GoTeleport engaged Doyensec to perform an in-depth security assessment of the Teleport product. The full technical deliverable for this engagement is now available.
Download the Teleport testing deliverable: teleport-audit-q4-2020.pdf
Research is one of our founding principles and we invest in it heavily. All of our researchers have the privilege to use 25% of their time, or one week every month, exclusively for self-directed research. We aim to provide research-driven application security, enabling trust in our clients' products and evolving the resilience of the digital ecosystem. By discovering new vulnerabilities and attack techniques, we are constantly improving our capabilities and contributing to the security of the digital world.
Regexploit - a tool to find regular expressions which are vulnerable to ReDoS. Many default regular expression parsers have unbounded worst-case complexity. Regex matching may be quick when presented with a matching input string. However, certain non-matching input strings can make the regular expression matcher go into crazy backtracking loops and take ages to process. This can cause denial of service, as the CPU will be stuck trying to match the regex.
This tool is designed to:
• find regular expressions which are vulnerable to ReDoS
• give an example malicious string which will cause catastrophic backtracking
Download the latest release from Regexploit's Github releases page
In this blog post, we’re releasing a new tool to analyse regular expressions and hunt for ReDoS vulnerabilities. Our heuristic has been proven to be extremely effective, as demonstrated by many vulnerabilities discovered across popular NPM, Python and Ruby dependencies.
Read the full story on our blog: https://blog.doyensec.com/2021/03/11/regexploit.html
Advisory
CVE-2021-xxxx
03/11/2021
Regular Expression Denial of Service (ReDoS) in various open-source packages
03/11/2021
During our research on ReDoS, Doyensec reported several vulnerabilities:
• CVE-2020-5243: uap-core affecting uap-python, uap-ruby, etc. (User-Agent header parsing)
• CVE-2020-8492: cpython’s urllib.request (WWW-Authenticate header parsing)
• CVE-2021-21236: CairoSVG (SVG parsing)
• CVE-2021-21240: httplib2 (WWW-Authenticate header parsing)
• CVE-2021-25292: python-pillow (PDF parsing)
• CVE-2021-26813: python-markdown2 (Markdown parsing)
• CVE-2021-27290: npm/ssri (SRI parsing)
• CVE-2021-27291: pygments lexers for ADL, CADL, Ceylon, Evoque, Factor, Logos, Matlab, Octave, ODIN, Scilab & Varnish VCL (Syntax highlighting)
• CVE-2021-27292: ua-parser-js (User-Agent header parsing)
• CVE-2021-27293: RestSharp (JSON deserialisation in a .NET C# package)
• bpo-38804: cpython’s http.cookiejar (Set-Cookie header parsing)
• SimpleCrawler (archived) (HTML parsing)
• Plus many more unpublished bugs in a handful of pypi, npm, ruby and nuget packages. We will update this list on Regexploit's Github page.
ElectronJs is getting more secure every day. Context isolation and other security settings are planned to become enabled by default with the upcoming release of Electron 12 stable, seemingly ending the somewhat deserved reputation of a systemically insecure framework.
From an attacker’s perspective, Electron-specific APIs are very often the easiest path to gain remote code execution, read or write access to the host’s filesystem, or leak sensitive user’s data. Malicious JavaScript running in the renderer can often subvert the application using such primitives.
Read the full story on our blog: https://blog.doyensec.com/2021/02/16/electron-apis-misuse.html
Advisory
CVE-2021-21288
02/15/2021
Server-Side Request Forgery (SSRF) Vulnerability in CarrierWave's Remote File Upload Feature
02/15/2021
CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files for Rails, Sinatra and other Ruby-based web frameworks. In CarrierWave before versions 1.3.2 and 2.1.1 the download feature has an SSRF vulnerability, allowing attackers to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infrastructure of the platform. This vulnerability was fixed in versions 1.3.2 and 2.1.1.
Link to the public Github Advisory: GHSA-fwcm-636p-68r5
The npm package ansi_up converts ANSI escape codes (used by terminal emulators to, for example, set text color) into HTML. Since ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, extra HTML attributes and javascript code can be injected into the returned HTML. This can be used in a Cross-Site Scripting (XSS) attack. This vulnerability was fixed in v5.0.0.
Download the advisory PDF file: Doyensec_Advisory_ansi_up4_XSS.pdf
Advisory
CVE-2020-24025
01/11/2021
node-sass Missing Certificate Validation Vulnerability
01/11/2021
During a customer engagement, Doyensec discovered a Certificate Validation vulnerability affecting the node-sass package, used for the Node.js bindings to libsass. Because of an optional flag misconfiguration, libsass binaries fetched from the official github.com CDN may be tampered with in transit. Versions 2.0.0 to 4.14.1 are affected.
Doyensec researched mobile P2P Wi-Fi protocols and their obscure file-sharing implementations. As a result, an overlooked problem common to every Android vendor-provided solution was identified.
Read the full story on our blog: https://blog.doyensec.com/2020/12/10/novel-abuses-wifi-direct-mobile-file-transfers.html
A new major release of InQL, our GraphQL security testing tool, is out! This release includes a Cycles Detector, Request Timer, Precise Query Generation and many bug fixes.
Read more on our blog: https://blog.doyensec.com/2020/11/19/inql-scanner-v3.html
As part of our fuzzing initiatives, we worked on a few techniques to target popular JavaScript engines (JSE). Our research resulted in a contribution to the well known fuzzer "Fuzzilli". By integrating Fuzzilli with JerryScript, Doyensec was able to identify multiple security vulnerabilities over the course of just four weeks.
Read more on our latest blog post: https://blog.doyensec.com/2020/09/09/fuzzilli-jerryscript.html
This blog post illustrates a vulnerability affecting the Play Framework that we discovered during a client engagement. This issue allows a complete Cross-Site Request Forgery (CSRF) protection bypass under specific configurations.
Read more on the blog: https://blog.doyensec.com/2020/08/20/playframework-csrf-bypass.html
Advisory
CVE-2020-12480
08/10/2020
Play Framework below 2.8.2/2.7.5 CSRF Protection Bypass
08/10/2020
During a customer engagement, Doyensec discovered a CSRF Protection Bypass vulnerability affecting the Play Framework. If a blacklist is used, the result is that a malicious user may be able to perform a CSRF attack on the Play application.
A frequently-updated repository with presentations, bug write-ups, and all kinds of content to help during Electron security testing and hacking.
You can find it over at doyensec/awesome-electronjs-hacking.
A new version of InQL, our GraphQL security testing tool, is out! This release includes a new stand-alone UI, which integrates an embedded GraphiQL server and many other features.
Read more on the blog: https://blog.doyensec.com/2020/06/11/inql-scanner-v2.html
We are building a flexible ASN.1 grammar-based fuzzer for testing TLS certificate parsers. In this blog post, we introduce our research and provide references for security practitioners that are interested in the topic.
Find more details at https://blog.doyensec.com/2020/05/14/asn1fuzz.html
Google Scholar was found to be vulnerable to multiple stored XSS using an exotic technique involving polymorphic images. In this blog post, we explain the bug found and all the possible ways to create and leverage polymorphic images for XSS through a survey of how popular image manipulation libraries in web apps behave when presented with a polymorphic image.
Find more details at https://blog.doyensec.com/2020/04/30/polymorphic-images-for-xss.html
Publication
slides
04/23/2020
InQL: GraphQL security testing made easy!
GitHub Security Virtual Meetup (April 23, 2020)
04/23/2020
Download the presentation PDF file: Doyensec_InQL_AB_Github.pdf
Given the rising popularity of GraphQL in web applications, Andrea Brancaleoni presented a turbo-talk on GraphQL security and the use of InQL to augment manual security testing.
A different pick on bounty programs. Discover how to participate in securing free and open source software, while leveraging your blue team skills. In one of our early research projects we ported libressl to OSS-fuzz, a Google sponsored fuzzer infrastructure for open source projects.
Find more details at https://blog.doyensec.com/2020/04/08/libressl-fuzzer.html
During a customer engagement, Doyensec discovered a path traversal vulnerability affecting the Next.js framework. Attackers could craft special requests to access files in the dist directory (.next), leading to the disclosure of source code and application secrets. This issue affects Next.js below 9.3.2, when executed using next start.
Release note: https://github.com/zeit/next.js/releases/tag/v9.3.2
InQL Scanner is a security testing tool to facilitate GraphQL technology security auditing efforts. The tool can be used as a stand-alone script, or as a Burp Suite extension.
Download the latest release from InQL's Github releases page
Doyensec discovered a Code Execution vulnerability in Microsoft Visual Studio Code Python Extension (16.5M+ installations at the time of writing).
Find more details and the Proof of Concept in our blogpost: https://blog.doyensec.com/2020/03/16/vscode_codeexec.html
In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs.com. This extension, for its own needs, exposes an HTTP endpoint that allows reading the content of files on the host's filesystem, given their path, without restrictions on the requester's origin. This design is vulnerable to being exploited remotely through a DNS rebinding attack or a drive-by download of a carefully crafted exploit.
Original Theia Bug Tracker issue: https://bugs.eclipse.org/bugs/show_bug.cgi?id=551747
PR of the fix: https://github.com/eclipse-theia/theia/pull/7205
Advisory
CVE-2020-9402
03/04/2020
Django SQL Injection Via Tolerance Parameter in GIS Functions and Aggregates
03/04/2020
During a targeted security research effort on the Django Framework, Doyensec discovered that GIS functions and aggregates on Oracle were subject to a SQL injection, using a suitably crafted tolerance parameter.
Publication
deliverable
03/02/2020
Security Auditing of Gravitational's Teleport and Gravity
03/02/2020
Gravitational engaged Doyensec to perform an in-depth security assessment of the Teleport and Gravity enterprise products. Quoting Gravitational's engineers: "This year, we had an opportunity to work with Doyensec, which provided the most thorough independent analysis of Gravity and Teleport to date."
Download the Teleport testing deliverable PDF file: Doyensec_Gravitational_Teleport_Report_Q22019_WithRetesting.pdf
Download the Gravity testing deliverable PDF file: Doyensec_Gravitational_Gravity_Report_Q22019_WithRetesting.pdf
This blog post illustrates a vulnerability we discovered in the popular electron-builder package: a signature validation bypass in the auto-update mechanism could be abused to push malicious updates and execute arbitrary code on the victims' machines. We explain the details of the vulnerability and demonstrate why such fail-open designs are inherently dangerous for security.
Link: https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypass.html
burp-rest-api is a REST/JSON API to the Burp Suite security tool. Since the first commit back in 2016, burp-rest-api has been the default tool for BurpSuite-powered web scanning automation. Many security professionals and organizations have relied on this extension to orchestrate the work of Burp Spider and Scanner. Starting in June 2018, Doyensec joined VMware in the development and support of the growing burp-rest-api community.
Download the source and binary from burp-rest-api's Github page
Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications. Electronegativity is the first-of-its-kind tool that helps software developers and security auditors to detect and mitigate potential weaknesses in Electron applications; it is now the baseline for every Electron app’s security review for many professionals and organizations.
Download the source and binary from electronegativity's Github page
Doyensec theme for the Hopper Disassembler - chill and functional for long RE nights.
Download Doyensec.hopperTheme and import the file through the Preferences menu.
We have open-sourced the repository containing the templates and code for the training "Developing Burp Suite Extensions - From Manual Testing to Security Automation".
The repository is accessible at https://github.com/doyensec/burpdeveltraining
Download the deliverable PDF file: Doyensec_SoloKeys_TestingReport_Q12020_v3.pdf
SoloKeys engaged Doyensec to perform a security assessment of the SoloKeys software components. The project commenced on January 20, 2020, and ended on January 31, 2020, requiring one security researcher. The audit resulted in three (3) findings of which one (1) was rated as high severity.
The final deliverable, Proof-of-Concept exploits and our instrumentation for AFL fuzzing have been publicly released.
This blog post illustrates a vulnerability we discovered in the F-Secure Internet Gatekeeper application. It shows how a simple mistake can lead to an exploitable unauthenticated remote code execution vulnerability.
Link: https://blog.doyensec.com/2020/02/03/heap-exploit.html
Publication
slides
01/24/2020
Modern Web Security: The Art of Creating and Breaking Assertions
AppSec California 2020 (Santa Monica)
01/24/2020
Download the presentation PDF file: Villamil-Modern-Web-Security-Assertions.pdf
Modern web security is a mix of relatively recent frameworks, methods, languages, and abstractions. The age of injection bugs has come and gone. We are firmly in the age of assertions. This age is widely defined by business logic flaws. On a deeper level this age is governed by the security auditor's skill in creating and breaking assertions in the target. Assertions come from any source and they represent statements of security or functionality made by the target.
We'll talk about our experience auditing modern web applications over the last three years. We'll talk about the current state of web application security, how it has evolved, and where it is going. We give examples of assertions (big and small) created and broken during various security audits and the value this brought to the customer. Our goal is to introduce the age of assertions into the zeitgeist and provide auditors a more refined way of thinking beyond injection bugs.
Publication
slides
01/24/2020
Democratizing Electron.js Security
Covalence 2020 (San Francisco)
01/24/2020
Download the presentation PDF file: Covalence-2020-Carettoni-DemocratizingElectronSecurity.pdf
We love Electron.js so much, that we break it. Since 2017, we have audited dozens of Electron-based applications and witnessed a remarkable commitment to security. Back then, breaking the framework’s security mechanisms wasn’t too difficult. Fast forward to 2020, Electron.js is getting better, secure-by-default settings are slowly becoming the norm, vulnerability disclosure is handled with consolidated practices, and the dev community is gradually learning all common pitfalls.
It is better, but there is still a long road ahead. Responsibilities must be equally shared between core contributors and application developers. While the most effective way to bring security capabilities to everyone is to have them built into the framework, it is also important to have a community that considers security as a core value. Closing the web-native desktop gap is not trivial as we have to balance security with usability and framework flexibility.
In this talk we want to celebrate the progress made and discuss the technical challenges that both Electron.js maintainers and application developers are facing when building secure desktop applications. We will show common vulnerabilities and misconfigurations, discuss root causes and provide practical tips on how to mitigate existing attacks. If you care about Electron.js security, this talk is for you!
Advisory
cve-2019-xxxx
08/13/2019
Matomo - Cookie Signature Bypass Through PHP Type Confusion
08/13/2019
The "Cookie" handling class, responsible for validating the signature of a cookie value through the "extractSignedContent" function, is vulnerable to PHP Type Confusion.
Matomo Github's PR: https://github.com/matomo-org/matomo/pull/14760
Doyensec discovered that an old Android vulnerability involving the `FLAG_SECURE` setting still affected popular mobile password managers for Android (1Password, Keeper, Dashlane, et al).
The article showcases the vulnerabilities found and explains the common underlying problem.
Link: https://blog.doyensec.com/2019/08/22/modern-password-managers-flag-secure.html
Publication
slides
08/07/2019
Electronegativity: Identify Misconfigurations and Security Anti-Patterns in Electron Applications
08/07/2019
Download the presentation PDF file: Electronegativity_ArsenalBHUS2019.pdf
Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.
This is the first and only tool capable of detecting potential weaknesses and implementation bugs when developing applications using Electron, as recommended in the official security guidelines of the Electron project. Software developers and security auditors can use this tool to create secure desktop applications using web technologies.
After being first introduced at Black Hat US 2017 (Electronegativity - A Study of Electron Security) and featured at Black Hat Asia 2019 (Preloading Insecurity In Your Electron), the tool was showcased for the first time ever at the Black Hat USA 2019 Arsenal where we demonstrated its potential by scanning well-known applications.
Blog
post
08/01/2019
Lessons in auditing cryptocurrency wallets, systems, and infrastructures
08/01/2019
In the past three years, Doyensec has been providing security testing services for some of the global brands in the cryptocurrency world. We have audited desktop and mobile wallets, exchanges web interfaces, custody systems, and backbone infrastructure components.
We have seen many things done right, but also discovered many design and implementation vulnerabilities. Failure is a great lesson in security and can always be turned into positive teaching for the future. Learning from past mistakes is the key to creating better systems.
Link: https://blog.doyensec.com/2019/08/01/common-crypto-bugs.html
In this article, we explore a Jackson deserialization bug (CVE-2019-12384) discovered during one of our engagements. In particular, we illustrate how an attacker may leverage this deserialization vulnerability to trigger Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE) using a new technique that relies on the popular JDBC/H2 library.
Link: https://blog.doyensec.com/2019/07/22/jackson-gadgets.html
After the first public release of Electronegativity, we had a great response from the community and the tool quickly became the baseline for every Electron app’s security review for many professionals and organizations. This pushed us forward, improving Electronegativity and expanding our research in the field. Today we are proud to release version 1.3.0 with many new improvements and security checks for your Electron applications.
Link: https://blog.doyensec.com/2019/06/11/electronegativity-1.3.html
Blog
post
04/24/2019
On insecure zip handling, Rubyzip and Metasploit RCE (CVE-2019-5624)
04/24/2019
During one of our projects we had the opportunity to audit a Ruby-on-Rails (RoR) web application handling zip files using the Rubyzip gem. Zip files have always been an interesting entry point for triggering multiple vulnerability types, including path traversals and symlink file overwrite attacks. As the library under testing had symlink processing disabled, we focused on path traversal exploitation.
This blog post discusses our results, the “bug” discovered in the library itself and the implication of such an issue in a popular piece of software - Metasploit.
We’re back from BlackHat Asia 2019 where we introduced a relatively unexplored class of vulnerabilities affecting Electron-based applications.
Despite popular belief, secure-by-default settings are slowly becoming the norm and the dev community is gradually learning common pitfalls. Isolation is now widely deployed across all top Electron applications and so turning XSS into RCE isn’t child’s play anymore.
Link: https://blog.doyensec.com/2019/04/03/subverting-electron-apps-via-insecure-preload.html
We’re excited to announce the public release of Electronegativity, an opensource tool capable of identifying misconfigurations and security anti-patterns in Electron-based applications.
Electronegativity is the first-of-its-kind tool that can help software developers and security auditors to detect and mitigate potential weaknesses in Electron applications.
Link: https://blog.doyensec.com/2019/01/24/electronegativity.html
Since the first commit back in 2016, burp-rest-api has been the default tool for BurpSuite-powered web scanning automation. Many security professionals and organizations have relied on this extension to orchestrate the work of Burp Spider and Scanner.
Today, we’re proud to announce a new major release of the tool: burp-rest-api v2.0.1.
Starting in June 2018, Doyensec joined VMware in the development and support of the growing burp-rest-api community. After several years of experience in big tech companies and startups, we understand the need for security automation to improve efficacy and efficiency during software security activities. Unfortunately internal security tools are rarely open-sourced, and still, too many companies are reinventing the wheel. We believe that working together on foundational components, such as burp-rest-api, represents the future of security automation as it empowers companies of any size to build customized solutions.
Link: https://blog.doyensec.com/2018/11/05/burp-rest-api-v2.html
With the increasing popularity of the Electron Framework, we have created this post to summarize a few techniques which can be used to instrument an Electron-based application, change its behavior, and perform in-depth security assessments.
Link: https://blog.doyensec.com/2018/07/19/instrumenting-electron-app.html
As part of an engagement for one of our clients, we analyzed the patch for the recent Electron Windows Protocol handler RCE bug (CVE-2018-1000006) and identified a bypass.
Under certain circumstances this bypass leads to session hijacking and remote code execution. The vulnerability is triggered by simply visiting a web page through a browser. Electron apps designed to run on Windows that register themselves as the default handler for a protocol and do not prepend dash-dash in the registry entry are affected.
We reported the issue to the Electron core team (via security@electronjs.org) on May 14, 2018 and received immediate notification that they were already working on a patch. The issue was also reported by Google’s Nicolas Ruff a few days earlier.
Link: https://blog.doyensec.com/2018/05/24/electron-win-protocol-handler-bug-bypass.html
With the increasing popularity of GraphQL technology, in this blog post we are summarizing some documentation and tips about common security mistakes.
Link: https://blog.doyensec.com/2018/05/17/graphql-security-overview.html
Spotlight is the all pervasive seeing eye of the OSX userland. It drinks from a spout of file events sprayed out of the kernel and neatly indexes such things for later use. It is an amalgamation of binaries and libraries, all neatly fitted together just to give a user oversight of their box. It presents interesting attack surface and this blog post is an explanation of how some of it works.
Link: https://blog.doyensec.com/2017/11/15/osx-spotlight.html
At the recent Black Hat Briefings 2017, Doyensec’s co-founder Luca Carettoni presented a new research on Electron security. After a quick overview of Electron’s security model, we disclosed design weaknesses and implementation bugs that can be leveraged to compromise any Electron-based application. In particular, we discussed a bypass that would allow reliable Remote Code Execution (RCE) when rendering untrusted content (for example via Cross-Site Scripting) even with framework-level protections in place.
In this blog post, we would like to provide insight into the bug (CVE-2017-12581) and remediations.
Link: https://blog.doyensec.com/2017/08/03/electron-framework-security.html
Publication
slides
04/02/2019
Preloading Insecurity In Your Electron
Black Hat Asia 2019 (Singapore)
04/02/2019
Download the presentation PDF file: Asia-19-Carettoni-Preloading-Insecurity-In-Your-Electron.pdf
Modern browsers are complicated systems. They enforce numerous security mechanisms to ensure isolation between sites, facilitate web security protections and prevent untrusted remote content from compromising the security of the host. When working with Electron (https://electronjs.org/), things get even more complicated.
The good news is that building secure Electron-based desktop applications is possible. Despite popular belief, the average Electron-based app is more secure than the average web application. The framework itself is getting better, secure-by-default settings are slowly becoming the norm and the dev community is gradually learning all common pitfalls.
It's time to shift gears. In this presentation, we will discuss a relatively unexplored class of vulnerabilities that can turn a boring XSS into RCE. Even without a framework bug (e.g. nodeIntegration bypass), BrowserWindow preload introduces a new interesting attack surface to Electron-based applications.
Abusing Electron's internal IPC, loggers and other application components we will show how we can turn a Cross-Site Scripting vulnerability into a reliable exploitation mechanism to fully compromise popular desktop applications.
Advisory
cve-2018-18604
10/23/2018
Saml_idp - AssertionConsumerServiceURL Allows Account Takeover/Information Leakage
10/23/2018
A vulnerability affects the /saml/auth endpoint of the saml_idp Ruby library (<= v0.7.2) during the processing of SAML requests. The AssertionConsumerServiceURL field is not properly validated. An attacker can abuse this issue to leak the full SAML response or even perform account takeover.
saml-idp Github's PR: https://github.com/saml-idp/saml_idp/pull/102
Publication
slides
09/13/2018
A Drone Tale, All Your Drones Are Belong To Us
SEC-T 2018 (Stockholm, Sweden)
09/13/2018
Download the presentation PDF file: A-Drone-Tale-by-Paolo-Stagno-SEC-T.pdf
Drones have increased their field of application and are actively used across various industries (law enforcement and first responders, utility companies, governments and universities) to perform critical operations on a daily basis. As a result, security has also become a crucial aspect when operating remote-controlled pilotless aircraft. This talk provides a comprehensive overview of the security model and security issues affecting a popular consumer drone product: the DJI Phantom 3.
As part of an engagement for one of our clients, Doyensec analyzed the patch for the recent Electron Windows Protocol handler RCE bug (CVE-2018-1000006) and identified a bypass.
Under certain circumstances this bypass leads to session hijacking and remote code execution. The vulnerability is triggered by simply visiting a web page through a browser. Electron apps designed to run on Windows that register themselves as the default handler for a protocol and do not prepend dash-dash in the registry entry are affected.
More details in our blog post: https://blog.doyensec.com/2018/05/24/electron-win-protocol-handler-bug-bypass.html
Doyensec researchers discovered a bug in Apple's macOS Font Importer. Parsing a malicious font file will result in memory corruption and information leakage.
Apple's original advisory: https://support.apple.com/en-us/HT208221
Doyensec researchers discovered a bug in Apple's macOS ATS. Parsing a malicious font file will result in memory corruption and information leakage.
Apple's original advisory: https://support.apple.com/en-us/HT208144
An XXE vulnerability was identified in Apache Commons Jelly by Doyensec researchers. During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE) attacks.
Apache Commons' original advisory: http://commons.apache.org/proper/commons-jelly/security-reports.html#CVE-2017-12621
An arbitrary file retrieval vulnerability was identified in QNAP QTS 4.3.3 File Manager. This functionality can be abused to download arbitrary files from the NAS filesystem as root, leading to system compromise.
Download the advisory PDF file: Doyensec_Advisory_QNAPQTS4.3_FileRetrieval.pdf
Publication
slides
07/27/2017
Electronegativity - A Study of Electron Security
Black Hat USA 2017 (Las Vegas, Nevada)
07/27/2017
Download the presentation PDF file: us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf
Despite all predictions, native desktop apps are back. After years porting stand-alone apps to the web, we are witnessing an inverse trend. Many companies have started providing native desktop apps built using the same technologies as their web counterparts. In this trend, GitHub's Electron has become a popular framework to build cross-platform desktop apps with JavaScript, HTML, and CSS. While it seems to be easy, embedding a webapp in a self-contained web environment (Chromium, Node.js) introduces new security challenges. In this presentation, we will illustrate Electron's security model and describe current isolation mechanisms to prevent untrusted content from using Node.js primitives. Electron's IPC messaging, preloading and other internals will be comprehensively discussed. BrowserWindow and WebView security-relevant options will also be analyzed, together with design-level weaknesses and implementation bugs in Electron.
Publication
whitepaper
07/27/2017
Electron Security Checklist - A guide for developers and auditors
Black Hat USA 2017 (Las Vegas, Nevada)
07/27/2017
Download the whitepaper PDF file: us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf
This document introduces a checklist of security anti-patterns and must-have features to illustrate misconfigurations and vulnerabilities in Electron-based applications. Software developers and security auditors can benefit from this document as it provides a concise, yet comprehensive, summary of potential weaknesses and implementation bugs when developing applications using Electron.
A memory corruption vulnerability was identified in a core component of Apple's font parsing - CarbonCore. This issue could allow an attacker to execute code during the parsing of a malicious Datafork TrueType font.
Download the advisory PDF file: Doyensec_Advisory_FontParsingOSX.pdf
Advisory
cve-2017-2435
04/11/2017
macOS, iOS, tvOS, watchOS CoreText Corrupted Loop Index
04/11/2017
A memory corruption vulnerability was identified in a core component of Apple's font parsing - CoreText. Through a malicious True Type Collection (ttc) font file, CoreText will enter a loop unintentionally referencing out of bounds memory.
Download the advisory PDF file: Doyensec_Advisory_FontParsingOSX.pdf
An information leakage vulnerability (out-of-bounds read) was discovered in Apple's FontParser, which could allow an attacker to disclose the process memory. This issue could facilitate further exploitation.
Download the advisory PDF file: Doyensec_Advisory_FontParsingOSX.pdf
An information leakage vulnerability (out-of-bounds read) was discovered in Apple's CoreText, which could allow an attacker to disclose the process memory. This issue could facilitate further exploitation.
Download the advisory PDF file: Doyensec_Advisory_FontParsingOSX.pdf
Publication
slides
03/30/2017
Application security recipes for fast paced environments
Computerworld SEMAFOR 2017 (Warsaw, Poland)
03/30/2017
Download the presentation PDF file: Application_Security_Recipes_for_Fast-Paced_Environments.pdf
Ensuring the security of web applications in continuous delivery environments is an open challenge for many organizations. In fast-paced environments (e.g. startups, agile SDLC shops, etc.), traditional application security practices can slow continuous delivery or simply not address security at all. Instead, a new approach based on security automation and tactical security testing is required to make sure that important components are tested before going live. In this presentation, I will illustrate a few examples on how Silicon Valley-based startups approach security testing while seeking the perfect balance between compliance, security and business productivity.
AJPFuzzer is a rudimentary fuzzer for the Apache JServ Protocol, also known as 'ajp13'. Built on top of libajp13, the tool allows you to create and send AJP messages using an easy-to-use command line interface. AJPFuzzer can craft properly formatted AJP13 messages (all message types) as well as mutations (e.g. bit flipping, messages with type mismatch, etc.), which facilitates security testing efforts targeting AJP-based services like web servers' AJP modules, J2EE containers, and many others.
Download the source and binary from AJPFuzzer's Github page
libajp13 is a fully featured open source library implementing the Apache JServ Protocol version 1.3 (ajp13), based on the Apache Protocol Reference. Thanks to libajp13, it is now possible to craft properly formatted AJP binary packets with a single line of code.
Download the source and binary from libajp13's Github page