Application Security
XSS in JSON: Old-School Attacks for Modern Applications
This post highlights how cross-site scripting has adapted to today’s modern web applications, specifically the API and JavaScript Object Notation (JSON).
Application Security
Overview of Content Security Policies (CSPs) on the Web
A Content Security Policy is a protocol that allows a site owner to control what resources are loaded on a web page by the browser, and how those resources may be loaded.
Application Security
How to Prevent Cross-Site Scripting (XSS) Attacks
Cross-site scripting (XSS) isn’t new, but its impact and visibility are both growing. Here’s what you need to know to protect your applications from XSS attacks.
Application Security
App-a-Bet Soup: Should You Use a SAST, DAST, or RASP Application Security Tool?
In this blog, we discuss all things web applications and how to select the right application security solution to keep them safe from attack.
Vulnerability Disclosure
R7-2017-06 | CVE-2017-5241: Biscom SFT XSS (FIXED)
Summary
The Workspaces component of Biscom Secure File Transfer (SFT) version 5.1.1015
is vulnerable to stored cross-site scripting in two fields. An attacker would
need to have the ability to create a Workspace and entice a victim to visit the
malicious page in order to run malicious JavaScript in the context of the
victim's browser. Since the victim is necessarily authenticated, this can allow
the attacker to perform actions on the Biscom Secure File Transfer instance on
the victim's behalf.
Vulnerability Disclosure
R7-2016-24, OpenNMS Stored XSS via SNMP (CVE-2016-6555, CVE-2016-6556)
Stored server cross-site scripting (XSS) vulnerabilities in the web application
component of OpenNMS [https://www.opennms.org/en] via the Simple Network
Management Protocol (SNMP). Authentication is not required to exploit.
Credit
This issue was discovered by independent researcher Matthew Kienow
[https://twitter.com/hacksforprofit], and reported by Rapid7.
Products Affected
The following versions were tested and successfully exploited:
* OpenNMS version 18.0.0
* OpenNMS version 18.0.1
Ope
Vulnerability Disclosure
Multiple Disclosures for Multiple Network Management Systems, Part 2
As you may recall, back in December Rapid7 disclosed six vulnerabilities
[/2015/12/16/multiple-disclosures-for-multiple-network-management-systems] that
affect four different Network Management System (NMS) products, discovered by
Deral Heiland [https://twitter.com/percent_x] of Rapid7 and independent
researcher Matthew Kienow [https://twitter.com/hacksforprofit]. In March, Deral
followed up with another pair of vulnerabilities
[/2016/03/17/r7-2016-02-multiple-vulnerabilities-in-mangeengine-opu
Exploits
R7-2016-19: Persistent XSS via Unescaped Parameters in Swagger-UI (CVE-2016-5682)
Parameters within a Swagger document are insecurely loaded into a browser based
documentation. Persistent XSS occurs when this documentation is then hosted
together on a public site. This issue was resolved in Swagger-UI 2.2.1
[https://github.com/swagger-api/swagger-ui/releases/tag/v2.2.1].
Summary
One of the components used to build the interactive documentation portion of the
swagger ecosystem is the Swagger-UI [https://github.com/swagger-api/swagger-ui].
This interface generates dynamic docu
Vulnerability Disclosure
R7-2016-10: Multiple OSRAM SYLVANIA Osram Lightify Vulnerabilities (CVE-2016-5051 through 5059)
Nine issues affecting the Home or Pro versions of Osram LIGHTIFY were
discovered, with the practical exploitation effects ranging from the accidental
disclosure of sensitive network configuration information, to persistent
cross-site scripting (XSS) on the web management console, to operational command
execution on the devices themselves without authentication. The issues are
designated in the table below. At the time of this disclosure's publication, the
vendor has indicated that all but the la
IoT
What's In A Hostname?
Like the proverbial cat, curiosity can often get me in trouble, but often
enough, curiosity helps us create better security. It seems like every time I
encounter a product with a web management console, I end up feeding it data that
it wasn't expecting.
As an example, while configuring a wireless bridge that had a discovery function
that would identify and list all Wi-Fi devices in the radio range, I thought: "I
wonder what would happen if I broadcast a service set identifier (SSID)
[https://en
Exploits
Watch your SaaS: Partial parameter checking or the case of unfinished homework
“Laws are like sausages. It's better not to see them being made.” – Otto von
Bismarck
I'm not sure how many of you have kids or how diligent they are with their
homework but I'm sure you've heard stories of parents observing that their kids
have finished their homework in a remarkably short period of time. However,
upon investigation, you quickly discover that your child has only finished half
of their homework.
Sadly, this state of affairs can also be true for SaaS providers offering web
app
Penetration Testing
Top 3 Takeaways from the "Campfire Horror Stories: 5 Most Common Findings in Pen Tests" Webcast
Penetration Tests are a key part of assuring strong security, so naturally,
security professionals are very curious about how this best practice goes down
from the pen tester perspective. Jack Daniel, Director of Services at Rapid7
with 13 years of penetration testing under his belt, recently shared which flaws
pen testers are regularly using to access sensitive data on the job in the
webcast, “Campfire Horror Stories: 5 Most Common Findings in Pen Tests
[https://information.rapid7.com/campfire-
Exploits
R7-2015-01: CSRF, Backdoor, and Persistent XSS on ARRIS / Motorola Cable Modems
By combining a number of distinct vulnerabilities, attackers may take control of
the web interface for popular cable modems in order to further compromise
internal hosts over an external interface.
Affected Product
ARRIS / Motorola SURFboard SBG6580 Series Wi-Fi Cable Modem
The device is described by the vendor as a "fully integrated all-in-one home
networking solution that combines the functionality of a DOCSIS/EuroDOCSIS 3.0
cable modem, four-port 10/100/1000 Ethernet switch with advanced fi
Nexpose
NEX-37823 XSS in Nexpose vuln-summary.jsp (Fixed)
Nexpose users are urged to update to the latest version of Nexpose to receive
the patch for the described security vulnerability. Note that by default,
Nexpose installations update themselves automatically.
A cross-site scripting (XSS) vulnerability has been discovered by Yunus ÇADIRCI
[https://twitter.com/yunuscadirci] and subsequently patched in recent versions
of Rapid7's Nexpose vulnerability scanner.
By providing URL-encoded HTML tags (including script tags), an unauthenticated
attacker
Apple
Abusing Safari's webarchive file format
tldr: For now, don't open .webarchive files, and check the Metasploit module,
Apple Safari .webarchive File Format UXSS
[https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb]
Safari's webarchive format saves all the resources in a web page - images,
scripts, stylesheets - into a single file. A flaw exists in the security model
behind webarchives that allows us to execute script in the context of any domain
(a Universal Cross-site S