Aggregates

03/04/2020

During a targeted security research effort on the Django Framework, Doyensec discovered that GIS functions and aggregates on Oracle were subject to a SQL injection, using a suitably crafted tolerance parameter.

Publication

deliverable

03/02/2020

Security Auditing of Gravitational's Teleport and Gravity

03/02/2020

Gravitational engaged Doyensec to perform an in-depth security assessment of the Teleport and Gravity enteprise products. Quoting Gravitational's engineers: "This year, we had an opportunity to work with Doyensec, which provided the most thorough independent analysis of Gravity and Teleport to date."

Download the Teleport testing deliverable PDF file: Doyensec_Gravitational_Teleport_Report_Q22019_WithRetesting.pdf
Download the Gravity testing deliverable PDF file: Doyensec_Gravitational_Gravity_Report_Q22019_WithRetesting.pdf

Blog

post

02/24/2020

Signature Validation Bypass Leading to RCE In Electron-Updater

02/24/2020

This blog post illustrates a vulnerability we discovered in the popular electron-builder package: a signature validation bypass in the auto-update mechanism could be abused to push malicious updates and execute arbitrary code on the victims' machine. In this blog post, we explain the details of the vulnerability and demonstrate why such fail-open designs are inherently dangerous for security.

Link: https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypass.html

Code

burp-rest-api

02/24/2020

burp-rest-api

05/11/2018

burp-rest-api is a REST/JSON API to the Burp Suite security tool. Since the first commit back in 2016, burp-rest-api has been the default tool for BurpSuite-powered web scanning automation. Many security professionals and organizations have relied on this extension to orchestrate the work of Burp Spider and Scanner. Starting in June 2018, Doyensec joined VMware in the development and support of the growing burp-rest-api community.

Download the source and binary from burp-rest-api's Github page

Code

electronegativity

01/24/2019

Electronegativity

01/24/2019

Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications. Electronegativity is the first-of-its-kind tool that helps software developers and security auditors to detect and mitigate potential weaknesses in Electron applications; it is now the baseline for every Electron app’s security review for many professionals and organizations.

Download the source and binary from electronegativity's Github page

Code

hopper theme

08/08/2017

Hopper Disassembler Doyensec Theme

08/08/2017

Doyensec theme for the Hopper Disassembler - chill and functional for long RE nights.

Download Doyensec.hopperTheme and import the file through the Preferences menu.

Code

training

02/02/2017

Developing Burp Suite Extensions: Training Material

02/02/2017

We have open-sourced the repository containing the templates and code for the training "Developing Burp Suite Extensions - From Manual Testing to Security Automation".

The repository is accessible at https://github.com/doyensec/burpdeveltraining

Publication

deliverable

02/19/2020

Security Auditing of the Solo Firmware

02/19/2020

Download the deliverable PDF file: Doyensec_SoloKeys_TestingReport_Q12020_v3.pdf

SoloKeys engaged Doyensec to perform a security assessment of the SoloKeys software components. The project commenced on January 20, 2020, and ended on January 31, 2020, requiring one security researcher. The audit resulted in three (3) findings of which one (1) was rated as high severity.

The final deliverable, Proof-of-Concept exploits and our instrumentation for AFL fuzzing have been publicly released.

Blog

post

02/03/2020

Heap Overflow in F-Secure Internet Gatekeeper

02/03/2020

This blog post illustrates a vulnerability we discovered in the F-Secure Internet Gatekeeper application. It shows how a simple mistake can lead to an exploitable unauthenticated remote code execution vulnerability.

Link: https://blog.doyensec.com/2020/02/03/heap-exploit.html

Publication

slides

01/24/2020

Modern Web Security: The Art of Creating and Breaking Assertions
AppSec California 2020 (Santa Monica)

01/24/2020

Download the presentation PDF file: Villamil-Modern-Web-Security-Assertions.pdf

Modern web security is a mix of relatively recent frameworks, methods, languages, and abstractions. The age of injection bugs has come and gone. We are firmly in the age of assertions. This age is widely defined by business logic flaws. On a deeper level this age is governed by the security auditor's skill in creating and breaking assertions in the target. Assertions come from any source and they represent statements of security or functionality made by the target.

We'll talk about our experience auditing modern web applications over the last three years. We'll talk about the current state of web application security, how its evolved, and where its going. We give examples of assertions (big and small) created and broken during various security audits and the value this brought to the customer. Our goal is to introduce the age of assertions into the zeitgeist and provide auditors a more refined way of thinking beyond injection bugs.

Publication

slides

01/24/2020

Democratizing Electron.js Security
Covalence 2020 (San Francisco)

01/24/2020

Download the presentation PDF file: Covalence-2020-Carettoni-DemocratizingElectronSecurity.pdf

We love Electron.js so much, that we break it. Since 2017, we have audited dozens of Electron-based applications and witnessed a remarkable commitment to security. Back then, breaking the framework’s security mechanisms wasn’t too difficult. Fast forward to 2020, Electron.js is getting better, secure-by-default settings are slowly becoming the norm, vulnerability disclosure is handled with consolidated practices, and the dev community is gradually learning all common pitfalls.

It is better, but there is still a long road ahead. Responsibilities must be equally shared between core contributors and application developers. While the most effective way to bring security capabilities to everyone is to have them built into the framework, it is also important to have a community that considers security as a core value. Closing the web-native desktop gap is not trivial as we have to balance security with usability and framework flexibility.

In this talk we want to celebrate the progress made and discuss the technical challenges that both Electron.js maintainers and application developers are facing when building secure desktop applications. We will show common vulnerabilities and misconfigurations, discuss root causes and provide practical tips on how to mitigate existing attacks. If you care about Electron.js security, this talk is for you!

Advisory

cve-2019-xxxx

08/13/2019

Matomo - Cookie Signature Bypass Through PHP Type Confusion

08/13/2019

The "Cookie" handling class, responsible for validating the signature of a cookie value through the "extractSignedContent" function, is vulnerable to PHP Type Confusion.

Matomo Github's PR: https://github.com/matomo-org/matomo/pull/14760

Blog

post

08/22/2019

Modern Android Password Managers and FLAG_SECURE Misuse

08/22/2019

Doyensec discovered that an old Android vulnerability involving the `FLAG_SECURE` setting still affected popular mobile password managers for Android (1Password, Keeper, Dashlane, et al).

The article showcases the vulnerabilities found and explains the common underlying problem.

Link: https://blog.doyensec.com/2019/08/22/modern-password-managers-flag-secure.html

Publication

slides

08/07/2019

Electronegativity: Identify Misconfigurations and Security Anti-Patterns in Electron Applications

08/07/2019

Download the presentation PDF file: Electronegativity_ArsenalBHUS2019.pdf

Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.

This is the first and only tool capable of detecting potential weaknesses and implementation bugs when developing applications using Electron, as recommended in the official security guidelines of the Electron project. Software developers and security auditors can use this tool to create secure desktop applications using web technologies.

After being first introduced at Black Hat US 2017 (Electronegativity - A Study of Electron Security) and featured at Black Hat Asia 2019 (Preloading Insecurity In Your Electron), the tool was showcased for the first time ever at the Black Hat USA 2019 Arsenal where we demonstrated its potential by scanning well-known applications.

Blog

post

08/01/2019

Lessons in auditing cryptocurrency wallets, systems, and infrastructures

08/01/2019

In the past three years, Doyensec has been providing security testing services for some of the global brands in the cryptocurrency world. We have audited desktop and mobile wallets, exchanges web interfaces, custody systems, and backbone infrastructure components.

We have seen many things done right, but also discovered many design and implementation vulnerabilities. Failure is a great lesson in security and can always be turned into positive teaching for the future. Learning from past mistakes is the key to create better systems.

Link: https://blog.doyensec.com/2019/08/01/common-crypto-bugs.html

Blog

post

07/22/2019

Jackson gadgets - Anatomy of a vulnerability (CVE-2019-12384)

07/22/2019

In this article, we explore a Jackson deserialization bug (CVE-2019-12384) discovered during one of our engagements. In particular, we illustrate how an attacker may leverage this deserialization vulnerability to trigger Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE) using a new technique that relies on the popular JDBC/H2 library.

Link: https://blog.doyensec.com/2019/07/22/jackson-gadgets.html

Blog

post

06/11/2019

Electronegativity 1.3.0 released!

06/11/2019

After the first public release of Electronegativity, we had a great response from the community and the tool quickly became the baseline for every Electron app’s security review for many professionals and organizations. This pushed us forward, improving Electronegativity and expanding our research in the field. Today we are proud to release version 1.3.0 with many new improvements and security checks for your Electron applications.

Link: https://blog.doyensec.com/2019/06/11/electronegativity-1.3.html

Blog

post

04/24/2019

On insecure zip handling, Rubyzip and Metasploit RCE (CVE-2019-5624)

04/24/2019

During one of our projects we had the opportunity to audit a Ruby-on-Rails (RoR) web application handling zip files using the Rubyzip gem. Zip files have always been an interesting entry-point to triggering multiple vulnerability types, including path traversals and symlink file overwrite attacks. As the library under testing had symlink processing disabled, we focused on path traversal exploitation.
This blog post discusses our results, the “bug” discovered in the library itself and the implication of such an issue in a popular piece of software - Metasploit.

Link: https://blog.doyensec.com/2019/04/24/rubyzip-bug.html

Blog

post

04/03/2019

Subverting Electron Apps via Insecure Preload

04/03/2019

We’re back from BlackHat Asia 2019 where we introduced a relatively unexplored class of vulnerabilities affecting Electron-based applications.
Despite popular belief, secure-by-default settings are slowly becoming the norm and the dev community is gradually learning common pitfalls. Isolation is now widely deployed across all top Electron applications and so turning XSS into RCE isn’t child’s play anymore.

Link: https://blog.doyensec.com/2019/04/03/subverting-electron-apps-via-insecure-preload.html

Blog

post

01/24/2019

Electronegativity is finally out!

01/24/2019

We’re excited to announce the public release of Electronegativity, an opensource tool capable of identifying misconfigurations and security anti-patterns in Electron-based applications.
Electronegativity is the first-of-its-kind tool that can help software developers and security auditors to detect and mitigate potential weaknesses in Electron applications.

Link: https://blog.doyensec.com/2019/01/24/electronegativity.html

Blog

post

11/05/2018

Introducing burp-rest-api v2

11/05/2018

Since the first commit back in 2016, burp-rest-api has been the default tool for BurpSuite-powered web scanning automation. Many security professionals and organizations have relied on this extension to orchestrate the work of Burp Spider and Scanner.
Today, we’re proud to announce a new major release of the tool: burp-rest-api v2.0.1.
Starting in June 2018, Doyensec joined VMware in the development and support of the growing burp-rest-api community. After several years of experience in big tech companies and startups, we understand the need for security automation to improve efficacy and efficiency during software security activities. Unfortunately internal security tools are rarely open-sourced, and still, too many companies are reinventing the wheel. We believe that working together on foundational components, such as burp-rest-api, represents the future of security automation as it empowers companies of any size to build customized solutions.

Link: https://blog.doyensec.com/2018/11/05/burp-rest-api-v2.html

Blog

post

07/19/2018

Instrumenting Electron Apps for Security Testing

07/19/2018

With the increasing popularity of the Electron Framework, we have created this post to summarize a few techniques which can be used to instrument an Electron-based application, change its behavior, and perform in-depth security assessments.

Link: https://blog.doyensec.com/2018/07/19/instrumenting-electron-app.html

Blog

post

05/24/2018

Electron Windows Protocol Handler MITM/RCE

05/24/2018

As part of an engagement for one of our clients, we analyzed the patch for the recent Electron Windows Protocol handler RCE bug (CVE-2018-1000006) and identified a bypass.
Under certain circumstances this bypass leads to session hijacking and remote code execution. The vulnerability is triggered by simply visiting a web page through a browser. Electron apps designed to run on Windows that register themselves as the default handler for a protocol and do not prepend dash-dash in the registry entry are affected.
We reported the issue to the Electron core team (via security@electronjs.org) on May 14, 2018 and received immediate notification that they were already working on a patch. The issue was also reported by Google’s Nicolas Ruff a few days earlier.

Link: https://blog.doyensec.com/2018/05/24/electron-win-protocol-handler-bug-bypass.html

Blog

post

05/17/2018

GraphQL - Security Overview and Testing Tips

05/17/2018

With the increasing popularity of GraphQL technology, in this blog post we are summarizing some documentation and tips about common security mistakes.

Link: https://blog.doyensec.com/2018/05/17/graphql-security-overview.html

Blog

post

11/15/2017

Staring into the Spotlight

11/15/2017

Spotlight is the all pervasive seeing eye of the OSX userland. It drinks from a spout of file events sprayed out of the kernel and neatly indexes such things for later use. It is an amalgamation of binaries and libraries, all neatly fitted together just to give a user oversight of their box. It presents interesting attack surface and this blog post is an explanation of how some of it works.

Link: https://blog.doyensec.com/2017/11/15/osx-spotlight.html

Blog

post

08/03/2017

Modern Alchemy: Turning XSS into RCE

08/03/2017

At the recent Black Hat Briefings 2017, Doyensec’s co-founder Luca Carettoni presented a new research on Electron security. After a quick overview of Electron’s security model, we disclosed design weaknesses and implementation bugs that can be leveraged to compromise any Electron-based application. In particular, we discussed a bypass that would allow reliable Remote Code Execution (RCE) when rendering untrusted content (for example via Cross-Site Scripting) even with framework-level protections in place.
In this blog post, we would like to provide insight into the bug (CVE-2017-12581) and remediations.

Link: https://blog.doyensec.com/2017/08/03/electron-framework-security.html

Publication

slides

04/02/2019

Preloading Insecurity In Your Electron
Black Hat Asia 2019 (Singapore)

04/02/2019

Download the presentation PDF file: Asia-19-Carettoni-Preloading-Insecurity-In-Your-Electron.pdf

Modern browsers are complicated systems. They enforce numerous security mechanisms to ensure isolation between sites, facilitate web security protections and preventing untrusted remote content to compromise the security of the host. When working with Electron (https://electronjs.org/), things get even more complicated.

The good news is that building secure Electron-based desktop applications is possible. Despite popular belief, the average Electron-based app is more secure than the average web application. The framework itself is getting better, secure-by-default settings are slowly becoming the norm and the dev community is gradually learning all common pitfalls.

It's time to shift gears. In this presentation, we will discuss a relatively unexplored class of vulnerabilities that can turn a boring XSS into RCE. Even without a framework bug (e.g. nodeIntegration bypass), BrowserWindow preload introduces a new interesting attack surface to Electron-based applications.

Abusing Electron's internal IPC, loggers and other application components we will show how we can turn a Cross-Site Scripting vulnerability into a reliable exploitation mechanism to fully compromise popular desktop applications.

Advisory

cve-2018-18604

10/23/2018

Saml_idp - AssertionConsumerServiceURL Allows Account Takeover/Information Leakage

10/23/2018

A vulnerability affects the /saml/auth endpoint of the saml_idp Ruby library (<= v0.7.2) during the processing of SAML requests. The AssertionConsumerServiceURL field is not properly validated. An attacker can abuse this issue to leak the full SAML response or even perform account takeover.

saml-idp Github's PR: https://github.com/saml-idp/saml_idp/pull/102

Publication

slides

09/13/2018

A Drone Tale, All Your Drones Are Belong To Us
SEC-T 2018 (Stockholm, Sweden)

09/13/2018

Download the presentation PDF file: A-Drone-Tale-by-Paolo-Stagno-SEC-T.pdf

Drones have increased their field of application and are actively used across various industries (law enforcement and first responders, utility companies, governments and universities) to perform critical operations on a daily basis. As a result of that, security has also become a crucial aspect when operating remote-controlled pilotless aircrafts. This talk provides a comprehensive overview of the security model and security issues affecting a popular consumer drone product: the DJI Phantom 3.

Advisory

cve-2018-1000006

05/24/2018

Electron Windows Protocol Handler MITM/RCE

05/24/2018

As part of an engagement for one of our clients, Doyensec analyzed the patch for the recent Electron Windows Protocol handler RCE bug (CVE-2018-1000006) and identified a bypass.

Under certain circumstances this bypass leads to session hijacking and remote code execution. The vulnerability is triggered by simply visiting a web page through a browser. Electron apps designed to run on Windows that register themselves as the default handler for a protocol and do not prepend dash-dash in the registry entry are affected.

More details in our blog post: https://blog.doyensec.com/2018/05/24/electron-win-protocol-handler-bug-bypass.html

Advisory

cve-2017-13850

10/31/2017

macOS Font Importer Information Disclosure

10/31/2017

Doyensec researchers discovered a bug in Apple's macOS Font Importer. Parsing a malicious font file will result in memory corruption and information leakage.

Apple's original advisory: https://support.apple.com/en-us/HT208221

Advisory

cve-2017-13820

10/31/2017

macOS ATS Information Disclosure

10/31/2017

Doyensec researchers discovered a bug in Apple's macOS ATS. Parsing a malicious font file will result in memory corruption and information leakage.

Apple's original advisory: https://support.apple.com/en-us/HT208144

Advisory

cve-2017-12621

09/27/2017

Apache Commons Jelly XML External Entity (XXE)

09/27/2017

An XXE vulnerability was identified in Apache Commons Jelly by Doyensec researchers. During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE) attacks.

Apache Commons' original advisory: http://commons.apache.org/proper/commons-jelly/security-reports.html#CVE-2017-12621

Advisory

cve-2017-xxxx

09/12/2017

QNAP QTS 4.3.3 arbitrary file retrieval (as root)

09/12/2017

An arbitrary file retrieval vulnerability was identified in QNAP QTS 4.3.3 File Manager. This functionality can be abused to download arbitrary files from the NAS filesystem as root, leading to system compromise.

Download the advisory PDF file: Doyensec_Advisory_QNAPQTS4.3_FileRetrieval.pdf

Publication

slides

07/27/2017

Electronegativity - A Study of Electron Security
Black Hat USA 2017 (Las Vegas, Nevada)

07/27/2017

Download the presentation PDF file: us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf

Despite all predictions, native Desktop apps are back. After years porting stand-alone apps to the web, we are witnessing an inverse trend. Many companies have started providing native desktop apps built using the same technologies as their web counterparts. In this trend, Github's Electron has become a popular framework to build cross-platform desktop apps with JavaScript, HTML, and CSS. While it seems to be easy, embedding a webapp in a self-contained web environment (Chromium, Node.Js) introduces new security challenges. In this presentation, we will illustrate Electron's security model and describe current isolation mechanisms to prevent untrusted content from using Node.js primitives. Electron's IPC messaging, preloading and other internals will be comprehensively discussed. BrowserWindow and WebView security-relevant options will be also analyzed, together with design-level weaknesses and implementation bugs in Electron.

Publication

whitepaper

07/27/2017

Electron Security Checklist - A guide for developers and auditors
Black Hat USA 2017 (Las Vegas, Nevada)

07/27/2017

Download the whitepaper PDF file: us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf

This document introduces a checklist of security anti-patterns and must-have features to illustrate misconfigurations and vulnerabilities in Electron-based applications. Software developers and security auditors can benefit from this document as it provides a concise, yet comprehensive, summary of potential weaknesses and implementation bugs when developing applications using Electron.

Advisory

cve-2017-2379

04/11/2017

macOS, iOS, tvOS, watchOS CarbonCore Buffer Overflow

04/11/2017

A memory corruption vulnerability was identified in a core component of Apple's font parsing - CarbonCore. This issue could allow an attacker to execute code during the parsing of a malicious Datafork TrueType font.

Download the advisory PDF file: Doyensec_Advisory_FontParsingOSX.pdf

Advisory

cve-2017-2435

04/11/2017

macOS, iOS, tvOS, watchOS CoreText Corrupted Loop Index

04/11/2017

A memory corruption vulnerability was identified in a core component of Apple's font parsing - CoreText. Through a malicious True Type Collection (ttc) font file, CoreText will enter a loop unintentionally referencing out of bounds memory.

Download the advisory PDF file: Doyensec_Advisory_FontParsingOSX.pdf

Advisory

cve-2017-2439

04/11/2017

macOS, iOS, tvOS, watchOS FontParser Infoleak

04/11/2017

An information leakage vulnerability (out-of-bounds read) was discovered in Apple's FontParser, which could allow an attacker to disclose the process memory. This issue could facilitate further exploitation.

Download the advisory PDF file: Doyensec_Advisory_FontParsingOSX.pdf

Advisory

cve-2017-2450

04/11/2017

macOS, iOS, tvOS, watchOS CoreText Infoleak

04/11/2017

An information leakage vulnerability (out-of-bounds read) was discovered in Apple's CoreText, which could allow an attacker to disclose the process memory. This issue could facilitate further exploitation.

Download the advisory PDF file: Doyensec_Advisory_FontParsingOSX.pdf

Publication

slides

03/30/2017

Application security recipes for fast paced environments
Computerworld SEMAFOR 2017 (Warsaw, Poland)

03/30/2017

Download the presentation PDF file: Application_Security_Recipes_for_Fast-Paced_Environments.pdf

Ensuring the security of web applications in continuous delivery environments is an open challenge for many organizations. In fast-paced environments (e.g. startups, agile SDLC shops, etc.), traditional application security practices can slow continuous delivery or simply not address security at all. Instead, a new approach based on security automation and tactical security testing is required to make sure that important components are tested before going live. In this presentation, I will illustrate a few examples on how Silicon Valley-based startups approach security testing while seeking the perfect balance between compliance, security and business productivity.

Code

ajpfuzzer

02/27/2017

A command-line fuzzer for the Apache JServ Protocol (ajp13)

02/27/2017

AJPFuzzer is a rudimental fuzzer for the Apache JServ Protocol, also known as 'ajp13'. Built on top of libajp13, the tool allows you to create and send AJP messages using an easy-to-use command line interface. AJPFuzzer can craft properly formatted AJP13 messages (all message types) as well as mutations (e.g. bit flipping, messages with type mismatch, etc.), which facilitates security testing efforts targeting AJP-based services like web servers AJP modules, J2EE containers, and many others.

Download the source and binary from AJPFuzzer's Github page

Code

libajp13

02/27/2017

A complete AJPv1.3 Java library

02/27/2017

libajp13 is a fully featured open source library implementing the Apache JServ Protocol version 1.3 (ajp13), based on the Apache Protocol Reference. Thanks to libajp13, it is now possible to craft properly formatted AJP binary packets with a single line of code.

Download the source and binary from libajp13's Github page