11 min
Application Security
XSS in JSON: Old-School Attacks for Modern Applications
This post highlights how cross-site scripting has adapted to today’s modern web applications, specifically the API and JavaScript Object Notation (JSON).
2 min
Javascript
What are Javascript Source Maps?
It's generally a good practice to minify and combine your assets (Javascript &
CSS) when deploying to production. This process reduces the size of your assets
and dramatically improves your website's load time.
Source maps create a map from these compressed asset files back to the source
files.
This source map allows you to debug and view the source code of your compressed
assets, as if you were actually working with the original CSS and Javascript
source code.
Take a look at jQuery minifi
3 min
Javascript
Web Application Security Testing: Single Page Applications Built with JavaScript Frameworks
In recent years, more and more applications are being built on popular new
JavaScript frameworks like ReactJS and AngularJS. As is often the case with new
application technologies, these frameworks have created an innovation gap for
most application security scanning solutions and an acute set of challenges for
those of us who focus on web application security
[https://www.rapid7.com/solutions/web-application-security.jsp]. It is
imperative that our application security testing approaches keep p
4 min
Javascript
AppSpider application security scanning solution deepens support for Single Page Applications - ReactJS
Today, Rapid7 is pleased to announce an AppSpider
[https://www.rapid7.com/products/appspider/] (application security scanning)
update that includes enhanced support for JavaScript Single Page Applications
(SPAs) built with ReactJS. This release is significant because SPAs are
proliferating rapidly and increasingly creating challenges for security teams.
Some of the key challenges with securing SPAs are:
1. Diverse frameworks - The diversity and number of JavaScript frameworks
contributes
5 min
IT Ops
Client Side Logging In Javascript
Developers are writing Javascript applications of increasing complexity designed
to run in web browsers, on desktops, and on servers. Javascript applications
have reached a level of maturity that means they are running important business
operations. They must be more maintainable and supportable now that they have
achieved this level of responsibility in the enterprise. Javascript
applications should be expected to provide the same information for support and
maintenance as any other applic
3 min
AppSpider
7 Ways to Improve the Accuracy of your Application Security Tests
For more than 10 years, application security testing has been a common practice
to identify and remediate vulnerabilities in web applications. While it's
difficult to figure out the best web security software for your organization,
there are seven key techniques that not only increase accuracy of testing in
most applications, but also enable teams to leverage expert resources to test
necessary areas by hand.
IT security experts who conduct application security testing or are trying to
fi
4 min
Javascript
12 Days of HaXmas: Improvements to jsobfu
This post is the third in a series, 12 Days of HaXmas, where we take a look at
some of the more notable advancements and events in the Metasploit Framework over
the course of 2014.
Several months ago, Wei sinn3r [https://twitter.com/_sinn3r] Chen and I landed
some improvements to Metasploit's Javascript obfuscator, jsobfu. Most notably,
we moved it out to its own repo [https://github.com/rapid7/jsobfu] and gem
[https://rubygems.org/gems/jsobfu], wrapped it in tests, beefed up its AV
resilience, and
3 min
Android
Ahoy! It's the Metasploit Weekly Wrapup: More on Android UXSS and refreshing JSObfu
First things first -- today is International Talk Like a Pirate Day
[http://www.talklikeapirate.com/howto.html], which is great for me, given my
office decor [http://i.imgur.com/XGnzkMm.jpg]. Arrr! So grab a flagon of grog,
and read on, ye landlubbers!
Updates to the Android Universal XSS bug (CVE-2014-6041)
This has been a pretty busy week for us here in Metasploit Nation. You probably
heard about Rafay Baloch [https://twitter.com/rafaybaloch]'s kind of massive
SOP-busting Android disclosure
5 min
Exploits
Exploiting CSRF under NoScript Conditions
CSRFs -- or Cross-Site Request Forgery [https://www.owasp.org/index.php/CSRF]
vulnerabilities -- occur when a server accepts requests that can be “spoofed”
from a site running on a different domain. The attack goes something like this:
you, as the victim, are logged in to some web site, like your router
configuration page, and have a valid session token. An attacker gets you to
click on a link that sends commands to that web site on your behalf, without
your knowledge.
These vulnerabilities ca
2 min
Exploits
New Metasploit Payloads for Firefox Javascript Exploits
Those of you with a keen eye on metasploit-framework/master
[https://github.com/rapid7/metasploit-framework] will notice the addition of
three new payloads:
* firefox/shell_reverse_tcp
* firefox/shell_bind_tcp
* firefox/exec
These are Javascript payloads meant for executing in a privileged Javascript
context inside of Firefox. By calling certain native functions not meant to be
exposed to ordinary web content, a classic TCP command shell can be opened. To a
pentester, these payloads are use
4 min
Ruby on Rails
12 Days of HaXmas: Exploiting (and Fixing) RJS Rails Info Leaks
This post is the fifth in a series, 12 Days of HaXmas, where we take a look at
some of the more notable advancements in the Metasploit Framework over the course of
2013.
Several weeks ago, Egor Homakov wrote a blog post
[http://homakov.blogspot.com/2013/11/rjs-leaking-vulnerability-in-multiple.html]
pointing out a common info leak vulnerability in many Rails apps that utilize
Remote JavaScript. The attack vector and implications can be hard to wrap your
head around, so in this post I'll explain ho
3 min
Metasploit
The Art of Keylogging with Metasploit & Javascript
Rarely does a week go by without a friend or family member getting their login
credentials compromised, then reused for malicious purposes. My wife is always
on the lookout on Facebook, warning relatives and friends to change their
passwords. Many people don't understand how their credentials get compromised.
Password reuse on several websites is usually the culprit. Password reuse is a
problem even if the website encrypts the passwords in their databases. An
attacker only needs to insert some
3 min
Javascript
Javascript Obfuscation in Metasploit
As of this writing, Metasploit has 152 browser exploits. Of those, 116 use
javascript either to trigger the vulnerability or as a means to control the
memory layout of the browser process [1]. Right now most of that javascript is
static. That makes it easier for anti-virus and IDS folks to signature. That
makes it less likely for you to get a shell.
Skape recognized this problem several years ago and added
Rex::Exploitation::ObfuscateJS to address it. This first-gen obfuscator was
based on sub