Day by day, technology introduces new changes affecting several aspects of everyone's life, from private individuals to industry. In such an ever-changing world, cutting-edge research on application security is one of the topics that requires attention in order to keep up. Minded Security, since the beginning of its mission, has been focusing on application security research in order to professionally support the analysis and mitigation of old and new threats for our customers. This talk will go through some of the research performed by Minded Security to improve the quality of security and privacy for our customers.
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017 - Madhu Akula
We will discuss the what, why and the how of running modern security operations. We will take a look at the pain points in a DevOps life cycle and see the benefits of pragmatic security solutions. Attendees will get an idea about where and how to start DevSecOps for a secure DevOps pipeline.
This talk is focused on the what, why and the how of running security operations in the modern world. The way attacks are changing and developers are moving ahead with the next generation technologies is blazingly fast. However, traditional operations still exist. It then becomes imperative to make changes in the way security operations should run to defend against attackers and work with developers and modern businesses. In this talk, we will see what are the real world problems faced by organisations, how we can rapidly adapt to changes by modifying the culture and methodologies while relying on processes, tools and techniques.
OWASP Ireland June Chapter Meeting - Paul Mooney on ARMOR & CSRF - Paul Mooney
Slides from Paul Mooney's talk at the OWASP Ireland June Chapter meeting offering an overview of the Encrypted Token Pattern, and ARMOR, its .NET implementation.
Kymberlee Price and Sam Vaughan, Microsoft
Many developers today are turning to well established third-party open source components and libraries to speed the development process and realize quality improvements over creating an in-house proprietary font parsing or image rendering library from the ground up. Efficiency comes at a cost though: a single OSS component may have multiple additional OSS subcomponents, and an application or service may have dozens of different third party libraries implemented. The result is that third-party and open source libraries have the ability to spread a single vulnerability across multiple products - exposing enterprises and requiring software vendors and IT organizations to patch the same vulnerability repeatedly. This presentation will dive deep into vulnerability data and explore the source and spread of OSS vulnerabilities through products – as well as actions developers, the security research community, and enterprise customers can take to address this problem.
Equifax cyber attack contained by containers - Aqua Security
Equifax cyber attack - What if they had used containers?
- Block Image with Struts Vulnerability
- Virtual Patching To Block Exploit
- Prevent Host-based DOS Attack
- Situational Awareness
DevOops Redux - Ken Johnson, Chris Gates - AppSec USA 2016 - Chris Gates
In a follow-up to the duo’s offensive focused talk “DevOops, How I hacked you”, they discuss defensive countermeasures and real experiences in preventing attacks that target flaws in your DevOps environments. In this talk, Chris and Ken describe common ways in which DevOps environments fall prey to malicious actors with a focus on preventative steps. The team will present their recommended approach to hardening for teams using AWS, Continuous Integration, GitHub, and common DevOps tools and processes. More specifically, the following items will be demonstrated:
- AWS Hardening
- AWS Monitoring
- AWS Disaster Recovery
- GitHub Monitoring
- OPINT
- Software Development Practices/Processes
- Secure use of Jenkins/Hudson
- Developer laptop hardening (OS X)
Author: Jakub Kaluzny
Let's talk about large-scale security programmes and maintaining security with tens of project teams - agile or waterfall, in-house or outsourced. I will discuss how to effectively track security requirements, organise threat modelling sessions, log the output from those and translate it into penetration testing scope and test cases. We will dive deep into evil brainstorming, come up with abuser stories for each user story and define what makes the SDLC process secure or not. This talk is based on my work with different organisations in multiple countries and observations of what works well in regards to security at scale and what does not.
PLNOG23 - Paweł Rzepa - Attacking AWS: the full cyber kill chain - PROIDEA
Nowadays it is common practice to carry out periodic security tests of the local network, but company owners rarely decide to run similar tests of their cloud environments. We need to understand the new threats and risks that have appeared together with cloud services, and how we should change our approach to testing them. The aim of my presentation is to show the necessity of testing the cloud environment and how much it differs from testing an environment based on a classic architecture. In the form of a demo I will present an example attack on a company using AWS services. Using a vulnerability in a web application, followed by a series of small oversights in the AWS configuration, I will show how a potential attacker could step by step take over the AWS administrator role and then delete all evidence of their activity.
Nancy is a lightweight, low-ceremony framework for building HTTP-based services on .Net and Mono. The goal of the framework is to stay out of the way as much as possible and provide a super-duper-happy-path to all interactions. Find out more about it at nancyfx.org.
This slide deck (in English) was used at the DWX Conference in Nürnberg in July 2013 and provides you with an overview of the basic elements of the framework. The presentation material as well as the demo code can be found on GitHub at https://github.com/Timothep/Talk.NancyFx
Author: Paweł Rzepa
In this talk I'm going to show you various attack vectors against the serverless applications built from AWS Lambda functions. You'll see:
- my findings on publishing malicious NPM packages to smuggle malicious code into legitimate-looking dependencies,
- examples of validation errors in serverless applications, including Denial of Wallet attacks and RCE in a fugacious, serverless environment,
- serverless attacks and security nuances in Azure and GCP
- recipes to prevent those attacks
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards - SecuRing
The presentation focuses on the whole process of security testing and presents it through analogies to web applications, which are quite well known. It covers the whole SDLC and shows the similarities and differences in the arsenal of vulnerabilities, security tools and standards between smart contracts and web applications at each step. Even though there exist a lot of great security projects for smart contracts, we do not have a single, widely accepted security standard (such as ASVS in the web apps world). That is why we introduce SCSVS (Smart Contract Security Verification Standard), an open-source 13-part checklist created to standardize the security of smart contracts for developers, architects, security reviewers and vendors.
Mobile Penetration Testing: Episode III - Attack of the Code - NowSecure
In the final installment of our mobile penetration testing trilogy, we dive deep to find security flaws in mobile apps by dissecting the code with reverse-engineering and code analysis.
The final talk of the Frontend2010 conference in Oslo, Norway, talking about the need to make technical advancements interesting for people outside our comfort zone and about the benefits of using all the web technologies at our disposal to build bullet-proof solutions rather than flimsy showcases of what technologies could be used for.
JavaScript is the most widely used language across platforms. This talk will analyze the security concerns from past to present, with a peek into the future of this important language. This talk was presented as the keynote at CyberCamp España 2014.
Node.js has become one of the main tools developers use to create backends for their web apps. Read on to get some tips on how to make the most of this framework.
https://www.solutionanalysts.com/blog/8-valuable-tips-to-master-best-code-practices-in-node-js/
Asset Discovery in India - Redhunt Labs
Leading asset discovery company Redhunt Labs provides a variety of solutions to assist companies in India in securing their online assets and guarding against cyber threats. Our agentless platform NVADR has been successful for many of our customers in locating significant data leaks across publicly exposed Docker containers. NVADR has the capability to continually monitor your exposed Docker assets from across the globe.
We also provide a free scan if you'd like to examine the attack surface of your company. Visit our page for more information.
Application security for the modern web - ISSA South Texas Houston DevOps - Phillip Maddux
Presented on September 9, 2018 at ISSA South Texas Houston DevOps conference (http://www.southtexasissa.org/).
Over the last several years we’ve witnessed, and experienced, an advance towards new approaches in web technologies and the processes to deploy web applications. In this talk, we’ll explore and describe the “Modern Web”, discuss observations on the evolution of the Secure SDLC, recognize existing challenges in achieving real-time threat visibility once web applications are deployed to production, and finally, walk through the concepts that address the challenges in fast paced “agile” development cycles.
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ... - NowSecure
+ How do vulnerable mobile apps and insecure V2D communications put drivers and manufacturers at risk?
+ Applying crashworthiness and safety ratings concepts to mobile app and connected car cybersecurity
+ How to manage mobile app security defects and vulnerabilities in the connected car and mobile app development process
This talk focussed on the challenges facing the DevOps community from the "developer culture perspective" and the consequences of the perceived disinterest in inculcating a complete 360-degree risk mitigation framework in DevOps practices.
The talk touched on the legal, security and operational risk of using open source in the SDLC, the need for an internal, customized open source policy, and a two-step approach to resolve these risks.
Serverless is now a well-established pattern for all things cloud. As we leverage this style of architecture with more power, we require more control. Discover how good architects and developers design and develop serverless platforms for the enterprise. We describe a framework that will move your serverless systems from good to great and help you grow our connected world.
This talk is an introduction to Secure Coding for Java. Through various examples it will present the good practices that make it possible to develop a secure Java application in a pragmatic way. We will cover functional practices as well as pieces of Java code containing errors, along with their fixes.
New Era of Software with modern Application Security v1.0 - Dinis Cruz
(as presented at Codemotion Rome 2016)
This presentation will start with an overview of the current state of application insecurity (with practical examples). This will make the attendees think twice about what is about to happen to their applications. The solution is to leverage a new generation of application security thinking such as: TDD, Docker, test automation, static analysis, clever fuzzing, JIRA risk workflows, Kanban, micro web services visualization, and ELK. These practices will not only make applications/software more secure/resilient, but also allow them to be developed in a much more efficient, cheaper and productive
More and more enterprises are restructuring their development teams to replicate the agility and innovation of startups.
In the last few years, microservices have gained popularity for their ability to provide modularity, scalability, high availability, as well as make it easier for smaller development teams to develop in an agile way.
But how do they deal with security? What about security contexts?
This talk will give insights about the most interesting issues found in the last years while testing the security of multilayered microservices solutions and how they were fixed.
Minded Security offers a series of courses that target different skills including secure design, secure coding, secure testing and vulnerability management. Besides the software developers, the main target roles for software security training are the software architects, the business analysts, the project managers and the information security managers/officers.
The training courses being developed by Minded Security have been developed over the course of several years (since 2007) delivering software security professional services for customers.
This month we delivered a really interesting Live Hacking Demo for one of our relevant customers. We published the anonymized results and you can have a look here.
This talk introduces the new OWASP projects focusing on the new GDPR regulation and the impact on the Software Development Life Cycle for a Company today.
Minded Security was invited to give a 4-minute pitch at CyberTech Europe 2017. In this presentation we describe the technology Blueclosure, a JavaScript security platform for developers, auditors, testers and SOCs, used to identify, detect and respond to JS security flaws in the code.
BC Detect Enterprise is a product designed to automate client-side JavaScript security analysis, and to provide continuous integration with DevOps teams for testing Web client side security issues.
Minded Security - Fabrizio Bugli - (3rd) party like nobody's watching... - Minded Security
1. 3rd Party Software: how to manage the update of 3rd party software
2. 3rd Party Development: Outsourcing
3. 3rd Party Supplier
4. 3rd Party OF THINGS
Matteo Meucci - Software Security in practice - AIEA Torino - 30-10-2015 - Minded Security
Matteo Meucci did a talk on software security in practice, describing the actual scenario and the roadmap for the enterprise to improve their maturity in the SDLC.
== Abstract ==
Presented at Analysis of Security APIs
Satellite workshop of IEEE CSF
July 13th 2015, Verona, Italy
http://www.dsi.unive.it/~focardi/ASA8/#program
The browser's HTML sandbox is, by default, only protected by the "Same Origin Policy". Although this simple constraint gave companies a very flexible environment to play with, and was probably one of the key features that led the Web to the success we see now, it is quite unsatisfactory from a security perspective. In fact, this solution does not address the problem of letting third-party code access all the data in the DOM once it is explicitly loaded and executed by the browser. This behaviour opens the door to malicious third-party code attacks that can be carried out using either Cross Site Scripting (OWASP Top Ten security risk #1 for many years) or second-order attacks, such as malvertising software. In the past, several attempts to sandbox untrusted code have been made. In this talk we will focus on the successes and failures of the most interesting open source browser sandboxing techniques.
PHP Object Injection refers to a class of vulnerabilities that can affect PHP applications that use the "unserialize" function in an insecure way. Through this kind of vulnerability a potential attacker could be able to "inject" one or more objects into the application's scope. The attributes of these objects can be arbitrarily modified by the attacker, and this could cause unexpected behaviour in the application's execution flow, which could allow the attacker to carry out various types of attacks or, in the most severe cases, to execute arbitrary PHP code.
Bridging the Digital Gap - Brad Spiegel Macon, GA Initiative.pptx - Brad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024 - APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Multi-cluster Kubernetes Networking - Patterns, Projects and Guidelines - Sanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
1. Wireless Communication System - Wireless communication is a broad term that i... - JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
IEEE S&P 2020 - Software Security: from Research to Industry.
1.
2. www.mindedsecurity.com
Who we are
3. Mission - Since 2007
Minded Security: focus and strategies
4. Here's a little journey through time telling the story of the Minded Security approach and results in AppSec research.
5. Industry in 2007
6. Minded Security
It was 2007. We founded Minded Security with the following in mind:
❑ Awareness is the first step to any change.
❑ Every year needs and offers change.
❑ The technology market pushes for innovation.
❑ We are an ambitious group of smart people with a high level of expertise.
❑ Each company is a drop in the ocean of the InfoSec market (it was in 2k7, let alone today! :)
7. AppSec Awareness in Software Industry
SINCE
"Awareness is the first step to any change"
AND
We want AppSec to be pushed into the SDLC as much as possible
LET'S CONSIDER
AppSec research as one of the keys to AppSec awareness
(well... as long as it involves widespread software ;)
...and let's see what happens!
8. 2007-2017 - The Client Side
In 2007, while the majority was improving the server side with WAFs, preventing SQL injection and the like, what was the least mature and most widespread type of software?
The client side.
That was the first research topic at Minded Security.
9. 2007 - Client side Security
❑ Focus on browsers and browser plugins.
❑ Browsers + Adobe and Flash are on every PC, and people and companies completely trust the browser sandbox…
❑ Most of the vulnerabilities rely on hard-to-find issues and exploits such as buffer overflows and similar.
10. 2007 - The Adobe UXSS
❑ Adobe Universal Cross Site Scripting was an earthquake in information security.
❑ For its simplicity and impact:
▪ Any browser opening a PDF, locally or remotely, would let an attacker read any file by abusing JavaScript Ajax functionality and the javascript: pseudo-protocol.
http://host/file.pdf#blah=javascript:alert("XSS"); < Remote
file:///C:/Program%20Files/Adobe/Acrobat%207.0/Resource/ENUtxt.pdf#blah=javascript:alert("XSS"); < Local
11. San Jose AppSec 2007
Industry response - Adobe:
12. w w w . m i n d e d s e c u r i t y . c o m
❑ Flash research + a tool to check for issues at runtime using smart
fuzzing.
❑ ActionScript exposed several methods that could be abused by
attackers in SWF files.
❑ The impact was similar to a UXSS, but for SWF files.
A few months later we were asked by Google to give a
Google Tech Talk.
This raised awareness among the SWF developer community.
2008 Flash Security Research
❑ Java Applets and DNS Rebinding:
▪ again, a client-side issue that let any browser access
arbitrary files in the internal network.
https://blog.mindedsecurity.com/2010/10/dns-rebinding-on-java-applets.html
“DNS rebinding is a technique that turns a victim’s browser into a proxy for
attacking private networks. Attackers can change the IP associated with a domain
name after it has been used to load JavaScript. Since Same-Origin Policy (SOP) is
domain-based, the JavaScript will have access to the new IP.”
2010 - Java Applets
DNS Rebinding
So, what is the status of browser plugins today?
Minded Security, with its published research and advisories,
contributed to raising awareness in the AppSec industry on the topic
of browsers and plugins.
What’s the status of browser plugins today?
❑ The last step was JavaScript analysis.
❑ We created the first tool using dynamic tainting to identify
and analyze DOM Based XSS at runtime (an IAST tool, before
anyone called it that).
▪ DOMinator - rewrite of the Mozilla JS engine (2011)
• https://blog.mindedsecurity.com/2011/05/dominator-project.html
▪ BCDetect - on-the-fly rewriting of JS (2016)
2010 - JavaScript Security
The new motto is:
If you can’t name it you can’t identify it!
❑ Lack of attack formalization creates a void around
particular vulnerabilities.
❑ The AppSec industry needs formalization of attacks!
❑ Minded Security Contribution to this:
▪ 2009 JBOSS Bypass with Verb Tampering
▪ 2009 HTTP Parameter Pollution
▪ 2011 Expression Language Injection
▪ 2016 EL Injection in NetBeans
2009-2016 - AppSec Industry Gaps
❑ Vulnerability class found and formalized by Arshan Dabirsiaghi.
❑ We found a very important issue on default JBoss
installations.
“Any user with network access to a JBoss server was able
to bypass authentication control and perform Remote
Command Execution on the JBoss remote instance.”
https://www.mindedsecurity.com/index.php/research/advisories/msa030409
❑ Thanks to the formalization of the issue, we (and other
researchers) were able to identify issues on several
products.
https://cheatsheetseries.owasp.org/assets/REST_Security_Cheat_Sheet_Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf
JBoss - Verb Tampering
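As an added example (not code from the deck or from Minded Security), a Python check a defender can run over a deployment descriptor to find the misconfiguration behind the VBAAC bypass described above: a security-constraint that enumerates HTTP verbs only protects those verbs. The web.xml below is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml for illustration (not a file from any real JBoss
# release). The first constraint lists GET and POST, so a request with any
# other verb (HEAD, or an arbitrary method) is not covered by the role check:
# that is the verb-tampering bypass. The second constraint is the safe form.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything else</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _tag(root, local):
    """Namespace-aware tag: works for web.xml with the Java EE namespace and
    for old DTD-based descriptors that have none."""
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    return "{%s}%s" % (ns, local) if ns else local


def find_verb_specific_constraints(web_xml_text):
    """Return (url-pattern, [verbs]) for each resource collection whose
    constraint covers only the listed verbs. Per the Servlet spec, unlisted
    verbs fall outside the constraint; the fix is to drop the http-method
    elements (or use http-method-omission in Servlet 3.0+)."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in root.iter(_tag(root, "security-constraint")):
        for coll in sc.iter(_tag(root, "web-resource-collection")):
            verbs = [m.text.strip() for m in coll.iter(_tag(root, "http-method"))]
            if verbs and not list(coll.iter(_tag(root, "http-method-omission"))):
                for pat in coll.iter(_tag(root, "url-pattern")):
                    findings.append((pat.text.strip(), verbs))
    return findings
```

Every tuple returned names a URL pattern whose role check can be skipped simply by changing the request verb; remove the http-method elements so the constraint applies to all methods.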
Presented with Luca Carettoni at OWASP AppSec in 2009.
Formalizes a particular type of web attack which takes
advantage of parameter parsing issues in a web application.
https://owasp.org/www-pdf-archive/AppsecEU09_CarettoniDiPaola_v0.8.pdf
2009 - HTTP Parameter Pollution
❑ A Spring-related issue where double evaluation allows
an attacker to execute code in the context of the Expression
Language.
❑ The impact can vary from XSS and sensitive data access to
RCE.
https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf
❑ Several EL Injection vulnerabilities have been found since
the publication of our paper.
❑ A few years later this research led to a more general
formalization named “Template Injection” by James Kettle of
PortSwigger.
2011 - Expression Language Injection
❑ There is a virtual space everyone expects to be private,
even at home.
▪ How do we conceive our personal space on the internet?
▪ And in our home/office/company?
❑ The issue involves what might be called:
Internal Perimeter Privacy or Cyber Proxemics
❑ Minded Security research also covered these topics with:
▪ 2018 - JStillery: JavaScript Malware Deobfuscation
▪ 2019 - DNS Rebinding + UPnP: research to raise
awareness about an issue known since 2006.
▪ 2020 - Behave! A browser extension that warns if a web page
performs malicious scans of the internal network.
2018-2020 - Internal Perimeter Privacy
https://www.slideshare.net/mindedsecurity/js-deobfuscation-with-jstillery-bsidesroma-2018
2018 - JStillery
❑ DNS Rebinding.Rewind + IoT == Privacy gone
2019 DNS Rebinding + UPnP
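An added example, not from the deck or from Minded Security, serving both the DNS rebinding definition quoted in the Java Applets slide and the UPnP/IoT case here: the two standard mitigations in Python, a resolver-side filter that rejects public names resolving into private address space, and the Host-header check that a router's or IoT device's HTTP service should apply. The lookups, names and the internal-suffix allowlist are constructed.

```python
import ipaddress

# Constructed lookups: a public name first resolves to a public address and,
# on the next query, to the home router and to localhost (the rebinding
# step); a genuinely internal name is expected to resolve to private space.
SAMPLE_LOOKUPS = [
    ("rebind.example", "93.184.216.34"),       # public answer: fine
    ("rebind.example", "192.168.1.1"),         # rebound to the router: block
    ("printer.corp.internal", "10.0.0.5"),     # allowlisted internal name
    ("rebind.example", "127.0.0.1"),           # rebound to localhost: block
]

# Constructed allowlist of DNS suffixes that legitimately live on the LAN.
INTERNAL_SUFFIXES = (".corp.internal",)


def is_rebinding_answer(name, ip, internal_suffixes=INTERNAL_SUFFIXES):
    """Resolver-side filter: a name outside the internal allowlist must not
    resolve to loopback, private (RFC 1918) or link-local space, because that
    is exactly how a rebound domain reaches devices behind the perimeter."""
    addr = ipaddress.ip_address(ip)
    if not (addr.is_private or addr.is_loopback or addr.is_link_local):
        return False
    return not name.lower().rstrip(".").endswith(internal_suffixes)


def filter_lookups(lookups):
    """Drop every answer the filter classifies as a rebinding attempt."""
    return [(n, ip) for n, ip in lookups if not is_rebinding_answer(n, ip)]


def host_header_ok(host_header, own_names):
    """Device-side mitigation: the HTTP/UPnP service on a LAN device answers
    only when the Host header names the device itself. A request rebound from
    the browser still carries the attacker's domain in Host, so it is refused."""
    host = host_header.split(":", 1)[0].lower()
    return host in {n.lower() for n in own_names}
```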
❑ A (still in development) browser extension that monitors
pages acting as bad boys.
https://github.com/mindedsecurity/behave
2020 - Behave!
26. w w w . m i n d e d s e c u r i t y . c o m
Key Role of Minded Security in OWASP
❑ Research, development, participation and vertical
expertise are a winning approach if pursued with attention
and dedication.
❑ Our expertise is supported and cherished by a team of very
smart people working with passion and focus.
❑ This approach has made Minded Security an important
reality in application security from 2007 to the present day,
at an international level.
Conclusions
Minded Security Customers & Global Reach