5 min
Cloud Security
Real-Time Risk Mitigation in Google Cloud Platform
With Google Cloud Next happening this week, there’s been some recent water cooler talk where discussions about what makes Google Cloud Platform unique when it comes to security.
4 min
News
State-Sponsored Threat Actors Target Security Researchers
On Monday, Google’s Threat Analysis Group published a blog on a widespread social engineering campaign that targeted security researchers working on vulnerability research and development.
5 min
Cloud Infrastructure
How to Set Up InsightVM in Your Google Cloud Environment
In this blog post, we’ll go over how to set up our vulnerability scanner, InsightVM in your Google Cloud and how to tweak it for your environment.
2 min
Metasploit
Metasploit, Google Summer of Code, and You!
Spend the summer with Metasploit
I'm proud to announce that the Metasploit Project has been accepted as a mentor
organization in the Google Summer of Code! For those unfamiliar with the
program, their about page [https://summerofcode.withgoogle.com/about/] sums it
up nicely:
> Google Summer of Code is a global program focused on introducing students to
open source software development. Students work on a 3 month programming project
with an open source organization during their break from univer
2 min
API
Mobile App & API Security - Application Security's "Where Waldo"
A version of this blog was originally posted on Feb. 1, 2013
As I have discussed in previous posts and at conferences, like OWASP AppSecUSA,
while the number of attacks continue to increase, the attack techniques aren't
new at all. They are actually the same old attacks like SQL Injection showing up
in new places including API's, mobile application services and AJAX
applications. Because these newer technologies have exploded in popularity and
become more mainstream, we keep seeing these same o
1 min
Android
Disclosure: Android Chrome Address Bar Spoofing (R7-2015-07)
Android Chrome Address Bar Spoofing (R7-2015-07)
Summary
Due to a problem in handling 204 "No Content" responses combined with a
window.open event, an attacker can cause the stock Chrome browser on Android to
render HTML pages in a misleading context. This effect was confirmed on an
Android device running Lollipop (5.0). An attacker could use this vulnerability
to convince a victim of a phishing e-mail, text, or link to enter private
credentials to an untrusted page controlled by the attacker.
2 min
Android
R7-2015-02: Google Play Store X-Frame-Options (XFO) Gaps Enable Android Remote Code Execution (RCE)
Vulnerability Summary
Due to a lack of complete coverage for X-Frame-Options
[https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options] (XFO)
support on Google's Play Store [https://play.google.com/] web application
domain, a malicious user can leverage either a Cross-Site Scripting (XSS)
vulnerability in a particular area of the Google Play Store web application, or
a Universal XSS (UXSS) targeting affected browsers, to remotely install and
launch the main intent of an arbitrary Play S
3 min
Cloud Infrastructure
Securing the Shadow IT: How to Enable Secure Cloud Services for Your Business
You may fear that cloud services jeopardize your organization's security. Yet,
your business relies on cloud services to increase its productivity. Introducing
a policy to forbid these cloud services may not be a viable option. The better
option is to get visibility into your shadow IT and to enable your business to
use it securely to increase productivity and keep up with the market.
Step one: Find out which cloud services your organization is using
First, you'll want to figure out what is act
2 min
Android
Metasploit Weekly Wrapup: Another Android Universal XSS
Click and Get Owned on Android... Again
This week, we landed another Metasploit exploit for another Android WebView
vulnerability
[http://www.rapid7.com/db/modules/auxiliary/gather/android_object_tag_webview_uxss]
; this time, it's a problem that occurs when replacing the "data" attribute of a
given HTML object with a JavaScript URL scheme. Like the last Android security
disaster [/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041] we
made a lot of noise about, this affects the st
1 min
Android
Android browser privacy bug explained [VIDEO]: Whiteboard Wednesday
todb [https://community.rapid7.com/people/todb]'s post earlier this week about
the flaw in Android's Open Source Platform browser
[/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041] has been
getting a lot of attention this week, and for good reason: By the numbers,
Android 4.2 and earlier builds have the vulnerable browser in question, and
about 75% of Androids in the world today are using pre-4.4 builds. While not
everyone uses the AOSP browser on their phone—certainly Firefox,
3 min
Product Updates
Weekly Update: Apache Struts Exploit, Android Meterpreter, and New Payloads
Apache Struts Exploit
This week's update includes an exploit for a pretty recent vulnerability in
Apache Struts, thanks to community contributor Richard @Console
[https://github.com/Console] Hicks. The struts_include_param module exercises
the vulnerability described at OSVDB 93645 [http://www.osvdb.org/93645],
disclosed on May 23, 2013, a bare two weeks ago, and originally discovered by
Eric Kobrin and Douglad Rodrigues.
The reason why I bring this up is not just because it's a solid exploit f