Doyensec :: Build with Security

Blog

post

11/15/2022

Let's speak AJP - Apache JServ Protocol

11/15/2022

In this blog post, Doyensec's researcher Mohamed Ouad explores the Apache JServ Protocol version 1.3, and the infamous Ghostcat (CVE-2020-1938) vulnerability.

https://blog.doyensec.com/2022/11/15/learning-ajp.html

Blog

post

10/27/2022

Visual Studio Code Jupyter Notebook RCE (CVE-2021-26437)

10/27/2022

In this blog post, we explore how to exploit CVE-2021-26437 (Visual Studio Code .ipynb Jupyter Notebook XSS) to achieve remote code execution in VScode. A detailed technical description of the issue, together with a set of exploitation techniques and the full exploit are provided given that the issue has been patched for over one year.

https://blog.doyensec.com/2022/10/27/jupytervscode.html

Publication

slides

10/22/2022

Web Security in 2022 - New Techniques, New Vulnerabilities and other Updates

10/22/2022

Download the presentation PDF file: NoHat2022_Carettoni.pdf

At Doyensec, we have a traditional monthly event called "Best Bugs". Our security engineers and researchers showcase the most interesting security vulnerabilities that they have either discovered or helped exploit. For us this is a unique opportunity to share knowledge among team members, but there is more. Over the years, we realized how these bugs represent the current state of web application security. The progressive shift to SecDevOps and tech stacks that are secure-by-default have significantly changed the type of vulnerabilities and misconfigurations that affect mainstream web applications. Classic injection vulnerabilities are long gone in hard targets, and the new frontier of vulnerability research involves logical bugs, prototype pollution, API path traversal, broken state machines, second-order injections, misuse of libraries, inconsistencies between the application and the cloud infrastructure and many other modern approaches. In this presentation, we will showcase several of those bugs with the goal of both teaching individual techniques and vulnerabilities, as well as showing trends from the last couple of years.

Blog

post

10/19/2022

The Danger of Falling to System Role in AWS SDK Client

10/19/2022

CloudSec Tidbits is a blogpost series showcasing interesting bugs found by Doyensec during cloud security testing activities. Each blogpost will discuss a specific vulnerability resulting from an insecure combination of web and cloud related technologies. Every article will include an Infrastructure as Code (IaC) laboratory that can be easily deployed to experiment with the described vulnerability.

- Episode 1 (post): https://blog.doyensec.com/2022/10/18/cloudsectidbit-dataimport.html
- Episode 1 (code): https://github.com/doyensec/cloudsec-tidbits/tree/main/lab-dataimport

Blog

post

10/11/2022

On Bypassing eBPF Security Monitoring

10/11/2022

There are many security solutions available today that rely on the Extended Berkeley Packet Filter (eBPF) features of the Linux kernel to monitor kernel functions. Nowadays, eBFP-based programs are used for DDoS mitigations, intrusion detection, container security, and general observability. We audited one particular implementation, but eventually extended our research to techniques that can be generally applied to other targets while attempting to bypass any security monitoring solution based on eBPF: https://blog.doyensec.com/2022/10/11/ebpf-bypass-security-monitoring.html

Blog

post

10/06/2022

Comparing Semgrep and CodeQL

10/06/2022

We've put R2c’s Semgrep in a head-to-head test with GitHub’s CodeQL. Here are our results: https://blog.doyensec.com/2022/10/06/semgrep-codeql.html

Blog

post

09/27/2022

Diving Into Electron Web API Permissions

09/27/2022

Learn how various Electron API permissions could allow apps to spy on their users and what developers can do to protect them.

Read the full details on our research blog post: https://blog.doyensec.com/2022/09/27/electron-api-default-permissions.html

Advisory

CVE-2022-36531

09/21/2022

TypeORM Prototype Pollution Leading To SQL Injection

09/21/2022

TypeORM is one of the most widespread ORM solutions, with more than a million weekly downloads. During one of our engagements, we discovered a critical vulnerability that involves prototype pollution and leads to SQL injection. Interestingly, this security bug turned out to be a regression.

Advisory with full technical details: Doyensec_Advisory_TypeORM_Q32022

Publication

deliverable

09/20/2022

Apollo Router Security Audit Report (Q2 2022)

09/20/2022

Apollo GraphQL is the leader in open source and commercial GraphQL technologies. In May 2022, they engaged Doyensec to perform a security assessment of the Apollo Router, an OSS routing runtime for Apollo Federation.

The full technical deliverable for this engagement is now available: Doyensec_Apollo_Report_Q22022_v4_AfterRetest.pdf

Advisory

CVE-2022-xxxx

08/16/2022

Multiple Denial of Service (DoS) Vulnerabilities in GoProxy, Smokescreen libraries

08/16/2022

GoProxy is a popular HTTP proxy library for Go, used as a dependency in many pieces of software. While auditing a Stripe-maintained fork of the libray (stripe/goproxy), we identified several Denial Of Service (DoS) vulnerabilities that could severely affect its availability. The issue also affected another widespread security-sensitive library, stripe/smokescreen, used to mitigate Server-Side Request Forgery (SSRF) attacks.

Advisory with full technical details: Doyensec_Advisory_SmokescreenGoProxy_Q12022.pdf

Advisory

CVE-2022-xxxx

08/13/2022

DOM Cross-Site Scripting affecting IE11 in Apollo Router/Server

08/13/2022

The default landing page contained HTML to display a sample curl command which is made visible if the full landing page bundle could not be fetched from Apollo's CDN. The server's URL is directly interpolated into this command inside the browser from window.location.href. On some older browsers such as IE11, this value is not URI-encoded. On such browsers, opening a malicious URL pointing at an Apollo Router/Server could cause execution of attacker-controlled JavaScript.

Apollo Server advisory: GHSA-2fvv-qxrq-7jq6

Apollo Router advisory: GHSA-p5q6-hhww-f999

Advisory

CVE-2022-27311

08/13/2022

Server-Side Request Forgery (SSRF) in RubyGems' Gibbon

08/13/2022

We're now releasing the full technical details of a Server-Side Request Forgery (SSRF) vulnerability affecting Gibbon - a wrapper for MailChimp API 3.0 and Export API. By leveraging this vulnerability an attacker can gain information about the local system, internal network, and potentially machines in neighbor networks. The ability to issue arbitrary requests to internal endpoints may also cause unwanted interactions with internal systems.

Our advisory: Doyensec_Advisory_Gibbon_Q12022.pdf

Github advisory: GHSA-vx9g-377x-xwxq

Advisory

CVE-2022-xxxx

08/12/2022

DOM Cross-Site Scripting Via postMessage in AnnounceKit

08/12/2022

Given the end of the embargo, we're releasing the technical details of a DOM-based Cross-Site Scripting (XSS) vulnerability affecting AnnounceKit that was discovered by one of our senior researchers during a client's engagement.

Our advisory: Doyensec_Advisory_AnnounceKit_Q12022.pdf

Blog

post

07/21/2022

Dependency Confusion Detection Tool

07/21/2022

This research focused on creating an all-around tool (named Confuser) to test and exploit potential Dependency Confusion vulnerabilities in the wild. The tool allows scanning packages.json files, generating and publishing payloads to the NPM repository, and finally aggregating the callbacks from vulnerable targets. To validate the effectiveness, we looked for potential Dependency Injection vulnerabilities in top ElectronJS applications.

Article: https://blog.doyensec.com/2022/07/21/dependency-confusion.html

Tool: https://github.com/doyensec/confuser

Publication

deliverable

07/16/2022

Teleport Platform Features Security Audit Report (Q3 2021)

07/16/2022

GoTeleport engaged Doyensec to perform a security assessment of several new Teleport platform features, including Advanced Access Workflows, Slack and Mattermost Plugins, and the Terraform Provider.

The full technical deliverable for this engagement is now available: teleport-features-audit-q3-2021.pdf

Advisory

CVE-2022-xxxx

07/12/2022

Arbitrary File Read/Write in Kafka Connect Default Configurations

07/12/2022

Kafka Connect is a tool for reliably streaming data between Apache Kafka and other data systems. Once Kafka Connect is initialized, with any supported connector property configuration in standalone or distributed mode, port 8083 serves the REST API to the Kafka Connect cluster. By default, the API is accessible in an unauthenticated manner unless authentication is specifically configured. A default instantiation of the Kafka Connect cluster would allow an attacker to configure an environment with the FileStreamSource connector and then read files directly from the Connect server, with the same user privileges and context as the Connect process itself. Similarly, the FileStreamSink connector could also be leveraged to perform arbitrary file writes to the file system in its default unauthenticated state.

Link to the public PDF advisory: Doyensec_Advisory_KafkaConnect_FileReadWrite.pdf

Advisory

CVE-2022-28946
CVE-2022-33082

07/12/2022

Denial of Service Vulnerabilities in Open Policy Agent

07/12/2022

During a client engagement we decided to spend a few hours to evaluate the overall security posture of the Open Policy Agent (OPA).

OPA is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack. OPA is a graduated project in the Cloud Native Computing Foundation (CNCF). Leveraging advanced fuzzing techniques, we identified two Denial of Services vulnerabilities affecting the "Every" expression and CompileModules. Both issues trigger an out-of-range memory access, and do not seem exploitable for remote command execution.

Link to the Incorrect Parsing Of "Every" Expression advisory: resources/Doyensec_Advisory_OPA_Q32022_1.pdf
Link to the Incorrect Interface Conversion Via CompileModules advisory: resources/Doyensec_Advisory_OPA_Q32022_2.pdf

Blog

post

06/09/2022

Apache Pinot SQLi & RCE Cheat Sheet

06/09/2022

This article will help pentesters use their familiarity with classic database systems such as Postgres and MariaDB, and apply it to Apache Pinot. In this post, we will show how a classic SQL-injection (SQLi) bug in a Pinot-backed API can be escalated to Remote Code Execution (RCE) and then discuss post-exploitation.

Article: https://blog.doyensec.com/2022/06/09/apache-pinot-sqli-rce.html

Publication

deliverable

06/25/2022

Teleport Platform Features Security Audit Report (Q4 2021)

06/25/2022

GoTeleport engaged Doyensec to perform a security assessment of several new Teleport platform features, including BPF-based Restricted Session, Simplified Node Joining for AWS, Account Life-cycle: Recovery and Cancellation, Hardware security module (HSM) support, and ThalesIgnite's crypto11 library for PKCS#11.

The full technical deliverable for this engagement is now available: teleport-features-audit-q4-2021.pdf

Blog

post

04/26/2022

Introduction to VirtualBox security research

04/26/2022

This article introduces VirtualBox vulnerability research and explains how to build a coverage-based fuzzer, focusing on the emulated network device drivers. We provide all the necessary steps and code required to instrument and debug the latest stable version of VirtualBox.

Article: https://blog.doyensec.com/2022/04/26/vbox-fuzzing.html

Code: https://github.com/doyensec/vbox-fuzz

Publication

deliverable

11/10/2021

Security Auditing Summary of Basecamp's HEY (Q3 2020)

11/10/2021

Basecamp engaged us to perform a broad application review of HEY. The project consisted of a manual application security assessment against HEY’s web platform and its APIs, mobile (Android, iOS) and desktop (ElectronJS-based) applications. The security audit summary (SAS) for this engagement is now available.

The findings include a number of information exposure vulnerabilities, insecure design, and security misconfiguration issues found across the three HEY clients and the main API service, in addition to several medium severity findings affecting the multi-factor authentication mechanism (2FA bypass), the Gopher caching service (Server Side Request Forgery, Stored Cross-Site Scripting) and the Android mobile application (Insecure File Content Provider). We also demonstrate how chaining three vulnerabilities discovered during this engagement would allow an attacker to compromise the user’s workstation when using HEY for Desktop.

Download the HEY audit summary deliverable: Doyensec_Basecamp_HEY_PlatformTesting_Q32020_SAS.pdf

Blog

post

05/20/2021

GraphQL CSRF: that single GraphQL issue that you keep missing

05/20/2021

GraphQL is getting more popular every day. Despite that, it is not immune to Cross-Site Request Forgery attacks. We spent the last few weeks testing a variety of GraphQL frameworks and applications to understand how widespread this issue is.

Read the full story on our blog: https://blog.doyensec.com/2021/05/20/graphql-csrf.html

Publication

deliverable

05/11/2021

Security Auditing of Teleport Cloud (Q1 2021)

05/11/2021

GoTeleport engaged Doyensec to perform an in-depth security assessment of the Teleport Cloud platform. From their technical blog post:

“Doyensec has demonstrated that their teams’ skill and attention to detail in attacking our infrastructure are unmatched.”

The full technical deliverable for this engagement is now available.

Download the Teleport Cloud testing deliverable: teleport-cloud-audit-q1-2021.pdf

Advisory

CVE-2021-xxxx

04/27/2021

Multiple Privilege Escalation Vulnerabilities in Pritunl VPN client

04/27/2021

Pritunl-client-electron is a free and open source cross platform OpenVPN client. Doyensec discovered two local privilege escalation issues. Due to insufficient configuration sanitization, a low-privileges attacker can obtain root level access. These vulnerabilities were fixed in version v1.2.2768.85.

Link to the public PDF advisory: Doyensec_Advisory_Pritunl_Client_Q22021.pdf

Publication

deliverable

04/12/2021

Security Auditing of Teleport (Q4 2020)

04/12/2021

GoTeleport engaged Doyensec to perform an in-depth security assessment of the Teleport product. The full technical deliverable for this engagement is now available.

Download the Teleport testing deliverable: teleport-audit-q4-2020.pdf

Code

regexploit

03/11/2021

Regexploit

03/11/2021

Regexploit - a tool to find regular expressions which are vulnerable to ReDoS. Many default regular expression parsers have unbounded worst-case complexity. Regex matching may be quick when presented with a matching input string. However, certain non-matching input strings can make the regular expression matcher go into crazy backtracking loops and take ages to process. This can cause denial of service, as the CPU will be stuck trying to match the regex.

This tool is designed to:
• find regular expressions which are vulnerable to ReDoS
• give an example malicious string which will cause catastrophic backtracking

Download the latest release from Regexploit's Github releases page

Blog

post

03/11/2021

Regexploit: DoS-able Regular Expressions

03/11/2021

In this blog post, we’re releasing a new tool to analyse regular expressions and hunt for ReDoS vulnerabilities. Our heuristic has been proven to be extremely effective, as demonstrated by many vulnerabilities discovered across popular NPM, Python and Ruby dependencies.

Read the full story on our blog: https://blog.doyensec.com/2021/03/11/regexploit.html

Advisory

CVE-2021-xxxx

03/11/2021

Regular Expression Denial of Service (ReDoS) in various open-source packages

03/11/2021

During our research on ReDoS, Doyensec reported several vulnerabilities:

• CVE-2020-5243: uap-core affecting uap-python, uap-ruby, etc. (User-Agent header parsing)
• CVE-2020-8492: cpython’s urllib.request (WWW-Authenticate header parsing)
• CVE-2021-21236: CairoSVG (SVG parsing)
• CVE-2021-21240: httplib2 (WWW-Authenticate header parsing)
• CVE-2021-25292: python-pillow (PDF parsing)
• CVE-2021-26813: python-markdown2 (Markdown parsing)
• CVE-2021-27290: npm/ssri (SRI parsing)
• CVE-2021-27291: pygments lexers for ADL, CADL, Ceylon, Evoque, Factor, Logos, Matlab, Octave, ODIN, Scilab & Varnish VCL (Syntax highlighting)
• CVE-2021-27292: ua-parser-js (User-Agent header parsing)
• CVE-2021-27293: RestSharp (JSON deserialisation in a .NET C# package)
• bpo-38804: cpython’s http.cookiejar (Set-Cookie header parsing)
• SimpleCrawler (archived) (HTML parsing)
• Plus many more unpublished bugs in a handful of pypi, npm, ruby and nuget packages. We will update this list on Regexploit's Github page.

Blog

post

02/16/2021

Electron APIs Misuse: An Attacker’s First Choice

02/16/2021

ElectronJs is getting more secure every day. Context isolation and other security settings are planned to become enabled by default with the upcoming release of Electron 12 stable, seemingly ending the somewhat deserved reputation of a systemically insecure framework.

From an attacker’s perspective, Electron-specific APIs are very often the easiest path to gain remote code execution, read or write access to the host’s filesystem, or leak sensitive user’s data. Malicious JavaScript running in the renderer can often subvert the application using such primitives.

Read the full story on our blog: https://blog.doyensec.com/2021/02/16/electron-apis-misuse.html

Advisory

CVE-2021-21288

02/15/2021

Server-Side Request Forgery (SSRF) Vulnerability in CarrierWave's Remote File Upload Feature

02/15/2021

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files for Rails, Sinatra and other Ruby-based web frameworks. In CarrierWave before versions 1.3.2 and 2.1.1 the download feature has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infrastructure of the platform. This vulnerability was fixed in versions 1.3.2 and 2.1.1.

Link to the public Github Advisory: GHSA-fwcm-636p-68r5

Advisory

CVE-2021-3377

02/01/2021

Cross-Site Scripting (XSS) in ansi_up v4

02/01/2021

The npm package ansi_up converts ANSI escape codes (used by terminal emulators to, for example, set text color) into HTML. Since ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, extra HTML attributes and javascript code can be injected into the returned HTML. This can be used in a Cross-Site Scripting (XSS) attack. This vulnerability was fixed in v5.0.0.

Download the advisory PDF file: Doyensec_Advisory_ansi_up4_XSS.pdf

Advisory

CVE-2020-24025

01/11/2021

node-sass Missing Certificate Validation Vulnerability

01/11/2021

During a customer engagement, Doyensec discovered a Certificate Validation vulnerability affecting the node-sass package, used for the Node.js bindings to libsass. Because of an optional flag misconfiguration, libsass binaries fetched from the official github.com CDN may be tampered in-transit. Versions 2.0.0 to 4.14.1 are affected.

Blog

post

12/10/2020

Novel Abuses On Wi-Fi Direct Mobile File Transfers

12/10/2020

Doyensec researched mobile P2P Wi-Fi protocols and their obscure file-sharing implementations. As a result, an overlooked problem common to every Android vendor-provided solution was identified.

Read the full story on our blog: https://blog.doyensec.com/2020/12/10/novel-abuses-wifi-direct-mobile-file-transfers.html

Blog

post

11/19/2020

InQL Scanner v3 Release

11/19/2020

A new major release of InQL, our GraphQL security testing tool, is out! This release includes a Cycles Detector, Request Timer, Precise Query Generation and many bug fixes.

Blog

post

09/09/2020

Fuzzing JavaScript Engines with Fuzzilli

09/09/2020

As part of our fuzzing initiatives, we worked on a few techniques to target popular JavaScript engines (JSE). Our research resulted in a contribution to the well known fuzzer "Fuzzilli". By integrating Fuzzilli with JerryScript, Doyensec was able to identify multiple security vulnerabilities over the course of just four weeks.

Read more on our latest blog post: https://blog.doyensec.com/2020/09/09/fuzzilli-jerryscript.html

Blog

post

08/20/2020

CSRF Protection Bypass in Play Framework

08/20/2020

This blog post illustrates a vulnerability affecting the Play Framework that we discovered during a client engagement. This issue allows a complete Cross-Site Request Forgery (CSRF) protection bypass under specific configurations.

Advisory

CVE-2020-12480

08/10/2020

Play Framework below 2.8.2/2.7.5 CSRF Protection Bypass

08/10/2020

During a customer engagement, Doyensec discovered a CSRF Protection Bypass vulnerability affecting the Play Framework. If a black list is used, the result is that a malicious user may be able to perform a CSRF attack on the Play application.

Publication

resource

06/17/2020

Awesome Electron.js hacking & pentesting resources

06/17/2020

A frequently-updated repository with presentations, bug write-ups, and all kinds of content to help during Electron security testing and hacking.

You can find it over at doyensec/awesome-electronjs-hacking.

Blog

post

06/11/2020

InQL Scanner v2 is out!

06/11/2020

A new version of InQL, our GraphQL security testing tool, is out! This release includes a new stand-alone UI, which integrates an embedded GraphiQL server and many other features.

Blog

post

05/14/2020

Fuzzing TLS Certificates From Their ASN.1 Grammar

05/14/2020

We are building a flexible ASN.1 grammar-based fuzzer for testing TLS certificate parsers. In this blog post, we introduce our research and provide references for security practitioners that are interested in the topic.

Find more details at https://blog.doyensec.com/2020/05/14/asn1fuzz.html

Blog

post

04/30/2020

Researching Polymorphic Images for XSS on Google Scholar

04/30/2020

Google Scholar was found to be vulnerable to multiple stored XSS using an exotic technique involving polymorphic images. In this blog post, we explain the bug found and all the possible ways to create and leverage polymorphic images for XSS through a survey of how popular image manipulation libraries in web apps behave when presented with a polymorphic image.

Find more details at https://blog.doyensec.com/2020/04/30/polymorphic-images-for-xss.html

Publication

slides

04/23/2020

InQL: GraphQL security testing made easy!
GitHub Security Virtual Meetup (April 23, 2020)

04/23/2020

Download the presentation PDF file: Doyensec_InQL_AB_Github.pdf

Given the rising popularity of GraphQL in web applications, Andrea Brancaleoni presented a turbo-talk on GraphQL security and the use of InQL to augment manual security testing.

Blog

post

04/08/2020

LibreSSL and OSS-Fuzz

04/08/2020

A different pick on bounty programs. Discover how to participate in securing free and open source software, while leveraging your blue team skills. In one of our early research projects we ported libressl to OSS-fuzz, a Google sponsored fuzzer infrastructure for open source projects.

Find more details at https://blog.doyensec.com/2020/04/08/libressl-fuzzer.html

Advisory

CVE-2020-5284

03/27/2020

Next.JS below 9.3.2 Path Traversal

03/27/2020

During a customer engagement, Doyensec discovered a path traversal vulnerability affecting the Next.js framework. Attackers could craft special requests to access files in the dist directory (.next), leading to the disclosure of source code and application's secrets. This issue affects Next.js below 9.3.2, when executed using next start

Release note: https://github.com/zeit/next.js/releases/tag/v9.3.2

Code

InQL

03/26/2020

A Burp Extension for GraphQL Security Testing

03/26/2020

InQL Scanner is security testing tool to facilitate GraphQL technology security auditing efforts. The tool can be used as a stand-alone script, or as a Burp Suite extension.

Download the latest release from InQL's Github releases page

Blog

post

03/16/2020

Don't Clone That Repo: Visual Studio Code^2 Execution

03/16/2020

Doyensec discovered a Code Execution vulnerability in Microsoft Visual Studio Code Python Extension (16.5M+ installations at the time of writing).

Find more details and the Proof of Concept in our blogpost: https://blog.doyensec.com/2020/03/16/vscode_codeexec.html

Advisory

CVE-2019-17636

03/10/2020

Eclipse Theia Arbitrary File Read

03/10/2020

In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs.com. This extension, for its own needs, exposes a HTTP endpoint that allows to read the content of files on the host's filesystem, given their path, without restrictions on the requester's origin. This design is vulnerable to being exploited remotely through a DNS rebinding attack or a drive-by download of a carefully crafted exploit.

Original Theia Bug Tracker issue: https://bugs.eclipse.org/bugs/show_bug.cgi?id=551747
PR of the fix: https://github.com/eclipse-theia/theia/pull/7205

Advisory

CVE-2020-9402

03/04/2020

Django SQL Injection Via Tolerance Parameter in GIS Functions and Aggregates

03/04/2020

During a targeted security research effort on the Django Framework, Doyensec discovered that GIS functions and aggregates on Oracle were subject to a SQL injection, using a suitably crafted tolerance parameter.

Publication

deliverable

03/02/2020

Security Auditing of Gravitational's Teleport and Gravity

03/02/2020

Gravitational engaged Doyensec to perform an in-depth security assessment of the Teleport and Gravity enteprise products. Quoting Gravitational's engineers: "This year, we had an opportunity to work with Doyensec, which provided the most thorough independent analysis of Gravity and Teleport to date."

Download the Teleport testing deliverable PDF file: Doyensec_Gravitational_Teleport_Report_Q22019_WithRetesting.pdf
Download the Gravity testing deliverable PDF file: Doyensec_Gravitational_Gravity_Report_Q22019_WithRetesting.pdf

Blog

post

02/24/2020

Signature Validation Bypass Leading to RCE In Electron-Updater

02/24/2020

This blog post illustrates a vulnerability we discovered in the popular electron-builder package: a signature validation bypass in the auto-update mechanism could be abused to push malicious updates and execute arbitrary code on the victims' machine. In this blog post, we explain the details of the vulnerability and demonstrate why such fail-open designs are inherently dangerous for security.

Link: https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypass.html

Code

burp-rest-api

02/24/2020

burp-rest-api

05/11/2018

burp-rest-api is a REST/JSON API to the Burp Suite security tool. Since the first commit back in 2016, burp-rest-api has been the default tool for BurpSuite-powered web scanning automation. Many security professionals and organizations have relied on this extension to orchestrate the work of Burp Spider and Scanner. Starting in June 2018, Doyensec joined VMware in the development and support of the growing burp-rest-api community.

Download the source and binary from burp-rest-api's Github page

Code

electronegativity

01/24/2019

Electronegativity

01/24/2019

Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications. Electronegativity is the first-of-its-kind tool that helps software developers and security auditors to detect and mitigate potential weaknesses in Electron applications; it is now the baseline for every Electron app’s security review for many professionals and organizations.

Download the source and binary from electronegativity's Github page

Code

hopper theme

08/08/2017

Hopper Disassembler Doyensec Theme

08/08/2017

Doyensec theme for the Hopper Disassembler - chill and functional for long RE nights.

Download Doyensec.hopperTheme and import the file through the Preferences menu.

Code

training

02/02/2017

Developing Burp Suite Extensions: Training Material

02/02/2017

We have open-sourced the repository containing the templates and code for the training "Developing Burp Suite Extensions - From Manual Testing to Security Automation".

The repository is accessible at https://github.com/doyensec/burpdeveltraining

Publication

deliverable

02/19/2020

Security Auditing of the Solo Firmware

02/19/2020

Download the deliverable PDF file: Doyensec_SoloKeys_TestingReport_Q12020_v3.pdf

SoloKeys engaged Doyensec to perform a security assessment of the SoloKeys software components. The project commenced on January 20, 2020, and ended on January 31, 2020, requiring one security researcher. The audit resulted in three (3) findings of which one (1) was rated as high severity.

The final deliverable, Proof-of-Concept exploits and our instrumentation for AFL fuzzing have been publicly released.

Blog

post

02/03/2020

Heap Overflow in F-Secure Internet Gatekeeper

02/03/2020

This blog post illustrates a vulnerability we discovered in the F-Secure Internet Gatekeeper application. It shows how a simple mistake can lead to an exploitable unauthenticated remote code execution vulnerability.

Link: https://blog.doyensec.com/2020/02/03/heap-exploit.html

Publication

slides

01/24/2020

Modern Web Security: The Art of Creating and Breaking Assertions
AppSec California 2020 (Santa Monica)

01/24/2020

Download the presentation PDF file: Villamil-Modern-Web-Security-Assertions.pdf

Modern web security is a mix of relatively recent frameworks, methods, languages, and abstractions. The age of injection bugs has come and gone. We are firmly in the age of assertions. This age is widely defined by business logic flaws. On a deeper level this age is governed by the security auditor's skill in creating and breaking assertions in the target. Assertions come from any source and they represent statements of security or functionality made by the target.

We'll talk about our experience auditing modern web applications over the last three years. We'll talk about the current state of web application security, how its evolved, and where its going. We give examples of assertions (big and small) created and broken during various security audits and the value this brought to the customer. Our goal is to introduce the age of assertions into the zeitgeist and provide auditors a more refined way of thinking beyond injection bugs.

Publication

slides

01/24/2020

Democratizing Electron.js Security
Covalence 2020 (San Francisco)

01/24/2020

Download the presentation PDF file: Covalence-2020-Carettoni-DemocratizingElectronSecurity.pdf

We love Electron.js so much, that we break it. Since 2017, we have audited dozens of Electron-based applications and witnessed a remarkable commitment to security. Back then, breaking the framework’s security mechanisms wasn’t too difficult. Fast forward to 2020, Electron.js is getting better, secure-by-default settings are slowly becoming the norm, vulnerability disclosure is handled with consolidated practices, and the dev community is gradually learning all common pitfalls.

It is better, but there is still a long road ahead. Responsibilities must be equally shared between core contributors and application developers. While the most effective way to bring security capabilities to everyone is to have them built into the framework, it is also important to have a community that considers security as a core value. Closing the web-native desktop gap is not trivial as we have to balance security with usability and framework flexibility.

In this talk we want to celebrate the progress made and discuss the technical challenges that both Electron.js maintainers and application developers are facing when building secure desktop applications. We will show common vulnerabilities and misconfigurations, discuss root causes and provide practical tips on how to mitigate existing attacks. If you care about Electron.js security, this talk is for you!

Advisory

cve-2019-xxxx

08/13/2019

Matomo - Cookie Signature Bypass Through PHP Type Confusion

08/13/2019

The "Cookie" handling class, responsible for validating the signature of a cookie value through the "extractSignedContent" function, is vulnerable to PHP Type Confusion.

Matomo Github's PR: https://github.com/matomo-org/matomo/pull/14760

Blog

post

08/22/2019

Modern Android Password Managers and FLAG_SECURE Misuse

08/22/2019

Doyensec discovered that an old Android vulnerability involving the `FLAG_SECURE` setting still affected popular mobile password managers for Android (1Password, Keeper, Dashlane, et al).

The article showcases the vulnerabilities found and explains the common underlying problem.

Link: https://blog.doyensec.com/2019/08/22/modern-password-managers-flag-secure.html

Publication

slides

08/07/2019

Electronegativity: Identify Misconfigurations and Security Anti-Patterns in Electron Applications

08/07/2019

Download the presentation PDF file: Electronegativity_ArsenalBHUS2019.pdf

Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.

This is the first and only tool capable of detecting potential weaknesses and implementation bugs when developing applications using Electron, as recommended in the official security guidelines of the Electron project. Software developers and security auditors can use this tool to create secure desktop applications using web technologies.

After being first introduced at Black Hat US 2017 (Electronegativity - A Study of Electron Security) and featured at Black Hat Asia 2019 (Preloading Insecurity In Your Electron), the tool was showcased for the first time ever at the Black Hat USA 2019 Arsenal where we demonstrated its potential by scanning well-known applications.

Blog

post

08/01/2019

Lessons in auditing cryptocurrency wallets, systems, and infrastructures

08/01/2019

In the past three years, Doyensec has been providing security testing services for some of the global brands in the cryptocurrency world. We have audited desktop and mobile wallets, exchanges web interfaces, custody systems, and backbone infrastructure components.

We have seen many things done right, but also discovered many design and implementation vulnerabilities. Failure is a great lesson in security and can always be turned into positive teaching for the future. Learning from past mistakes is the key to create better systems.

Link: https://blog.doyensec.com/2019/08/01/common-crypto-bugs.html

Blog

post

07/22/2019

Jackson gadgets - Anatomy of a vulnerability (CVE-2019-12384)

07/22/2019

In this article, we explore a Jackson deserialization bug (CVE-2019-12384) discovered during one of our engagements. In particular, we illustrate how an attacker may leverage this deserialization vulnerability to trigger Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE) using a new technique that relies on the popular JDBC/H2 library.

Link: https://blog.doyensec.com/2019/07/22/jackson-gadgets.html

Blog

post

06/11/2019

Electronegativity 1.3.0 released!

06/11/2019

After the first public release of Electronegativity, we had a great response from the community and the tool quickly became the baseline for every Electron app’s security review for many professionals and organizations. This pushed us forward, improving Electronegativity and expanding our research in the field. Today we are proud to release version 1.3.0 with many new improvements and security checks for your Electron applications.

Link: https://blog.doyensec.com/2019/06/11/electronegativity-1.3.html

Blog

post

04/24/2019

On insecure zip handling, Rubyzip and Metasploit RCE (CVE-2019-5624)

04/24/2019

During one of our projects we had the opportunity to audit a Ruby-on-Rails (RoR) web application handling zip files using the Rubyzip gem. Zip files have always been an interesting entry-point to triggering multiple vulnerability types, including path traversals and symlink file overwrite attacks. As the library under testing had symlink processing disabled, we focused on path traversal exploitation.
This blog post discusses our results, the “bug” discovered in the library itself and the implication of such an issue in a popular piece of software - Metasploit.

Link: https://blog.doyensec.com/2019/04/24/rubyzip-bug.html

Blog

post

04/03/2019

Subverting Electron Apps via Insecure Preload

04/03/2019

We’re back from BlackHat Asia 2019 where we introduced a relatively unexplored class of vulnerabilities affecting Electron-based applications.
Despite popular belief, secure-by-default settings are slowly becoming the norm and the dev community is gradually learning common pitfalls. Isolation is now widely deployed across all top Electron applications and so turning XSS into RCE isn’t child’s play anymore.

Link: https://blog.doyensec.com/2019/04/03/subverting-electron-apps-via-insecure-preload.html

Blog

post

01/24/2019

Electronegativity is finally out!

01/24/2019

We’re excited to announce the public release of Electronegativity, an opensource tool capable of identifying misconfigurations and security anti-patterns in Electron-based applications.
Electronegativity is the first-of-its-kind tool that can help software developers and security auditors to detect and mitigate potential weaknesses in Electron applications.

Link: https://blog.doyensec.com/2019/01/24/electronegativity.html

Blog

post

11/05/2018

Introducing burp-rest-api v2

11/05/2018

Since the first commit back in 2016, burp-rest-api has been the default tool for BurpSuite-powered web scanning automation. Many security professionals and organizations have relied on this extension to orchestrate the work of Burp Spider and Scanner.
Today, we’re proud to announce a new major release of the tool: burp-rest-api v2.0.1.
Starting in June 2018, Doyensec joined VMware in the development and support of the growing burp-rest-api community. After several years of experience in big tech companies and startups, we understand the need for security automation to improve efficacy and efficiency during software security activities. Unfortunately internal security tools are rarely open-sourced, and still, too many companies are reinventing the wheel. We believe that working together on foundational components, such as burp-rest-api, represents the future of security automation as it empowers companies of any size to build customized solutions.

Link: https://blog.doyensec.com/2018/11/05/burp-rest-api-v2.html

Blog

post

07/19/2018

Instrumenting Electron Apps for Security Testing

07/19/2018

With the increasing popularity of the Electron Framework, we have created this post to summarize a few techniques which can be used to instrument an Electron-based application, change its behavior, and perform in-depth security assessments.

Link: https://blog.doyensec.com/2018/07/19/instrumenting-electron-app.html

Blog

post

05/24/2018

Electron Windows Protocol Handler MITM/RCE

05/24/2018

As part of an engagement for one of our clients, we analyzed the patch for the recent Electron Windows Protocol handler RCE bug (CVE-2018-1000006) and identified a bypass.
Under certain circumstances this bypass leads to session hijacking and remote code execution. The vulnerability is triggered by simply visiting a web page through a browser. Electron apps designed to run on Windows that register themselves as the default handler for a protocol and do not prepend dash-dash in the registry entry are affected.
We reported the issue to the Electron core team (via security@electronjs.org) on May 14, 2018 and received immediate notification that they were already working on a patch. The issue was also reported by Google’s Nicolas Ruff a few days earlier.

Link: https://blog.doyensec.com/2018/05/24/electron-win-protocol-handler-bug-bypass.html

Blog

post

05/17/2018

GraphQL - Security Overview and Testing Tips

05/17/2018

With the increasing popularity of GraphQL technology, in this blog post we are summarizing some documentation and tips about common security mistakes.

Link: https://blog.doyensec.com/2018/05/17/graphql-security-overview.html

Blog

post

11/15/2017

Staring into the Spotlight

11/15/2017

Spotlight is the all pervasive seeing eye of the OSX userland. It drinks from a spout of file events sprayed out of the kernel and neatly indexes such things for later use. It is an amalgamation of binaries and libraries, all neatly fitted together just to give a user oversight of their box. It presents interesting attack surface and this blog post is an explanation of how some of it works.

Link: https://blog.doyensec.com/2017/11/15/osx-spotlight.html

Blog

post

08/03/2017

Modern Alchemy: Turning XSS into RCE

08/03/2017

At the recent Black Hat Briefings 2017, Doyensec’s co-founder Luca Carettoni presented a new research on Electron security. After a quick overview of Electron’s security model, we disclosed design weaknesses and implementation bugs that can be leveraged to compromise any Electron-based application. In particular, we discussed a bypass that would allow reliable Remote Code Execution (RCE) when rendering untrusted content (for example via Cross-Site Scripting) even with framework-level protections in place.
In this blog post, we would like to provide insight into the bug (CVE-2017-12581) and remediations.

Link: https://blog.doyensec.com/2017/08/03/electron-framework-security.html

Publication

slides

04/02/2019

Preloading Insecurity In Your Electron
Black Hat Asia 2019 (Singapore)

04/02/2019

Download the presentation PDF file: Asia-19-Carettoni-Preloading-Insecurity-In-Your-Electron.pdf

Modern browsers are complicated systems. They enforce numerous security mechanisms to ensure isolation between sites, facilitate web security protections and preventing untrusted remote content to compromise the security of the host. When working with Electron (https://electronjs.org/), things get even more complicated.

The good news is that building secure Electron-based desktop applications is possible. Despite popular belief, the average Electron-based app is more secure than the average web application. The framework itself is getting better, secure-by-default settings are slowly becoming the norm and the dev community is gradually learning all common pitfalls.

It's time to shift gears. In this presentation, we will discuss a relatively unexplored class of vulnerabilities that can turn a boring XSS into RCE. Even without a framework bug (e.g. nodeIntegration bypass), BrowserWindow preload introduces a new interesting attack surface to Electron-based applications.

Abusing Electron's internal IPC, loggers and other application components we will show how we can turn a Cross-Site Scripting vulnerability into a reliable exploitation mechanism to fully compromise popular desktop applications.

Advisory

cve-2018-18604

10/23/2018

Saml_idp - AssertionConsumerServiceURL Allows Account Takeover/Information Leakage

10/23/2018

A vulnerability affects the /saml/auth endpoint of the saml_idp Ruby library (<= v0.7.2) during the processing of SAML requests. The AssertionConsumerServiceURL field is not properly validated. An attacker can abuse this issue to leak the full SAML response or even perform account takeover.

saml-idp Github's PR: https://github.com/saml-idp/saml_idp/pull/102

Publication

slides

09/13/2018

A Drone Tale, All Your Drones Are Belong To Us
SEC-T 2018 (Stockholm, Sweden)

09/13/2018

Download the presentation PDF file: A-Drone-Tale-by-Paolo-Stagno-SEC-T.pdf

Drones have increased their field of application and are actively used across various industries (law enforcement and first responders, utility companies, governments and universities) to perform critical operations on a daily basis. As a result of that, security has also become a crucial aspect when operating remote-controlled pilotless aircrafts. This talk provides a comprehensive overview of the security model and security issues affecting a popular consumer drone product: the DJI Phantom 3.

Advisory

cve-2018-1000006

05/24/2018

Electron Windows Protocol Handler MITM/RCE

05/24/2018

As part of an engagement for one of our clients, Doyensec analyzed the patch for the recent Electron Windows Protocol handler RCE bug (CVE-2018-1000006) and identified a bypass.

Under certain circumstances this bypass leads to session hijacking and remote code execution. The vulnerability is triggered by simply visiting a web page through a browser. Electron apps designed to run on Windows that register themselves as the default handler for a protocol and do not prepend dash-dash in the registry entry are affected.

More details in our blog post: https://blog.doyensec.com/2018/05/24/electron-win-protocol-handler-bug-bypass.html

Advisory

cve-2017-13850

10/31/2017

macOS Font Importer Information Disclosure

10/31/2017

Doyensec researchers discovered a bug in Apple's macOS Font Importer. Parsing a malicious font file will result in memory corruption and information leakage.

Apple's original advisory: https://support.apple.com/en-us/HT208221

Advisory

cve-2017-13820

10/31/2017

macOS ATS Information Disclosure

10/31/2017

Doyensec researchers discovered a bug in Apple's macOS ATS. Parsing a malicious font file will result in memory corruption and information leakage.

Apple's original advisory: https://support.apple.com/en-us/HT208144

Advisory

cve-2017-12621

09/27/2017

Apache Commons Jelly XML External Entity (XXE)

09/27/2017

An XXE vulnerability was identified in Apache Commons Jelly by Doyensec researchers. During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE) attacks.

Apache Commons' original advisory: http://commons.apache.org/proper/commons-jelly/security-reports.html#CVE-2017-12621

Advisory

cve-2017-xxxx

09/12/2017

QNAP QTS 4.3.3 arbitrary file retrieval (as root)

09/12/2017

An arbitrary file retrieval vulnerability was identified in QNAP QTS 4.3.3 File Manager. This functionality can be abused to download arbitrary files from the NAS filesystem as root, leading to system compromise.

Download the advisory PDF file: Doyensec_Advisory_QNAPQTS4.3_FileRetrieval.pdf

Publication

slides

07/27/2017

Electronegativity - A Study of Electron Security
Black Hat USA 2017 (Las Vegas, Nevada)

07/27/2017

Download the presentation PDF file: us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf

Despite all predictions, native Desktop apps are back. After years porting stand-alone apps to the web, we are witnessing an inverse trend. Many companies have started providing native desktop apps built using the same technologies as their web counterparts. In this trend, Github's Electron has become a popular framework to build cross-platform desktop apps with JavaScript, HTML, and CSS. While it seems to be easy, embedding a webapp in a self-contained web environment (Chromium, Node.Js) introduces new security challenges. In this presentation, we will illustrate Electron's security model and describe current isolation mechanisms to prevent untrusted content from using Node.js primitives. Electron's IPC messaging, preloading and other internals will be comprehensively discussed. BrowserWindow and WebView security-relevant options will be also analyzed, together with design-level weaknesses and implementation bugs in Electron.

Publication

whitepaper

07/27/2017

Electron Security Checklist - A guide for developers and auditors
Black Hat USA 2017 (Las Vegas, Nevada)

07/27/2017

Download the whitepaper PDF file: us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf

This document introduces a checklist of security anti-patterns and must-have features to illustrate misconfigurations and vulnerabilities in Electron-based applications. Software developers and security auditors can benefit from this document as it provides a concise, yet comprehensive, summary of potential weaknesses and implementation bugs when developing applications using Electron.

Advisory

cve-2017-2379

04/11/2017

macOS, iOS, tvOS, watchOS CarbonCore Buffer Overflow

04/11/2017

A memory corruption vulnerability was identified in a core component of Apple's font parsing - CarbonCore. This issue could allow an attacker to execute code during the parsing of a malicious Datafork TrueType font.

Download the advisory PDF file: Doyensec_Advisory_FontParsingOSX.pdf

Advisory

cve-2017-2435

04/11/2017

macOS, iOS, tvOS, watchOS CoreText Corrupted Loop Index

04/11/2017

A memory corruption vulnerability was identified in a core component of Apple's font parsing - CoreText. Through a malicious True Type Collection (ttc) font file, CoreText will enter a loop unintentionally referencing out of bounds memory.

Download the advisory PDF file: Doyensec_Advisory_FontParsingOSX.pdf

Advisory

cve-2017-2439

04/11/2017

macOS, iOS, tvOS, watchOS FontParser Infoleak

04/11/2017

An information leakage vulnerability (out-of-bounds read) was discovered in Apple's FontParser, which could allow an attacker to disclose the process memory. This issue could facilitate further exploitation.

Download the advisory PDF file: Doyensec_Advisory_FontParsingOSX.pdf

Advisory

cve-2017-2450

04/11/2017

macOS, iOS, tvOS, watchOS CoreText Infoleak

04/11/2017

An information leakage vulnerability (out-of-bounds read) was discovered in Apple's CoreText, which could allow an attacker to disclose the process memory. This issue could facilitate further exploitation.

Download the advisory PDF file: Doyensec_Advisory_FontParsingOSX.pdf

Publication

slides

03/30/2017

Application security recipes for fast paced environments
Computerworld SEMAFOR 2017 (Warsaw, Poland)

03/30/2017

Download the presentation PDF file: Application_Security_Recipes_for_Fast-Paced_Environments.pdf

Ensuring the security of web applications in continuous delivery environments is an open challenge for many organizations. In fast-paced environments (e.g. startups, agile SDLC shops, etc.), traditional application security practices can slow continuous delivery or simply not address security at all. Instead, a new approach based on security automation and tactical security testing is required to make sure that important components are tested before going live. In this presentation, I will illustrate a few examples on how Silicon Valley-based startups approach security testing while seeking the perfect balance between compliance, security and business productivity.

Code

ajpfuzzer

02/27/2017

A command-line fuzzer for the Apache JServ Protocol (ajp13)

02/27/2017

AJPFuzzer is a rudimental fuzzer for the Apache JServ Protocol, also known as 'ajp13'. Built on top of libajp13, the tool allows you to create and send AJP messages using an easy-to-use command line interface. AJPFuzzer can craft properly formatted AJP13 messages (all message types) as well as mutations (e.g. bit flipping, messages with type mismatch, etc.), which facilitates security testing efforts targeting AJP-based services like web servers AJP modules, J2EE containers, and many others.

Download the source and binary from AJPFuzzer's Github page

Code

libajp13

02/27/2017

A complete AJPv1.3 Java library

02/27/2017

libajp13 is a fully featured open source library implementing the Apache JServ Protocol version 1.3 (ajp13), based on the Apache Protocol Reference. Thanks to libajp13, it is now possible to craft properly formatted AJP binary packets with a single line of code.

Download the source and binary from libajp13's Github page