Posts tagged Javascript

11 min Application Security

XSS in JSON: Old-School Attacks for Modern Applications

This post highlights how cross-site scripting has adapted to today’s modern web applications, specifically the API and Javascript Object Notation (JSON).

4 min Vulnerability Management

CVE-2020-6287: Critical Vulnerability in SAP NetWeaver Application Server (AS) Java

The new SAP vulnerability (RECON), a critical vulnerability affecting the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard, is a huge deal.

1 min Research

A Serial Problem: Exploitation and Exposure of Java Serialized Objects

In our new research report, we take a look at Java Serialized Objects (JSOs), which are a reliable threat vector and present a rising threat to enterprise networks.

2 min Javascript

What are Javascript Source Maps?

It's generally a good practice to minify and combine your assets (Javascript & CSS) when deploying to production. This process reduces the size of your assets and dramatically improves your website's load time. Source maps create a map from these compressed asset files back to the source files. This source map allows you to debug and view the source code of your compressed assets, as if you were actually working with the original CSS and Javascript source code. Take a look at jQuery minifi

4 min Application Security

AppSpider application security scanning solution deepens support for Single Page Applications - ReactJS

Today, Rapid7 is pleased to announce an AppSpider (application security scanning) update that includes enhanced support for JavaScript Single Page Applications (SPAs) built with ReactJS. This release is significant because SPAs are proliferating rapidly and increasingly creating challenges for security teams. Some of the key challenges with securing SPAs are: 1. Diverse frameworks - The diversity and number of JavaScript frameworks contribute to the complexity in finding adequate scan co

5 min Javascript

Client Side Logging In Javascript

Developers are writing Javascript applications of increasing complexity designed to run in web browsers, on desktops, and on servers.  Javascript applications have reached a level of maturity that means they are running important business operations.  They must be more maintainable and supportable now that they have achieved this level of responsibility in the enterprise.  Javascript applications should be expected to provide the same information for support and maintenance as any other applic

1 min Patch Tuesday

Oracle Java JRE AES Intrinsics Remote Denial of Service (CVE-2015-2659)

Java 8 server versions prior to u46 are susceptible to a remote unauthenticated denial of service (hard crash) when used with AES intrinsics (AES-NI) CPU extensions on supported processors. AES intrinsics are enabled by default on the Oracle JVM if the JVM detects that processor capability, which is common for modern processors manufactured after 2010. For more on AES-NI, see the Wikipedia article [https://en.wikipedia.org/wiki/AES_instruction_set]. This issue was tracked in the OpenJDK p

4 min Haxmas

12 Days of HaXmas: Improvements to jsobfu

This post is the third in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements and events in the Metasploit Framework over the course of 2014. Several months ago, Wei sinn3r [https://twitter.com/_sinn3r] Chen and I landed some improvements to Metasploit's Javascript obfuscator, jsobfu. Most notably, we moved it out to its own repo [https://github.com/rapid7/jsobfu] and gem [https://rubygems.org/gems/jsobfu], wrapped it in tests, beefed up its AV resilience, and

5 min Exploits

Exploiting CSRF under NoScript Conditions

CSRFs -- or Cross-Site Request Forgery [https://www.rapid7.com/fundamentals/cross-site-request-forgery/] vulnerabilities -- occur when a server accepts requests that can be “spoofed” from a site running on a different domain. The attack goes something like this: you, as the victim, are logged in to some web site, like your router configuration page, and have a valid session token. An attacker gets you to click on a link that sends commands to that web site on your behalf, without your knowledge

4 min Haxmas

12 Days of HaXmas: Exploiting (and Fixing) RJS Rails Info Leaks

This post is the fifth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013. Several weeks ago, Egor Homakov wrote a blog post [http://homakov.blogspot.com/2013/11/rjs-leaking-vulnerability-in-multiple.html] pointing out a common info leak vulnerability in many Rails apps that utilize Remote JavaScript. The attack vector and implications can be hard to wrap your head around, so in this post I'll explain ho

2 min Nexpose

Multi-tenant User Provisioning

Performing bulk operations can be time consuming in Nexpose. A good example is user provisioning, which can take a long time. Using the Nexpose APIs is an effective way to save time and eliminate the error-prone process of doing everything manually. For this blog post, I want to demonstrate how you can manage users using the Nexpose API. I will be using an open source Java API client, which is available on clee-r7/nexpose_java_api · GitHub [https://github.com/clee-

0 min Nexpose

Nexpose Reporting with the Java API Client

Nexpose reporting just got easier! Now you can manage and generate Nexpose reports through an interactive application that leverages the Nexpose Java API client. Here is a list of the options that are currently supported. 1. List Reports 2. Generate Reports 3. Delete Reports 4. Delete Report Configurations (and all associated reports) 5. View Report Configuration 6. View Report History Attached is a copy of the application and the source code so you can easily modify and extend its func

5 min Javascript

Creating a bunch of users at once using the Nexpose API

I would like to take the time to share an example of how you can use the Nexpose API to create a batch of users at one time with the use of a CSV file. Sounds too good to be true, right? I swear to you that this is not a mirage. In fact, I am prepared to put my money where my mouth is and post a code example with Rapid7's very own Open Source Java API client. This will allow you to do the following: * Interactively specify a CSV file to create, update and even remove existing users * Please s

2 min Nexpose

Automating Nexpose Discovery Connections through the Java API

Nexpose has long offered APIs allowing for automated workflow operations. The following examples are intended to help Nexpose users automate the discovery mechanisms feature through the API. The following code shows how to leverage the Java API client [https://github.com/clee-r7/nexpose_java_api] to create, list, update and delete discovery mechanisms in Nexpose. Nexpose supports the Discovery connection API starting with version 5.2. The supported operations on the API with regard to discovery ar

4 min Javascript

Java API client - How to augment it and share with the community

The prerequisite is that you get the client: clee-r7/nexpose_java_api · GitHub [https://github.com/clee-r7/nexpose_java_api] This blog post will show you how to augment the Java API client and use it in 4 easy steps. The Java API client uses XML templates to generate requests. Browse to the src/org/rapid7/nexpose/api folder within the API source code and you will see the templates for the currently supported API client requests, e.g. AssetGroupSaveRequest.xml. There are currently 2 versions of