BlueClosure - Javascript Security (Giorgio Fedon)<br />
JavaScript Dangerous Functions (Part 2) - DOM Based XSS (published 2017-10-29, updated 2017-12-04)<h3>
<span style="font-size: 18px;"><b>1. Introduction to DOM Based Cross-Site Scripting</b></span></h3>
<span style="font-size: 14px;">
<br />
DOM Based XSS is an attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser. These modifications are usually performed by client side scripts.<br /><br />
In the case of a DOM XSS vulnerability, the HTTP response sent by the server is no different from that of a normal execution of the application; the payload injected by the attacker executes only in the browser of the victim.<br /><br />
This behavior is different from other XSS attacks (Stored or Reflected), where the attack payload is contained in the response page (due to a server side flaw).
<br /><br />
In the following example of OWASP code, "document.location.href" or "document.write" may appear not to be harmful, but depending on their use, they can lead to a DOM XSS vulnerability. </span>
<span style="font-size: 14px;">
<br />
<pre class="brush:html">[..]
Select your language:
<select>
<script>
document.write("<option value='1'>"+
document.location.href.substring(
document.location.href.indexOf("lang=")+5)+
"</option>");
document.write("<option value='2'>English</option>");
</script>
</select>
[..]</pre>
<span style="font-size: 14px;">
<span style="font-size: 14px;">Indeed, the "document.location.href" property is a Source because the user can control it through the GET request (lang=[user-controlled-input]). Conversely, "document.write" is considered a Sink, because it is a function that could be abused to cause security issues. This kind of flow in the code can produce a DOM related vulnerability.</span><br /><span style="font-size: 14px;">Using the following request it is possible to exploit the above DOM XSS:</span><br />
<br /><span style="font-size: 14px;">
http://www.example.tld/</span><b style="font-size: 14px;">page.html?lang=<script>alert(document.cookie)</script></b>
<br /><br /><span style="font-size: 14px;">
When the victim clicks on this link, the browser sends a request for:
</span>
<br />
</span><br />
<pre class="brush:html">/page.html?lang=<script>alert(document.cookie)</script></pre>
<span style="font-size: 14px;">
<span style="font-size: 14px;"><span style="font-size: 14px;"><span style="font-size: 14px;">The server replies with the page containing the above JavaScript code.<br />
The browser creates a DOM object for the page, in which the document.location object contains the string:
<br /><br />
<b>http://www.example.tld/page.html?lang=<script>alert(document.cookie)</script></b>
<br /><br />
The original JavaScript code in the page does not expect the “lang” parameter to contain HTML markup, and therefore it simply echoes it into the page (DOM) at runtime.<br /><br />
The browser then renders the resulting page and executes the attacker’s script:
</span>
<span style="font-size: 14px;"></span><br />
<pre class="brush:html">alert(document.cookie)</pre>
<span style="font-size: 14px;">
Note that the HTTP response sent from the server does not contain the attacker’s payload, because the payload itself is executed only at the Client-side level.<br /><br />
</span><br />
<h3>
<span style="font-size: 14px;">
<span style="font-size: 18px;">2. BlueClosure Detection of DOM Based Cross-Site Scripting</span></span></h3>
<span style="font-size: 14px;">
<br />
The BlueClosure BCDetect product (<a href="https://www.blueclosure.com/">https://www.blueclosure.com</a>) can easily detect DOM HTML Injection vulnerabilities in web pages.
<br />
In this part of the article we are going to see how it is possible to use BCDetect in order to identify a DOM XSS vulnerability and perform a detailed analysis of it.<br /><br />
Let’s begin with a simple example (in the next articles we will explain the Detection and Exploiting phases of much more complex examples aimed toward more advanced readers).
<br /><br />
Once the BCDetect instance has started, we can visit the website <b>domxss.com</b> (this service is hosted by MindedSecurity for practicing with DOM related vulnerabilities; it offers various sections with different kinds of vulnerabilities). When opening the following page (</span><span style="font-size: 14px;">http://www.domxss.com/domxss/01_Basics/00_simple_noHead.html</span><span style="font-size: 14px;">) with BCDetect, </span><span style="font-size: 14px;">the user is shown a pop-up window reporting a potential vulnerability in the JavaScript code of the page, as shown in the following screenshots:</span><br />
<br />
<center>
<span style="font-size: 14px;">
<span id="docs-internal-guid-ecd95d95-deb0-6990-be9c-432787a3be65"><span style="font-family: "arial"; font-size: 10pt; vertical-align: baseline;"><img height="225" src="https://lh6.googleusercontent.com/CTei9HB-O4yxAtqvq6MkQ_QBNFBVUwsBAzGhRRpEUrWCS-2Kkis1xjywzidVqNAdUmqkTJ5GYdAkuul5mZrJ-srjN657CjDr_A1UxqmAeKraick3ZUEs41jqZlCSkg1pQOOiBUEQ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="602" /></span></span></span></center>
<span style="font-size: 14px;">
</span>
<br />
<div>
<span style="font-size: 14px;">The popup presents the Summary view, which includes the alerts, warnings and informational issues found in the page. Clicking on an issue shows the specific data of the vulnerability in the dedicated BCDetect browser window, as shown in the following screenshot:
<br /><span id="docs-internal-guid-ecd95d95-dea3-8904-d130-7cbbe25d97c1"><span style="font-family: "arial"; font-size: 10pt; vertical-align: baseline; white-space: pre-wrap;"></span></span></span><br />
<center>
<span style="font-size: 14px;"><span id="docs-internal-guid-ecd95d95-dea3-8904-d130-7cbbe25d97c1"><span style="font-family: "arial"; font-size: 10pt; vertical-align: baseline; white-space: pre-wrap;"><img height="296" src="https://lh5.googleusercontent.com/R_iyQPtfoXL-YSCuB9VKwFimWlOIDilbcMOggGS54N0Cfggd9bnfUp9bWkKo5tCHmEvttBQbIziHigRtsb7LgSrMImqCXQonuZDon7Wpdy7MG0KldYgBZAiPaZHH-0H96ZR0lVkge02_rJfELw" style="-webkit-transform: rotate(0.00rad); border: 1pt solid #000000; transform: rotate(0.00rad);" width="602" /></span></span></span></center>
</div>
<br />
<div>
<span style="font-size: 14px;">This window can be considered as a "point of reference" which shows all the possible issues, warnings or information previously found while browsing the target website.
<br /><br />
Looking at the vulnerability pane, we can infer that the issue is categorized as an Alert and it could be a potential High Risk vulnerability (BCDetect makes a great effort to minimize False-positives, but this will be the subject for a later article). So let's examine the <b>HTML Injection </b>previously<b> </b>pointed out.
<br /><br />
The following snippet shows the source code of the page that BCDetect analyzed at runtime:
</span><br />
<pre class="brush:html"><script>
var pos = document.URL.indexOf("name=") + 5;
var r = '<b>' +
document.URL.substring(pos, document.URL.length) +
'</b>'
document.write(unescape(r));
</script></pre>
<span style="font-size: 14px;">
As shown above, the string is retrieved from the "name=" parameter, which is not filtered in any way, neither on input via document.URL nor on output via document.write.
</span><br />
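<span style="font-size: 14px;">The missing input and output filtering can be made concrete with the following added example, which is not code from the page or from domxss.com. It rebuilds the snippet as pure functions and sets a hardened variant beside it; the function names, the allow-list pattern and the benign sample URL are assumptions made for illustration.</span><br />

```javascript
// Added example, not the page's code: the `name=` snippet as pure functions, so the
// markup that would reach the sink can be inspected without a browser.

// Same logic as the page's snippet: everything after "name=" is decoded and
// concatenated into markup with no filtering on input or on output.
function renderVulnerable(url) {
  const pos = url.indexOf("name=") + 5;
  const r = "<b>" + url.substring(pos, url.length) + "</b>";
  return unescape(r); // deprecated; kept because the page's snippet uses it
}

// Output encoding for an HTML text context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Parse the parameter with the URL API instead of indexOf/substring.
// The query string is checked first, then the fragment ("#name=..." or "#?name=...").
function readParam(url, key) {
  const parsed = new URL(url);
  const fromQuery = parsed.searchParams.get(key);
  if (fromQuery !== null) return fromQuery;
  const fragment = parsed.hash.replace(/^#\??/, "");
  return new URLSearchParams(fragment).get(key);
}

// Input filter. Assumption: a display name is letters, digits, space, dot,
// apostrophe or hyphen, at most 64 characters.
const NAME_PATTERN = /^[\p{L}\p{N} .'-]{1,64}$/u;

// Hardened variant: validate on input, encode on output.
// In a browser, assigning the value to textContent avoids building markup at all.
function renderHardened(url) {
  const value = readParam(url, "name");
  const name = value !== null && NAME_PATTERN.test(value) ? value : "";
  return "<b>" + escapeHtml(name) + "</b>";
}

// The request used on the page, and a constructed benign request.
const BASE = "http://www.domxss.com/domxss/01_Basics/00_simple_noHead.html";
const PAYLOAD_URL = BASE + "?#name=<script>alert(document.cookie)</script>";
const BENIGN_URL = BASE + "?#name=O'Brien";

console.log("vulnerable:", renderVulnerable(PAYLOAD_URL));
console.log("hardened  :", renderHardened(PAYLOAD_URL));
console.log("hardened  :", renderHardened(BENIGN_URL));
```

The benign case shows why both layers are kept: the apostrophe passes the input filter and is still encoded before it reaches the markup.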
<span style="font-size: 14px;">To investigate the vulnerability further, we can simply click on the related box and a detailed "history" window will appear below it. This window contains all the information that led to the discovery of the vulnerability.</span>
<span style="font-size: 14px;"><br /></span>
<span style="font-size: 14px;"> </span></div>
<div>
<center>
<span style="font-size: 14px;"><span id="docs-internal-guid-ecd95d95-dea3-de18-2c66-2b57cb38b7d8"><span style="font-family: "arial"; font-size: 10pt; vertical-align: baseline; white-space: pre-wrap;"><img height="535" src="https://lh6.googleusercontent.com/hSsyAlNyb1clrSKMCNR9__PmEZZzyEQ_EuxVkYZ0lMPjephByk04TsPkcDW2ek97I8cfLC9__gRUDlenJp8Zls0J6QNwuWO0BqOQJd9RF2T1TKe5sr5gBPbY0Gsx_0OK6xvB2DVfD1-YQU15WA" style="-webkit-transform: rotate(0.00rad); border: 1pt solid #000000; transform: rotate(0.00rad);" width="602" /></span></span></span></center>
</div>
<div>
<span style="font-size: 14px;"><br /></span></div>
<div>
<span style="font-size: 14px;">As shown in the above image, the window contains the categorization of the vulnerability and shows whether the issue is Exploitable or not and whether the data is Encoded or Not Encoded. It also highlights the user-controllable value and the vulnerable code identified by the BCDetect engine.
<br /><br />Clicking the link "Show operations" gives access to a couple of features that provide more information about the vulnerability through specific low-level details (inside the box: History -> Flow #N and Show Operations).
<br /><br />For instance:
</span></div>
<div>
<span style="font-size: 14px;"><span id="docs-internal-guid-ecd95d95-dea4-2191-5ad1-e178e7139e6a"><span style="font-family: "arial"; font-size: 10pt; vertical-align: baseline; white-space: pre-wrap;"></span></span></span><br />
<center>
<span style="font-size: 14px;"><span id="docs-internal-guid-ecd95d95-dea4-2191-5ad1-e178e7139e6a"><span style="font-family: "arial"; font-size: 10pt; vertical-align: baseline; white-space: pre-wrap;"><img height="905" src="https://lh5.googleusercontent.com/B2awJ9arm1w6vmnb3QDt0OIaEFAtLde4DPTTpDSIa24eyOu5LXxNzhWuJovv22POVDiNQoL2P_qRZUveXlJavVpAwDXVTK5kpByfzJGvJOS3Jg_A58HaD-rMv5FCgDgvMABx-EaoyvSKA913Iw" style="-webkit-transform: rotate(0.00rad); border: 1pt solid #000000; transform: rotate(0.00rad);" width="602" /></span></span></span></center>
</div>
<div>
<span style="font-size: 14px;"><br /></span></div>
<div>
<span style="font-size: 14px;">These are the main points to understand how to perform the Detection phase with BCDetect and conduct a smart analysis of the issue.
<br />
</span><br />
<br />
<h4>
<span style="font-size: 14px;">
<span style="font-size: 16px;">2.1 BlueClosure Exploiting a DOM Based Cross-Site Scripting</span></span></h4>
<br />
<span style="font-size: 14px;">
In the previous section we saw how BCDetect was able to identify an HTML injection issue in real-time and how to exploit it (in the user's client context).
<br /><br />
Let's consider the example we used in the detection phase and type the following request in our browser:<br /><br />
http://www.domxss.com/domxss/01_Basics/00_simple_noHead.html<b>?#name=<script>alert(document.cookie)</script></b>
<br /><br />We will see that the page shows an alert popup containing the user's cookie values as shown in the following screenshot.
<br /><br /><span id="docs-internal-guid-ecd95d95-dea4-4cbd-0c05-37a521cd5c21"><span style="font-family: "arial"; font-size: 10pt; vertical-align: baseline; white-space: pre-wrap;"></span></span></span><br />
<center>
<span style="font-size: 14px;"><span id="docs-internal-guid-ecd95d95-dea4-4cbd-0c05-37a521cd5c21"><span style="font-family: "arial"; font-size: 10pt; vertical-align: baseline; white-space: pre-wrap;"><img height="229" src="https://lh5.googleusercontent.com/TjmThBEidSXS4wWYUPV8xlaR_YPRD0LJsH1eQRLGsLBAka2lbuQpOgsmkrZMnJKUSea0QQb4oMe_GfxLKl5mCQEUG1zW0MzBxp4XvJj8oaZq9KvGUHUt9dp_ZSTBplj-aAYvT_U9EAnVW7UVIw" style="-webkit-transform: rotate(0.00rad); border: 1pt solid #000000; transform: rotate(0.00rad);" width="602" /></span></span></span></center>
</div>
<div>
<span style="font-size: 14px;"><br /></span></div>
<div>
<span style="font-size: 14px;">Using more advanced payloads, an attacker can steal the cookies and try to impersonate the victim. </span><br />
<br />
Even during the exploitation phase, BCDetect reports to us through its popup notifications, which as usual contain the type of vulnerability and the information about it, as can be seen in the following screenshot:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-EGJOgCgtG6w/Wd336ghHd3I/AAAAAAAAAGY/iEmC7ao9ELoix9C3HtofdTb2THKS5AI9ACLcBGAs/s1600/bcdetect-find.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="643" data-original-width="1600" height="256" src="https://1.bp.blogspot.com/-EGJOgCgtG6w/Wd336ghHd3I/AAAAAAAAAGY/iEmC7ao9ELoix9C3HtofdTb2THKS5AI9ACLcBGAs/s640/bcdetect-find.png" width="640" /></a></div>
</div>
</span>
</span>
</span>
</span>JavaScript Dangerous Functions (Part 1) - HTML Manipulation (published 2017-09-14, updated 2017-10-02)<span style="font-size: 14px;">
</span>
<br />
<h3>
<span style="font-size: 18px;">
<b>1. Introduction to HTML Manipulation Functions </b></span></h3>
<span style="font-size: 14px;">
<br />
When a method or operation allows HTML manipulation and it is possible to control an argument, even partially, then it is possible to manipulate the HTML to some extent and consequently gain control of the user interface or execute JavaScript using classic Cross Site Scripting attacks.
<br />
<br />
Data flow starts from Sources (input data that could be tainted) and ends at Sinks (potentially dangerous functions).<br />
<br />
In software security the <b>Sources[*]</b> are to be considered starting points where untrusted input data is taken by an application.<br />
<br />
There are two types of input sources: <b>Direct</b> and <b>Indirect</b>. In the next articles, we will analyze the various types of Direct/Indirect input and how malicious JavaScript code can cause damage by exploiting incorrect programming techniques.<br />
<br />
In software security the <b>Sinks[*]</b> are the points in the flow where data derived from sources is used in a potentially dangerous way, resulting in loss of Confidentiality, Integrity or Availability (the CIA triad).<br />
<br />
This means that a function is a Sink if its behavior is generally safe but could be dangerous with tainted input data.<br />
<br />
To understand the difference between a Source and a tainted Source, take a look at the following code:
</span><br />
<span style="font-size: 14px;"><pre class="brush:html"><script>
var name = document.URL.indexOf("name=") + 5; // <- TAINTED SOURCE
document.write("Welcome " +
document.URL.substring(name, document.URL.length)); // <- SINK
</script>
</pre></span>
<span style="font-size: 14px;">
</span>
<span style="font-size: 14px;">
<b>Source: </b> document.URL<br />
<b>Sink:</b> document.write()<br />
<b>Result:</b> document.write(“<script>alert(document.cookie)</script>”);<br />
<br />
The exploit will take place when visiting the following URL:<br />
<br />
http://example.tld/page.html<b>#name=<script>alert(document.cookie)</script></b><br />
<br />
<small><b>* Glossary </b></small>
<small><b><u><br /></u></b></small>
<small><b><u>Sources:</u></b> Sources are all the DOM Properties that can be influenced by an attacker. </small><br />
<small><b><u>Sinks:</u></b> Sinks are all the DOM Properties, JavaScript functions and other Client-side entities that can lead to or influence Client-side code execution.
</small><br />
</span><br />
<h4>
<span style="font-size: 16px;">
1.1 Table of dangerous JavaScript functions/properties for HTML Manipulation</span></h4><br>
<span style="font-size: 14px;">The table below lists the principal sinks that allow HTML manipulation, which will likely result in JavaScript execution.</span><br />
<span style="font-size: 14px;"><br /></span>
<div dir="ltr" style="margin-left: 0pt;">
<table style="border-collapse: collapse; border: none;"><colgroup><col width="202"></col><col width="105"></col><col width="295"></col></colgroup><tbody>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #24292e; font-family: "arial"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Function Name</span></div>
</td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Browser</span></div>
</td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Example</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<br />
<span style="font-family: "arial";"><span style="font-size: 9pt;">document.write</span></span></div>
</td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">All</span></div>
</td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<br />
<span style="font-family: "arial";"><span style="font-size: 9pt;">document.write("<b>" + userControlledVal + "</b>");</span></span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial";"><span style="font-size: 12px; white-space: pre-wrap;">document.writeln </span></span></div>
</td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">All</span></div>
</td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">document.writeln("<b>" + userControlledVal + "</b>");</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">anyElement.innerHTML</span></div>
</td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">All</span></div>
</td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 12px; white-space: pre-wrap;">divElem.innerHTML = "Hello " + userControlledVal</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">anyElement.outerHTML</span></div>
</td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">All</span></div>
</td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: x-small;">divElem.outerHTML = "<div>Hello " + userControlledVal + "</div>"</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 12px; white-space: pre-wrap;">anyElement.insertAdjacentHTML</span></div>
</td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">All</span></div>
</td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 12px; white-space: pre-wrap;">divElem.insertAdjacentHTML("beforeend", "<b>" + userControlledVal + "</b>");</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
...</div>
</td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"></td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
</td></tr>
</tbody></table>
</div>
<div>
<br /></div>
<br>
<h3 style="margin-left: 0pt;">
<span style="font-size: 18px;">
2. Differences between document.write functions and properties like innerHTML</span></h3>
<span style="font-size: 14px;">
<b><br /></b>
<b>The document.write method: </b><br />
<br />Let's take functions like <b>document.write</b> (or <b>document.writeln</b>) as an example to better explain the Sink, and let's see the difference between these functions and, for example, the property <b>innerHTML</b>.<br />
<br />
As we can see, document.write acts directly as a Sink, writing (outputting) the malicious code supplied by a user who controls the value, for instance by visiting the following URL:
<br />
<br />
http://example.tld/page.html#?<b>foo=<script>alert(document.cookie)</script></b><br />
<br />
And, by analyzing the page code:
<br />
</span><br />
<span style="font-size: 14px;"><pre class="brush:html"><script>
var pos = document.URL.indexOf("foo=") + 4; // <- TAINTED SOURCE
document.write(document.URL.substring(pos, document.URL.length)); // <- SINK
</script>
</pre></span>
<span style="font-size: 14px;">
We can see that the Sink in question, document.write, has the task of printing to the screen the value passed to it as an argument. Since the user has passed malicious JavaScript code as that argument, the function will unintentionally write that code into the DOM, where it executes:
<br />
</span><br />
<span style="font-size: 14px;"><pre class="brush:html"> alert(document.cookie)</pre></span>
<span style="font-size: 14px;">
This produces, on the browser (Client) side, a popup containing the cookie values of the current user session.<br />
<br />
<b>The innerHTML property: </b><br />
<br />
Concerning the use of the <b>innerHTML</b> property, and how it can be abused through an object directly controlled by a user, we can give a more detailed example. Let’s take the following code:<br />
</span>
<span style="font-size: 14px;">
<span style="font-size: 14px;"><pre class="brush:html"><div id="nm">John Doe</div>
<script>
var name = window.localStorage.name; // <- SOURCE
document.getElementById("nm").innerHTML = name;
</script>
</pre></span>
As you can see, if we use the innerHTML property to retrieve the information, nothing happens, even if the malicious JavaScript code were there instead of the name "John Doe". Let’s take another example instead:
<br />
<pre class="brush:html"><div id="nm">John Doe</div>
<script>
var pos = document.URL.indexOf("name=") + 5;
var name = document.URL.substring(pos, document.URL.length); // <- TAINTED
document.getElementById("nm").innerHTML = name; // <- SINK
</script>
</pre>
With this example script, browse the following URL:<br />
<br />
http://example.tld/page.html?<b>name=<script>alert(document.cookie)</script></b><br />
<br />
In this case, the browser will show us a window indicating that the JavaScript code passed in the URL parameter name was executed.
<br />
<br />
<h4>
<span style="font-size: 16px;">2.1 Examples of vulnerable source code for the HTML Manipulation vulnerabilities</span></h4>
<br />
At this point we can give a few examples showing the various ways to identify and subsequently exploit a vulnerability of the <b>HTML Manipulation</b> type:<br />
<br />
<ul>
<li>DOM Based Cross-Site Scripting </li>
<li>Stored DOM Based Cross-Site Scripting </li>
<li>Others</li>
</ul>
<div>
<br /></div>
Then we will see practical examples, and in the next step we will explain how you can detect these types of vulnerabilities through <i><b><a href="https://www.blueclosure.com/product/bc-detect" target="_blank">BlueClosure BCDetect</a></b></i> and how to exploit them.
<br />
<br />
<b>DOM Based Cross-Site Scripting (DOM XSS):</b><br />
<br />
To explain this type of vulnerability, we can take one of the simple examples above.<br />
Take the following vulnerable code:
<br />
<pre class="brush:html"><script>
var pos = document.URL.indexOf("foo=") + 4;
document.write(document.URL.substring(pos, document.URL.length));
</script>
</pre>
<b>Source:</b> document.URL<br />
<b>Sink:</b> document.write()<br />
<b>Result:</b> document.write(“<script>alert(document.cookie)</script>”);
<br />
<br />
The attack is possible at the Client-side level (this is due to the # fragment identifier).<br />
<br />
To exploit this, just go to the following URL and specify the malicious code in the “foo=” parameter:<br />
<br />
http://example.tld/page.html<b>#foo=<script>alert(document.cookie)</script></b><br />
<b><br /></b>
<b>Stored DOM Based Cross-Site Scripting (Stored DOM XSS)</b><br />
<br />
Let's see an example of this type of vulnerability where, unlike the first, the malicious code is first saved in the HTML5 local Storage (only recent browsers support the Storage feature). Browse the following URL:
<br />
<br />
http://example.tld/store.html?<b>name=</b><b><img src=z onerror='alert(document.cookie)' ></b><br />
<br />
Below the vulnerable code of the page:<br />
<pre class="brush:html"><script>
var pos = document.URL.indexOf("name=") + 5;
var name = document.URL.substring(pos, document.URL.length);
name = decodeURI(name); // store the decoded value
window.localStorage.name = name;
</script>
</pre>
As mentioned above, the "name" is saved in the browser Storage.<br />
<br />
Now, to exploit this type of vulnerability, let's see what happens if we visit (after the previous page) the following welcome page URL:<br />
<br />
http://example.tld/welcome.html<br />
<br />
With the source code of the page:
<br />
<pre class="brush:html"><script>
var element = document.getElementById("header");
var name = window.localStorage.name;
element.innerHTML = "Hello, " + name;
</script>
</pre>
<b>Source:</b> document.URL<br />
<b>Storage:</b> window.localStorage.name<br />
<b>Sink:</b> element.innerHTML<br />
<b>Result:</b> element.innerHTML = “Hello, <img src=z onerror='alert(document.cookie)' >“;<br />
<br />
We would certainly get a nasty surprise: a popup alert which shows the cookie data for the current user session.<br />
A malicious user could retrieve this kind of data to gain unauthorized access as one of your users.<br />
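The store.html and welcome.html flow above with the usual fixes applied, as an added example that is not code from the original post: the parameter is parsed and validated before it is stored, and the stored value is written through textContent instead of innerHTML. FakeStorage, FakeElement, NAME_PATTERN and the function names are assumptions made so that the example runs under Node without a browser.

```javascript
// Added example, not code from the original post. FakeStorage and FakeElement
// are stand-ins (assumptions) for window.localStorage and a DOM element.

// Constructed sample input: the store.html URL from the text, percent-encoded.
const PAYLOAD_URL = "http://example.tld/store.html?name=" +
  encodeURIComponent("<img src=z onerror='alert(document.cookie)' >");

class FakeStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
}

// Encode the characters that let text break out into markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Approximates a DOM element: assigning textContent creates a text node, so
// the serialized markup (innerHTML) only ever contains encoded text.
class FakeElement {
  constructor() { this.innerHTML = ""; }
  set textContent(value) { this.innerHTML = escapeHtml(value); }
}

// store.html, step 1: parse the query string instead of slicing document.URL
// by hand; URLSearchParams also takes care of the decoding.
function readNameParam(urlString) {
  const value = new URL(urlString).searchParams.get("name");
  return value === null ? "" : value;
}

// store.html, step 2: allow-list validation before anything is persisted.
// The pattern (letters, digits, space, . ' -) is an assumption about valid names.
const NAME_PATTERN = /^[\p{L}\p{N} .'-]{1,64}$/u;

function storeName(storage, urlString) {
  const name = readNameParam(urlString);
  if (!NAME_PATTERN.test(name)) return false; // reject and store nothing
  storage.setItem("name", name);
  return true;
}

// welcome.html: Storage is still treated as untrusted at read time, because an
// older vulnerable page may already have written markup into it.
function renderGreeting(element, storage) {
  const stored = storage.getItem("name");
  element.textContent = "Hello, " + (stored === null ? "guest" : stored);
  return element.innerHTML;
}

function demo() {
  const storage = new FakeStorage();
  const rejected = !storeName(storage, PAYLOAD_URL);
  storeName(storage, "http://example.tld/store.html?name=Ada%20Lovelace");
  const normal = renderGreeting(new FakeElement(), storage);
  // Simulate a value left behind by the old, vulnerable store.html.
  storage.setItem("name", readNameParam(PAYLOAD_URL));
  const legacy = renderGreeting(new FakeElement(), storage);
  return { rejected, normal, legacy };
}

console.log(demo());
```

In a real page the same two changes apply directly: `new URL(document.URL).searchParams.get("name")` on the storing side and `element.textContent` on the rendering side.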
<b><br /></b></span>Anonymousnoreply@blogger.com36tag:blogger.com,1999:blog-2598120931845740858.post-27299602892909425742017-09-12T06:09:00.000-07:002017-09-14T03:47:07.790-07:00JavaScript Security Awareness - BlueClosure<span style="font-size: 14px;"><h3>
<b><span style="font-family: "verdana" , sans-serif; font-size: 18px;">1. Introduction</span></b></span></h3>
<span style="font-size: 14px;">
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<span style="font-family: "verdana" , sans-serif;">With an article published every two weeks, we are going to cover as much as possible of the JavaScript security theme. We’ll talk about the possible threats that vulnerable JavaScript code can lead to, the detection techniques and some real scenarios.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The logical line that we will follow starts from the “beginning”, with the simplest possible exploitation and attack, and, building on that, we’ll expand the coverage to increasingly difficult attacks. In doing so we’ll show the main source and sink tainting techniques, covering all the kinds of attack documented by the <a href="https://www.owasp.org/index.php/Client_Side_Testing" target="_blank"><b>OWASP Testing Guide</b></a> in the Client Side Testing chapter.
The purpose of JavaScript Security Awareness is to inform users how easy it is to find vulnerable JavaScript, showing how and when an issue could occur.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Furthermore we want to present an all new tool, <b><a href="https://www.blueclosure.com/" target="_blank">BlueClosure</a></b>, that can <b>automate</b> the <b>security analysis</b> process <b>testing</b> the <b>JavaScript</b>.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The structure of each article is the following: introduction to a vulnerability (of a security issue), explanation and detection of the vulnerability with BlueClosure and, in the end, a real world scenario where the particular vulnerability that we are talking about created a security breach. We have decided to start from DOM XSS because it’s a very important issue (listed in the OWASP top 10) and XSS is the most prevalent web application security flaw.</span><br />
<h4>
<b><span style="font-family: "verdana" , sans-serif;"><br /></span></b></h4>
<div>
<b><span style="font-family: "verdana" , sans-serif;"><br /></span></b></div>
<h4>
<b><span style="font-family: "verdana" , sans-serif; font-size: 16px;">1.1 Introduction to DOM Based XSS</span></b></h4>
<span style="font-family: "verdana" , sans-serif;"><b><br /></b>
<b>DOM Based XSS</b> is an attack wherein the attack payload is executed as a result of modifying the DOM “<b>environment</b>” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">This is in contrast to other XSS attacks (Stored or Reflected), wherein the attack payload is placed in the response page (due to a server side flaw).</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">In the following OWASP code example, neither “<b>document.location.href</b>” nor “<b>document.write</b>” is malicious in itself, and neither is the rest of the code.
</span><br />
<pre class="brush:html"><select>
<script>
// The value of the "lang" parameter is written into the page unencoded.
document.write("<option value=1>"+
document.location.href.substring(document.location.href.indexOf("lang=")+5)+
"</OPTION>");
document.write("<option value=2>English</OPTION>");
</script>
</select>
</pre>
<span style="font-family: "verdana" , sans-serif;">
</span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><b>document.location.href</b> and <b>document.write</b> are sinks because their behaviour is legitimate, but with a tainted input it becomes malicious.</span><br />
<span style="font-family: "verdana" , sans-serif;">Indeed, with the following input it is possible to exploit a DOM XSS:</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> http://www.example.tld<b>/page.html?lang=<script>alert(document.cookie)</script></b></span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">When the victim clicks on this link, the browser sends a request for:
</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<pre class="brush:html"> /page.html?lang=<script>alert(document.cookie)</script></pre>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">to <b>www.some.site</b>. The server responds with the page containing the above JavaScript code. The browser creates a DOM object for the page, in which the <b>document.location</b> object contains the string:</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"> <b>http://www.example.tld/page.html?lang=<script>alert(document.cookie)</script> </b></span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The original JavaScript code in the page does not expect the “<b>lang</b>” parameter to contain HTML markup, and as such it simply echoes it into the page (DOM) at runtime.</span><br />
<span style="font-family: "verdana" , sans-serif;">The browser then renders the resulting page and executes the attacker’s script:
</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<pre class="brush:html"> alert(document.cookie)</pre>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">Note that the HTTP response sent from the server does not contain the attacker’s payload.</span><br />
<span style="font-family: "verdana" , sans-serif;">This payload manifests itself at the Client-side script at runtime, when a flawed script accesses the DOM variable "document.location" and assumes it is not malicious.</span><br />
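The source-to-sink reasoning above can be mechanised in a few lines. The following is an added example, not BlueClosure's engine and not code from the original post: a small static lister that follows tainted values from URL sources into document.write and innerHTML, and it goes beyond the case in the text by also following values through localStorage across pages. The page names, sample scripts and function names are constructed for the example.

```javascript
// Added example. It over-approximates on purpose: any value derived from a
// source counts as tainted, and no sanitizers are modelled.
const SOURCES = ["document.URL", "document.location", "location.hash", "location.search"];

// Constructed input: script bodies modelled on the kind of code discussed above.
const PAGES = [
  { page: "page.html", code: `
      document.write("<option value=1>" +
        document.location.href.substring(document.location.href.indexOf("lang=") + 5) +
        "</option>");
      document.write("<option value=2>English</option>");` },
  { page: "welcome.html", code: `
      var element = document.getElementById("header");
      var name = window.localStorage.name;
      element.innerHTML = "Hello, " + name;` },
  { page: "store.html", code: `
      var pos = document.URL.indexOf("name=") + 5;
      var name = document.URL.substring(pos, document.URL.length);
      window.localStorage.name = name;` },
  { page: "safe.html", code: `
      var el = document.getElementById("header");
      el.textContent = "Hello, " + window.localStorage.name;` },
];

// String literals carry no taint; blank them so their content is never parsed.
const stripStrings = (code) => code.replace(/"[^"]*"|'[^']*'/g, '""');

// Returns a description of where the expression's taint comes from, or null.
function taintOf(expr, vars, storage) {
  for (const src of SOURCES) {
    if (expr.includes(src)) return src;
  }
  for (const m of expr.matchAll(/localStorage\.(\w+)/g)) {
    if (storage.has(m[1])) return storage.get(m[1]) + " -> localStorage." + m[1];
  }
  // Bare identifiers only (not property names that follow a dot).
  for (const id of expr.match(/(?<![.\w$])[A-Za-z_$][\w$]*/g) || []) {
    if (vars.has(id)) return vars.get(id);
  }
  return null;
}

function scan(pages, storage, findings) {
  for (const { page, code } of pages) {
    const vars = new Map(); // tainted variable -> origin, reset for every page
    for (const raw of stripStrings(code).split(";")) {
      const stmt = raw.trim();
      let m, origin;
      if ((m = stmt.match(/document\.write(?:ln)?\s*\(([\s\S]*)\)$/))) {
        if ((origin = taintOf(m[1], vars, storage))) findings.push({ page, sink: "document.write", origin });
      } else if ((m = stmt.match(/\.innerHTML\s*\+?=(?!=)([\s\S]*)$/))) {
        if ((origin = taintOf(m[1], vars, storage))) findings.push({ page, sink: "innerHTML", origin });
      } else if ((m = stmt.match(/^(?:window\.)?localStorage\.(\w+)\s*=(?!=)([\s\S]*)$/))) {
        if ((origin = taintOf(m[2], vars, storage))) storage.set(m[1], origin + " in " + page);
      } else if ((m = stmt.match(/^(?:(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*=(?!=)([\s\S]*)$/))) {
        origin = taintOf(m[2], vars, storage);
        if (origin) vars.set(m[1], origin); else vars.delete(m[1]);
      }
    }
  }
}

function analyze(pages) {
  const storage = new Map();
  scan(pages, storage, []);       // pass 1: learn which Storage keys hold tainted data
  const findings = [];
  scan(pages, storage, findings); // pass 2: report, independent of page order
  return findings;
}

for (const f of analyze(PAGES)) {
  console.log(f.page + ": " + f.origin + " -> " + f.sink);
}
```

The second pass is what lets the stored flow be reported even though welcome.html is listed before store.html; safe.html produces no finding because textContent is not treated as a sink.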
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<h3>
<b><span style="font-family: "verdana" , sans-serif; font-size: 18px;">2. BlueClosure in Pills (A brief introduction to BC functionalities)</span></b></h3>
<div>
<b><span style="font-family: "verdana" , sans-serif;"><br /></span></b></div>
<span style="font-family: "verdana" , sans-serif;">The BlueClosure platform provides the elements needed to execute the JavaScript analysis in real time (that is, while browsing the selected web target) and <b>search</b> for possible <b>vulnerabilities</b> such as <b>HTML Injection</b>, <b>JS Execution</b>, <b>HTTP Parameter Pollution</b> and <b>others</b>.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The main features of BlueClosure are:</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<ul>
<li><span style="font-family: "verdana" , sans-serif;"><b>JS Frameworks support:</b> BlueClosure can analyse any codebase written with JavaScript frameworks like <i><b>Angular.js</b>, <b>jQuery</b>, <b>Meteor.js</b>, <b>React.js</b></i> and many more. </span></li>
<li><span style="font-family: "verdana" , sans-serif;"><b>Realtime Dynamic Data Tainting:</b> BlueClosure uses an advanced JavaScript instrumentation engine to understand the code. By leveraging our proprietary technology the BC engine can inspect any code, no matter how obfuscated it is. </span></li>
<li><span style="font-family: "verdana" , sans-serif;"><b>Scanning Automation:</b> BlueClosure technology can automatically scan an entire website. This is the fastest way to scan and analyse BIG enterprise portals with rich JavaScript content as a tester would with his browser. </span></li>
<li><span style="font-family: "verdana" , sans-serif;"><b>Near-Zero False Positives:</b> Data Validation and Context Awareness makes the use of a dynamic runtime tainting model on strings even more powerful, as it understands if a client side vulnerability is actually exploitable.</span></li>
</ul>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<span style="font-family: "verdana" , sans-serif;">As mentioned earlier, BlueClosure provides accurate and careful analysis of the code in real time by reporting to the user the possible Findings that are categorized into <b>Alerts</b>, <b>Warnings</b> and <b>Infos</b>. Through these alerts, the user can quickly access the related vulnerability information by tracing the steps that led to the identification of the vulnerability in a highly detailed way.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The following example shows an issue identified by BlueClosure engine:
</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://lh3.googleusercontent.com/HDjf1LVfBsEd3wkO3T9r8cBAZ3v2pJPh8c9nMifLmptY47bbUyxhLxX1TejD7lwE4LWP-VzFMn-jBruua2xCMRBllhTOGYkxPaJU6zLBaL13-xZRUcIo9Bm4NzNedl43RIkPuSYWe-QLZZkTyw" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "verdana" , sans-serif;"><img border="0" height="399" src="https://lh3.googleusercontent.com/HDjf1LVfBsEd3wkO3T9r8cBAZ3v2pJPh8c9nMifLmptY47bbUyxhLxX1TejD7lwE4LWP-VzFMn-jBruua2xCMRBllhTOGYkxPaJU6zLBaL13-xZRUcIo9Bm4NzNedl43RIkPuSYWe-QLZZkTyw" style="border: none; transform: rotate(0rad);" width="561" /></span></a></div>
<span style="font-family: "verdana" , sans-serif;"><span id="docs-internal-guid-63e32c0a-757a-b3d1-16a8-4f94dd412f45"><span style="background-color: white; color: #333333; font-size: 10pt; vertical-align: baseline; white-space: pre-wrap;"></span></span><br /></span>
<span style="font-family: "verdana" , sans-serif;"><span style="background-color: white; color: #333333; font-size: 10pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
As you can see from the image above, BlueClosure indicates the main vulnerability information, such as the <b>Typology</b>, the <b>Source</b> and finally the <b>Sink</b> (that is, the <b>Taint Propagation</b>) that led to malicious code execution, and its user-controlled <b>Value</b> (in the case described, the value is HTML data).</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The user can access more detailed information by clicking the Link in the vulnerability box, which adds two more boxes.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<ul>
<li><span style="font-family: "verdana" , sans-serif;">The first box describes the <b>History</b> of the vulnerability: the user-controllable value, whether the vulnerability is Exploitable, whether the data is <b>Encoded</b> / <b>Not Encoded</b> and, by clicking on Show operations, the list of JavaScript operations that led to vulnerability execution; </span></li>
<li><span style="font-family: "verdana" , sans-serif;">The second one, <b>Vulnerable Code</b>, shows the user the part of malicious code that was executed by exploiting the vulnerability.</span></li>
</ul>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;">The following image shows an example of History and Vulnerable Code in relation to the HTML Injection vulnerability described above:
</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://lh6.googleusercontent.com/1pVkTiCNFZAam7ml8fs6uGINuxyru_fDri6Uk0RxWXYa_W5EDjK65kdWi0H7bkmnftGJ92w29kt7iOeODpCja85JNZdEe8cvfbcJpLZUs6SiIk2R6P5zPvZtRyc4BC7oBfwu_iC5Hzrv13fekQ" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "verdana" , sans-serif;"><img border="0" height="661" src="https://lh6.googleusercontent.com/1pVkTiCNFZAam7ml8fs6uGINuxyru_fDri6Uk0RxWXYa_W5EDjK65kdWi0H7bkmnftGJ92w29kt7iOeODpCja85JNZdEe8cvfbcJpLZUs6SiIk2R6P5zPvZtRyc4BC7oBfwu_iC5Hzrv13fekQ" style="border: none; transform: rotate(0rad);" width="602" /></span></a></div>
<span style="font-family: "verdana" , sans-serif;"><span id="docs-internal-guid-63e32c0a-757d-159f-8c97-07054f15e9e7"><span style="background-color: white; color: #333333; font-size: 10pt; vertical-align: baseline; white-space: pre-wrap;"></span></span><br /></span>
<span style="background-color: white; color: #333333; font-family: "verdana" , sans-serif; font-size: 10pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="background-color: white; color: #333333; font-family: "arial"; font-size: 10pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
</span>Anonymousnoreply@blogger.com26tag:blogger.com,1999:blog-2598120931845740858.post-10143533927455139562016-10-09T23:48:00.000-07:002017-09-12T06:46:57.696-07:00Blueclosure Detect: get your license now!<span style="font-size: 14px;">
<span style="font-family: inherit;">London, 5 October 2016 - Minded Security is proud to announce that BlueClosure Detect is now available for <span style="font-family: inherit;">purchase</span> from the BlueClosure portal.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><a href="https://www.blueclosure.com/product/bc-detect" target="_blank">BC Detect </a>has th<span style="font-family: inherit;">ereby</span> combined the many years of experience gathered with <a href="https://dominator.mindedsecurity.com/" target="_blank">DOMinatorPro</a> together with an all new technology environment in order to focus on a new approach. <a href="https://www.blueclosure.com/product/bc-detect" target="_blank">BC Detect</a> is the first product that makes use of our new proprietary taint analysis engine.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">BC Detect represents a completely rewritten technology that extends the DOMinatorPro functionalities with the aim of providing:</span><br />
</span><br />
<ul><span style="font-size: 14px;">
<li><span style="font-family: inherit;">A more stable tool;</span></li>
<li><span style="font-family: inherit;"><span style="font-family: inherit;">The</span> fastest client side security analysis;</span></li>
<li><span style="font-family: inherit;">A real-time and reliable taint propagation flow;</span></li>
<li><span style="font-family: inherit;">A tool that can run on the latest browsers.</span></li>
</span></ul>
<span style="font-size: 14px;">
<br />
<span style="font-family: inherit;">All of the DOMinatorPro customers will now have the chance to use the new product. <span style="font-family: inherit;">N</span>ew customers can now easily buy the new product <span style="font-family: inherit;">via</span> the <a href="https://www.blueclosure.com/page/download#table-price" target="_blank">buy page</a>.</span><br />
<br />
<span style="font-family: inherit;">The following screenshot shows BC Detect in action: </span><br />
<br />
<span style="font-family: inherit;"><span id="docs-internal-guid-2a2990c2-9a49-156d-834c-c6acedbe1f0c" style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="310" src="https://docs.google.com/a/mindedsecurity.com/drawings/d/shjStTMu0j6xPoidlM7GPRA/image?w=602&h=310&rev=1&ac=1" style="border: 3px solid rgb(0, 0, 0); transform: rotate(0rad);" width="602" /></span></span><br />
</span><br />
<div dir="ltr" id="docs-internal-guid-2a2990c2-9a5f-7ef2-e0c2-5a8a83cdcd8f" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: 14px;"><span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The Websites panel is where vulnerable URLs and page locations are reported<span style="font-family: inherit;">;</span> it <span style="font-family: inherit;">enables</span> users to navigate and filter through all the detected issues.</span></span></span></div>
<span style="font-size: 14px;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For any website for which security vulnerabilities have <span style="font-family: inherit;">been identified</span>, BC Detect inserts an entry in the URL list. All issues are categori<span style="font-family: inherit;">s</span>ed in three different risk levels:</span></span><br />
<span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><br /></span></span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-style: normal; font-variant: normal; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline;">Alerts</span></span></div>
</li>
</ul>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-style: normal; font-variant: normal; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline;">Warnings </span></span></li>
</ul>
<ul id="docs-internal-guid-2a2990c2-9a6a-131b-b0f0-15a915748b75" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline;">Information</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
</li>
</ul>
<span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The following is a screenshot of the website panel:</span></span><br />
<span style="font-family: inherit;"><span id="docs-internal-guid-2a2990c2-9a4a-576e-340a-4a127e7f9ed7" style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"></span></span><br />
<span style="font-family: inherit;"><span id="docs-internal-guid-2a2990c2-9a4a-576e-340a-4a127e7f9ed7" style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><img height="368" src="https://docs.google.com/a/mindedsecurity.com/drawings/d/se9EZ-L0cBHWis4wBLvQR3A/image?w=602&h=368&rev=1&ac=1" style="border: 3px solid rgb(0, 0, 0); transform: rotate(0rad);" width="602" /></span> </span><br />
<br />
<span style="font-family: inherit;">The following pictures show the summary of the vulnerability panel: </span><br />
<br />
<span style="font-family: inherit;"><span id="docs-internal-guid-2a2990c2-9a5a-e84e-1735-f92d4de74177" style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="200" src="https://docs.google.com/a/mindedsecurity.com/drawings/d/sk8qsTovWOUjFAQzGPNptiw/image?w=602&h=200&rev=1&ac=1" style="border: 3px solid rgb(0, 0, 0); transform: rotate(0rad);" width="602" /> </span></span><br />
<br />
<span style="font-family: inherit;"><span id="docs-internal-guid-2a2990c2-9a5a-e84e-1735-f92d4de74177" style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"></span></span><br />
<span style="font-family: inherit;"><span id="docs-internal-guid-2a2990c2-9a5a-e84e-1735-f92d4de74177" style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><b>BC Detect represents the state of the art of Client Side Security</b>. Smart Fuzzing for example is a powerful tool that <span style="font-family: inherit;">ena<span style="font-family: inherit;">bles</span></span> testers to audit a broader set of code features and expanding code coverage. BC Detect engine collects input sources via dynamic and static code analysis. With smart fuzz<span style="font-family: inherit;">ing</span> you can perform the parameter tampering of hidden input sources.<br /><br />This technique <span style="font-family: inherit;">enables</span> Minded Security team to discover many bug bounties and hundreds of DOMXSS <span style="font-family: inherit;">o</span>n prominent websites such as <span style="font-family: inherit;">A</span>lexa top 100.</span></span><br />
<br />
<span style="font-family: inherit;"><span id="docs-internal-guid-2a2990c2-9a5a-e84e-1735-f92d4de74177" style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Get your <a href="https://www.blueclosure.com/page/download#table-price" target="_blank">licen<span style="color: black;"><span style="font-family: inherit;">c</span></span>e</a> now! </span></span><br />
<br />
<br />
<br />
<br />
<br />
<br />
</span>Matteo Meuccihttp://www.blogger.com/profile/14563434479199405929noreply@blogger.com30tag:blogger.com,1999:blog-2598120931845740858.post-76728447317329587022016-06-17T09:15:00.001-07:002017-09-12T06:49:12.046-07:00BlueClosure at InfoSecurity Europe 2016<span style="font-size: 14px;">
<h3>
Presentation</h3>
London, 8 June 2016 - <a href="https://www.mindedsecurity.com/" target="_blank">Minded Security, The Software Security Company</a> is proud to present <a href="https://www.blueclosure.com/" target="_blank">BlueClosure</a> the new JavaScript Security Platform at <a href="http://www.infosecurityeurope.com/" target="_blank">InfoSecurity Europe</a>. <br />
<br />
<div style="text-align: center;">
<iframe allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/VHxv_QGty1A" width="560"></iframe></div>
<br />
<br />
<a href="https://www.blueclosure.com/product/bc-detect" target="_blank">BC Detect </a>has thus combined the many years of experience gathered with <a href="https://dominator.mindedsecurity.com/" target="_blank">DOMinatorPro</a> together with an all new technology environment to focus on a new approach. <a href="https://www.blueclosure.com/product/bc-detect" target="_blank">BC Detect</a> is the first product that makes use of our new proprietary taint analysis engine.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXIWjk7ztiasl6hSAh4pc6HwFKXdk4RIxzBJk98Gk1aDW32izGjjpTNzBRfwhq9O5spJRtqA672Td36J9JbieGeLlBSXyKoFwUd_xhBZzVruRQ5yki3RfAXL56wPoUhbLCMiBLC2-NSG0X/s1600/1.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXIWjk7ztiasl6hSAh4pc6HwFKXdk4RIxzBJk98Gk1aDW32izGjjpTNzBRfwhq9O5spJRtqA672Td36J9JbieGeLlBSXyKoFwUd_xhBZzVruRQ5yki3RfAXL56wPoUhbLCMiBLC2-NSG0X/s320/1.jpeg" width="320" /></a></div>
<br />
<br />
<h3>
BC Detect innovative features</h3>
The main advantages of this product: <br />
<ul>
<li>remarkably fast</li>
<li>stable</li>
<li>real-time taint propagation</li>
<li>support for the latest browsers</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJNAyWRJg0ylIGI6yzunq1nohOoTS5WHmHaKiHg4QZed56F9HeWhJVpNXWZlmGMO3auN4Gyrp04XlN32TYA0ZBOtl3GMdKy9F3Z2Mci-d5YUEbgBedmUe5K8qQ3bHHrHmURSzLq8iD1YOX/s1600/2.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJNAyWRJg0ylIGI6yzunq1nohOoTS5WHmHaKiHg4QZed56F9HeWhJVpNXWZlmGMO3auN4Gyrp04XlN32TYA0ZBOtl3GMdKy9F3Z2Mci-d5YUEbgBedmUe5K8qQ3bHHrHmURSzLq8iD1YOX/s320/2.jpeg" width="320" /></a></div>
<br />
<h3>
Win a license</h3>
All the people that visited our stand at Infosecurity <a href="http://www.infosecurityeurope.com/en/Exhibitors/1106879/Minded-Security-UK-Limited/Products/993974/BlueClosure-Detect" target="_blank">(L79 at the first Floor)</a> were offered the chance to win a full 1 year license!<br />
<br />
<a href="mailto:info@blueclosure.com"></a><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5FKCeSLVbo3RBdwPVBD9pSzvesD1xWSCddkX08FgYZ0_DmtX-JHBXa2ruk2aWOHwXw6prMTeaOZTYhWltKTneb1rUqX7zBKjHy9EeZRX30IxkubM_qzxQv1yOLTJuDss8IPINgqpBW0s5/s1600/team.jpeg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5FKCeSLVbo3RBdwPVBD9pSzvesD1xWSCddkX08FgYZ0_DmtX-JHBXa2ruk2aWOHwXw6prMTeaOZTYhWltKTneb1rUqX7zBKjHy9EeZRX30IxkubM_qzxQv1yOLTJuDss8IPINgqpBW0s5/s320/team.jpeg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Find the <domxss> in the picture!</td></tr>
</tbody></table>
<br />
If you are one of the winners but you did not activate your license yet, contact us at info@blueclosure.com<br />
<br />
<div style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhY-RbLYLntnpUbFt0UCW-Rt1BwZAEzEbiPwqKcrrLVV7I8-S-HHNs6fx6Bsku2f9pXTSqt2uAsohXXWoxP_gIzYKoUAeIIk2d0y0SrU_oRn0jCMK4BSNQ356dOkSrxcRG-1kQcDX5q9eZV/s1600/unspecified.jpeg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhY-RbLYLntnpUbFt0UCW-Rt1BwZAEzEbiPwqKcrrLVV7I8-S-HHNs6fx6Bsku2f9pXTSqt2uAsohXXWoxP_gIzYKoUAeIIk2d0y0SrU_oRn0jCMK4BSNQ356dOkSrxcRG-1kQcDX5q9eZV/s320/unspecified.jpeg" width="320" /></a></div>
</span>Giorgio Fedonhttp://www.blogger.com/profile/17285473210424014740noreply@blogger.com34