Ieee S&P 2020 - Software Security: from Research to Industry.
0 likes131 views
Minded Security, founded in 2007, focuses on raising awareness in application security (appsec) through research and innovative strategies, particularly targeting client-side vulnerabilities in browsers and plugins. Their research has addressed significant issues like cross-site scripting in Adobe, Java applet vulnerabilities, and has contributed to formalizing various web attack techniques. With a commitment to ongoing education and awareness, Minded Security has established itself as a key player in the international appsec landscape.
Ieee S&P 2020 - Software Security: from Research to Industry.
- 2. w w w . m i n d e d s e c u r i t y . c o m Who we are ✓ ✓ ✓ ✓ ✓
- 3. w w w . m i n d e d s e c u r i t y . c o m Mission - Since 2007 ✓ ✓ ✓ Minded Security: focus and strategies
- 4. w w w . m i n d e d s e c u r i t y . c o m Here’s a little journey through time telling the story of Minded Security approach and results in AppSec research. 4
- 5. w w w . m i n d e d s e c u r i t y . c o m 5 Industry in 2007
- 6. w w w . m i n d e d s e c u r i t y . c o m It was 2007. We founded Minded Security with in mind that: ❑ Awareness is the first step to any change. ❑ Every year needs and offers change. ❑ Technology market pushes for innovation. ❑ We are an ambitious group of smart people with an high level of expertise. ❑ Each company is a drop in the ocean of InfoSec Market (it was in 2k7, let alone today! :) 6 Minded Security
- 7. w w w . m i n d e d s e c u r i t y . c o m SINCE “Awareness is the first step to any change” AND We want AppSec to be pushed in SDLC as much as possible LET’S CONSIDER AppSec Research as one of the keys to AppSec awareness (well... as long as it involves widespread software ;) ...and let’s see what happens! 7 AppSec Awareness in Software Industry
- 8. w w w . m i n d e d s e c u r i t y . c o m In 2007, when the majority was improving the server side with WAFs, preventing SQL Injections and such. What is the less mature type of software and most widespread? The client side. That was the first research in Minded Security. 8 2007-2017 - The Client Side
- 9. w w w . m i n d e d s e c u r i t y . c o m ❑ Focus on browsers and browser plugins. ❑ Browsers + Adobe and Flash are on every PC and people and companies completely trust the Browser sandbox… ❑ Most of the vulnerabilities rely on hard-to-find issues and exploit such as Buffer Overflows and similar. 9 2007 - Client side Security
- 10. w w w . m i n d e d s e c u r i t y . c o m ❑ Adobe Universal Cross Site Scripting was an earthquake in Info Security. ❑ For its simplicity and impact: ▪ Any browser accessing a pdf, locally or remotely, would have let an attacker to read any file by abusing JavaScript Ajax functionalities and the JavaScript: pseudo protocol. http://host/file.pdf#blah=javascript:alert(“XSS”); < Remote file:///C:/Program%20Files/Adobe/Acrobat%207.0/Resource/ENUtxt.pdf#blah=javascript:alert(“XSS”); < Local 10 2007 - The Adobe UXSS
- 11. w w w . m i n d e d s e c u r i t y . c o m Industry response - Adobe: 11 San Jose AppSec 2007
- 12. w w w . m i n d e d s e c u r i t y . c o m ❑ Flash Research + Tool to check issues at runtime using smart fuzzing. ❑ Actionscript, exposed several methods that could be abused by attackers in SWF files. ❑ Impact was similar to a UXSS but for SWF files. A few months later we were asked by Google to give a Google Tech Talk. This raised awareness among the SWF Devs community 12 2008 Flash Security Research
- 13. w w w . m i n d e d s e c u r i t y . c o m ❑ Java Applets on DNS Rebinding: ▪ again, a client side issue exposing any browser to access arbitrary files in the internal network. https://blog.mindedsecurity.com/2010/10/dns-rebinding-on-java-applets.html “DNS rebinding is a technique that turns a victim’s browser into a proxy for attacking private networks. Attackers can change the IP associated with a domain name after it has been used to load JavaScript. Since Same-Origin Policy (SOP) is domain-based, the JavaScript will have access to the new IP.” 13 2010 - Java Applets
- 14. w w w . m i n d e d s e c u r i t y . c o m 14 DNS Rebinding
- 15. w w w . m i n d e d s e c u r i t y . c o m So, what’s the status of Browsers Plugin today? Minded Security with its published research and advisories contributed to raising awareness in AppSec Industry in the topic of Browsers and Plugins. 15 What’s the status of Browsers Plugin today?
- 16. w w w . m i n d e d s e c u r i t y . c o m ❑ The last step was JavaScript analysis. ❑ We created the first tool using Dynamic Tainting to Identify and Analyze DOM Based XSS at runtime (IAST Tool when no one used to call it that way) ▪ DOMinator - Rewrite of Mozilla JS Engine (2011) • https://blog.mindedsecurity.com/2011/05/dominator-project.html ▪ BCDetect - Rewrite of JS on-the-fly (2016) 16 2010 - JavaScript Security
- 17. w w w . m i n d e d s e c u r i t y . c o m The new motto is: If you can’t name it you can’t identify it! ❑ Lacks of Attack formalization creates a void around particular vulnerabilities. ❑ AppSec Industry needs formalization of attacks! ❑ Minded Security Contribution to this: ▪ 2009 JBOSS Bypass with Verb Tampering ▪ 2009 HTTP Parameter Pollution ▪ 2011 Expression Language Injection ▪ 2016 EL Injection in NetBeans 17 2009-2016 AppSec Industry Lacks
- 18. w w w . m i n d e d s e c u r i t y . c o m ❑ Vulnerability found and formalized by Arshan Dabirsiaghi. ❑ We found a very important issue on default JBoss installations. “Any user with with network access to a JBoss server was able to bypass authentication control and perform Remote Command Execution on the JBoss remote instance.” https://www.mindedsecurity.com/index.php/research/advisories/msa030409 ❑ Thanks to the formalization of the issue we (and other researchers) were able to identify issues on several products. https://cheatsheetseries.owasp.org/assets/REST_Security_Cheat_Sheet_Bypassing_VBAAC_with_HTTP_Verb_Tampe ring.pdf 18 JBoss - Verb Tampering
- 19. w w w . m i n d e d s e c u r i t y . c o m Presented with Luca Carettoni at OWASP AppSec in 2009 Formalizes a particular type of Web Attack which takes advantage of parsing issues of a web application. https://owasp.org/www-pdf-archive/AppsecEU09_CarettoniDiPaola_v0.8.pdf 19 2009 - HTTP Parameter Pollution
- 20. w w w . m i n d e d s e c u r i t y . c o m ❑ A Spring related issue that due to double evaluation allows an attacker to execute code in the context of the Expression Language. ❑ The impact can vary from XSS, Sensitive Data access to RCE. https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf ❑ Several vulnerabilities of EL Injection have been found after the publication of our paper. ❑ This research led a few years later to a more general formalization named “Template Injection” by James Kettle of PortSwigger. 20 2011 - Expression Language Injection
- 21. w w w . m i n d e d s e c u r i t y . c o m ❑ There is a virtual space everyone’s expects to be private, even at home. ▪ How do we conceive our personal space in internet? ▪ How in our home/office/company? ❑ The issue involves what might be called: Internal Perimeter Privacy or Cyber Proxemics ❑ Minded Security research also covered this topics with: ▪ 2018 - JStillery: JavaScript Malware Deobfuscation ▪ 2019 - DNS Rebinding + UPnP: A research to raise awareness about an issue known since 2006. ▪ 2020 - Behave! A Browser Extension to warn if a web page performs malicious scans in the internal network. 21 2018-2020 - Internal Perimeter Privacy
- 22. w w w . m i n d e d s e c u r i t y . c o m https://www.slideshare.net/mindedsecurity/js-deobfuscation-with-jstillery-bsidesroma-2018 22 2018 - JStillery
- 23. w w w . m i n d e d s e c u r i t y . c o m ❑ DNS Rebinding.Rewind + IOT == Privacy gone 23 2019 DNS Rebinding + UPnP
- 24. w w w . m i n d e d s e c u r i t y . c o m ❑ A (Still in Development) monitoring browser extension for pages acting as bad boys. https://github.com/mindedsecurity/behave 24 2020 - Behave!
- 25. w w w . m i n d e d s e c u r i t y . c o m ❑ A (Still in Development) monitoring browser extension for pages acting as bad boys. https://github.com/mindedsecurity/behave 25 2020 - Behave!
- 26. w w w . m i n d e d s e c u r i t y . c o m Key Role of Minded Security in OWASP ✓ ✓ ✓ ✓ ✓
- 27. w w w . m i n d e d s e c u r i t y . c o m ❑ Research, Development, Participation and Vertical Expertise are a winning approach if pursued with attention and dedication. ❑ Our expertise is supported and cherished by a team of very smart people working with passion and focus. ❑ This approach led Minded Security to be an important reality in Application Security since 2007 to present day. ❑ At international level. 27 Conclusions
- 28. w w w . m i n d e d s e c u r i t y . c o m Minded Security Customers & Global Reach