Day by day, technology introduces new changes affecting several aspects of everyone's life, from private individuals to industry. In such ever changing world, cutting edge research on application security is one of the topics that requires attention in order to keep up with this. Minded Security, since the beginning of its mission, has been focusing on application security research in order to professionally support analysis and mitigation of old and new threats for our customers. This talk will go through some of the research performed by Minded Security improving the quality of security and privacy of our customers.

2. w w w . m i n d e d s e c u r i t y . c o m
Who we are
✓
✓
✓
✓
✓

3. w w w . m i n d e d s e c u r i t y . c o m
Mission - Since 2007
✓
✓
✓
Minded Security: focus and strategies

4. w w w . m i n d e d s e c u r i t y . c o m
Here’s a little journey through time telling the story of
Minded Security approach and results in AppSec research.
4

5. w w w . m i n d e d s e c u r i t y . c o m
5
Industry in 2007

6. w w w . m i n d e d s e c u r i t y . c o m
It was 2007. We founded Minded Security with in mind that:
❑ Awareness is the first step to any change.
❑ Every year needs and offers change.
❑ Technology market pushes for innovation.
❑ We are an ambitious group of smart people with an high
level of expertise.
❑ Each company is a drop in the ocean of InfoSec Market (it
was in 2k7, let alone today! :)
6
Minded Security

7. w w w . m i n d e d s e c u r i t y . c o m
SINCE
“Awareness is the first step to any change”
AND
We want AppSec to be pushed in SDLC as much as possible
LET’S CONSIDER
AppSec Research as one of the keys to AppSec awareness
(well... as long as it involves widespread software ;)
...and let’s see what happens!
7
AppSec Awareness in Software Industry

8. w w w . m i n d e d s e c u r i t y . c o m
In 2007, when the majority was improving the server side
with WAFs, preventing SQL Injections and such.
What is the less mature type of software and most
widespread?
The client side.
That was the first research in Minded Security.
8
2007-2017 - The Client Side

9. w w w . m i n d e d s e c u r i t y . c o m
❑ Focus on browsers and browser plugins.
❑ Browsers + Adobe and Flash are on every PC and people
and companies completely trust the Browser sandbox…
❑ Most of the vulnerabilities rely on hard-to-find issues and
exploit such as Buffer Overflows and similar.
9
2007 - Client side Security

10. w w w . m i n d e d s e c u r i t y . c o m
❑ Adobe Universal Cross Site Scripting was an earthquake in Info
Security.
❑ For its simplicity and impact:
▪ Any browser accessing a pdf, locally or remotely, would have let
an attacker to read any file by abusing JavaScript Ajax
functionalities and the JavaScript: pseudo protocol.
http://host/file.pdf#blah=javascript:alert(“XSS”); < Remote
file:///C:/Program%20Files/Adobe/Acrobat%207.0/Resource/ENUtxt.pdf#blah=javascript:alert(“XSS”);
< Local
10
2007 - The Adobe UXSS

11. w w w . m i n d e d s e c u r i t y . c o m
Industry response - Adobe:
11
San Jose AppSec 2007

12. w w w . m i n d e d s e c u r i t y . c o m
❑ Flash Research + Tool to check issues at runtime using smart
fuzzing.
❑ Actionscript, exposed several methods that could be abused by
attackers in SWF files.
❑ Impact was similar to a UXSS but for SWF files.
A few months later we were
asked by Google to give a
Google Tech Talk.
This raised awareness among
the SWF Devs community
12
2008 Flash Security Research

13. w w w . m i n d e d s e c u r i t y . c o m
❑ Java Applets on DNS Rebinding:
▪ again, a client side issue exposing any browser to access
arbitrary files in the internal network.
https://blog.mindedsecurity.com/2010/10/dns-rebinding-on-java-applets.html
“DNS rebinding is a technique that turns a victim’s browser into a proxy for
attacking private networks. Attackers can change the IP associated with a domain
name after it has been used to load JavaScript. Since Same-Origin Policy (SOP) is
domain-based, the JavaScript will have access to the new IP.”
13
2010 - Java Applets

14. w w w . m i n d e d s e c u r i t y . c o m
14
DNS Rebinding

15. w w w . m i n d e d s e c u r i t y . c o m
So, what’s the status of Browsers Plugin today?
Minded Security with its published research and advisories
contributed to raising awareness in AppSec Industry in the topic
of Browsers and Plugins.
15
What’s the status of Browsers Plugin today?

16. w w w . m i n d e d s e c u r i t y . c o m
❑ The last step was JavaScript analysis.
❑ We created the first tool using Dynamic Tainting to Identify
and Analyze DOM Based XSS at runtime (IAST Tool when no
one used to call it that way)
▪ DOMinator - Rewrite of Mozilla JS Engine (2011)
• https://blog.mindedsecurity.com/2011/05/dominator-project.html
▪ BCDetect - Rewrite of JS on-the-fly (2016)
16
2010 - JavaScript Security

17. w w w . m i n d e d s e c u r i t y . c o m
The new motto is:
If you can’t name it you can’t identify it!
❑ Lacks of Attack formalization creates a void around
particular vulnerabilities.
❑ AppSec Industry needs formalization of attacks!
❑ Minded Security Contribution to this:
▪ 2009 JBOSS Bypass with Verb Tampering
▪ 2009 HTTP Parameter Pollution
▪ 2011 Expression Language Injection
▪ 2016 EL Injection in NetBeans
17
2009-2016 AppSec Industry Lacks

18. w w w . m i n d e d s e c u r i t y . c o m
❑ Vulnerability found and formalized by Arshan Dabirsiaghi.
❑ We found a very important issue on default JBoss
installations.
“Any user with with network access to a JBoss server was able
to bypass authentication control and perform Remote
Command Execution on the JBoss remote instance.”
https://www.mindedsecurity.com/index.php/research/advisories/msa030409
❑ Thanks to the formalization of the issue we (and other
researchers) were able to identify issues on several
products.
https://cheatsheetseries.owasp.org/assets/REST_Security_Cheat_Sheet_Bypassing_VBAAC_with_HTTP_Verb_Tampe
ring.pdf
18
JBoss - Verb Tampering

19. w w w . m i n d e d s e c u r i t y . c o m
Presented with Luca Carettoni at OWASP AppSec in 2009
Formalizes a particular type of Web Attack which takes
advantage of parsing issues of a web application.
https://owasp.org/www-pdf-archive/AppsecEU09_CarettoniDiPaola_v0.8.pdf
19
2009 - HTTP Parameter Pollution

20. w w w . m i n d e d s e c u r i t y . c o m
❑ A Spring related issue that due to double evaluation allows
an attacker to execute code in the context of the Expression
Language.
❑ The impact can vary from XSS, Sensitive Data access to
RCE.
https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf
❑ Several vulnerabilities of EL Injection have been found after
the publication of our paper.
❑ This research led a few years later to a more general
formalization named “Template Injection” by James Kettle of
PortSwigger.
20
2011 - Expression Language Injection

21. w w w . m i n d e d s e c u r i t y . c o m
❑ There is a virtual space everyone’s expects to be private,
even at home.
▪ How do we conceive our personal space in internet?
▪ How in our home/office/company?
❑ The issue involves what might be called:
Internal Perimeter Privacy or Cyber Proxemics
❑ Minded Security research also covered this topics with:
▪ 2018 - JStillery: JavaScript Malware Deobfuscation
▪ 2019 - DNS Rebinding + UPnP: A research to raise
awareness about an issue known since 2006.
▪ 2020 - Behave! A Browser Extension to warn if a web page
performs malicious scans in the internal network.
21
2018-2020 - Internal Perimeter Privacy

22. w w w . m i n d e d s e c u r i t y . c o m
https://www.slideshare.net/mindedsecurity/js-deobfuscation-with-jstillery-bsidesroma-2018
22
2018 - JStillery

23. w w w . m i n d e d s e c u r i t y . c o m
❑ DNS Rebinding.Rewind + IOT == Privacy gone
23
2019 DNS Rebinding + UPnP

24. w w w . m i n d e d s e c u r i t y . c o m
❑ A (Still in Development) monitoring browser extension for
pages acting as bad boys.
https://github.com/mindedsecurity/behave
24
2020 - Behave!

25. w w w . m i n d e d s e c u r i t y . c o m
❑ A (Still in Development) monitoring browser extension for
pages acting as bad boys.
https://github.com/mindedsecurity/behave
25
2020 - Behave!

26. w w w . m i n d e d s e c u r i t y . c o m
Key Role of Minded Security in OWASP
✓
✓
✓
✓
✓

27. w w w . m i n d e d s e c u r i t y . c o m
❑ Research, Development, Participation and Vertical
Expertise are a winning approach if pursued with attention
and dedication.
❑ Our expertise is supported and cherished by a team of very
smart people working with passion and focus.
❑ This approach led Minded Security to be an important
reality in Application Security since 2007 to present day.
❑ At international level.
27
Conclusions

28. w w w . m i n d e d s e c u r i t y . c o m
Minded Security Customers & Global Reach