11 min
Application Security
XSS in JSON: Old-School Attacks for Modern Applications
This post highlights how cross-site scripting has adapted to today’s modern web applications, specifically the API and Javascript Object Notation (JSON).
4 min
Vulnerability Management
CVE-2020-6287: Critical Vulnerability in SAP NetWeaver Application Server (AS) Java
The new SAP vulnerability (RECON), a critical vulnerability affecting the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard, is a huge deal.
1 min
Research
A Serial Problem: Exploitation and Exposure of Java Serialized Objects
In our new research report, we take a look at Java Serialized Objects (JSOs), which are a reliable threat vector and present a rising threat to enterprise networks.
2 min
Javascript
What are Javascript Source Maps?
It's generally a good practice to minify and combine your assets (Javascript &
CSS) when deploying to production. This process reduces the size of your assets
and dramatically improves your website's load time.
Source maps create a map from these compressed asset files back to the source
files.
This source map allows you to debug and view the source code of your compressed
assets, as if you were actually working with the original CSS and Javascript
source code.
Take a look at jQuery minifi
2 min
AppSpider
Web Application Security Testing: Single Page Applications Built with JavaScript Frameworks
In recent years, more and more applications are being built on popular new
JavaScript frameworks like ReactJS and AngularJS. As is often the case with new
application technologies, these frameworks have created an innovation gap for
most application security scanning solutions and an acute set of challenges for
those of us who focus on web application security
[https://www.rapid7.com/solutions/web-application-security.jsp]. It is
imperative that our application security testing approaches keep p
4 min
Application Security
AppSpider application security scanning solution deepens support for Single Page Applications - ReactJS
Today, Rapid7 is pleased to announce an AppSpider
[https://www.rapid7.com/products/appspider/] (application security scanning)
update that includes enhanced support for JavaScript Single Page Applications
(SPAs) built with ReactJS. This release is significant because SPAs are
proliferating rapidly and increasingly creating challenges for security teams.
Some of the key challenges with securing SPAs are:
1. Diverse frameworks - The diversity and number of JavaScript frameworks
contributes
5 min
Javascript
Client Side Logging In Javascript
Developers are writing Javascript applications of increasing complexity designed
to run in web browsers, on desktops, and on servers. Javascript applications
have reached a level of maturity that means they are running important business
operations. They must be more maintainable and supportable now that they have
achieved this level of responsibility in the enterprise. Javascript
applications should be expected to provide the same information for support and
maintenance as any other applic
2 min
Patch Tuesday
R7-2015-09: Oracle Java JRE AES Intrinsics Remote Denial of Service (CVE-2015-2659)
Java 8 server versions prior to u46 are susceptible to a remote unauthenticated
denial of service (hard crash) when used with AES intrinsics (AES-NI) CPU
extensions on supported processors. AES intrinsics are enabled by default on the
Oracle JVM if the JVM detects that processor capability, which is common for
modern processors manufactured after 2010. For more on AES-NI, see the
Wikipedia article [http://en.wikipedia.org/wiki/AES_instruction_set].
This issue was tracked in the OpenJDK pu
3 min
AppSpider
7 Ways to Improve the Accuracy of your Application Security Tests
For more than 10 years, application security testing
[https://www.rapid7.com/fundamentals/web-application-security-testing/] has been
a common practice for organizations to identify and remediate vulnerabilities in
their web applications. While it's difficult to figure out the best web security
software for your organization, there are seven key techniques that not only
increase the accuracy of testing in most applications, but also enable teams to
leverage expert resources to test necessary areas by hand.
IT secur
4 min
Haxmas
12 Days of HaXmas: Improvements to jsobfu
This post is the third in a series, 12 Days of HaXmas, where we take a look at
some of the more notable advancements and events in the Metasploit Framework
over the course of 2014.
Several months ago, Wei sinn3r [https://twitter.com/_sinn3r] Chen and I landed
some improvements to Metasploit's Javascript obfuscator, jsobfu. Most notably,
we moved it out to its own repo [https://github.com/rapid7/jsobfu] and gem
[https://rubygems.org/gems/jsobfu], wrapped it in tests, beefed up its AV
resilience, and
2 min
Javascript
Oracle CPU: July 2014
Oracle's Quarterly Critical Patch Update (CPU) is never a minor event. In April
we saw 104 security issues addressed, in January it was 144. This time around
we are faced with 113 updates. These updates span the entire portfolio of
Oracle software, including the JRE, Solaris, Oracle Database, MySQL, and
numerous web and middleware products.
What stands out is the belated fix for Heartbleed in MySQL Enterprise Server,
coming fully 3 months after Oracle fixed that issue in their other products
5 min
Exploits
Exploiting CSRF under NoScript Conditions
CSRFs -- or Cross-Site Request Forgery
[https://www.rapid7.com/fundamentals/cross-site-request-forgery/]
vulnerabilities -- occur when a server accepts requests that can be “spoofed”
from a site running on a different domain. The attack goes something like this:
you, as the victim, are logged in to some web site, like your router
configuration page, and have a valid session token. An attacker gets you to
click on a link that sends commands to that web site on your behalf, without
your knowledge
4 min
Haxmas
12 Days of HaXmas: Exploiting (and Fixing) RJS Rails Info Leaks
This post is the fifth in a series, 12 Days of HaXmas, where we take a look at
some of the more notable advancements in the Metasploit Framework over the
course of 2013.
Several weeks ago, Egor Homakov wrote a blog post
[http://homakov.blogspot.com/2013/11/rjs-leaking-vulnerability-in-multiple.html]
pointing out a common info leak vulnerability in many Rails apps that utilize
Remote JavaScript. The attack vector and implications can be hard to wrap your
head around, so in this post I'll explain ho
1 min
Javascript
Oracle October 2013 CPU roundup
The story here is that Oracle has synced up their Java patching with the rest of
their patching cycle and, when it comes to vulnerabilities, Java always steals
the show. The CPU includes fixes for 127 vulnerabilities in Oracle products, but
aside from Java, it's mostly ho-hum, low impact stuff. There's a CVSS 8.5
vulnerability in MySQL's Enterprise Service manager, but besides the Java
patches, nothing else jumps out as particularly interesting.
The Java patches include 51 of the 127 addresse
2 min
Javascript
Oracle April 2013 CPU - 42 Java vulns!
Oracle Security had a busy day yesterday. They released two of their Cumulative
Patch Updates, one for Java and one for everything else that they patch. The
Java CPU contains 19 CVEs with CVSS base score of 10 (the highest you can go)
indicating that exploiting the vulnerability is not particularly challenging and
could give complete control of compromised systems. For all of these
vulnerabilities, the browser is the vector of exploit. For one of those
(CVE-2013-1537) some Java server configurat