GoSecure Blog

Large Scale Vulnerability Scanning with Jenkins

Find Security Bugs can often uncover interesting findings that may lead to the discovery of critical vulnerabilities. Back in May, we published on this blog two vulnerabilities in components of Spring, a Java web framework, using this tool. However, the process of using Find Security Bugs can be a little bit tedious to unseasoned Java users. Also, the process of analyzing compiled code and triaging the findings needed improvements. Here is the solution that was built to find vulnerabilities at scale.

Read More

Topics: appsec, devops, android, static analysis, tool, vulnerability, java

Beyond XSS: Edge Side Include Injection

Update: A new blog post has been published as a follow up to this article : ESI Part 2: Abusing specific implementations.

Abusing Caching Servers into SSRF and Client-Side Attacks

While conducting a security assessment, we noticed an unexpected behavior in the markup language Edge Side Includes (ESI), a language used in many popular HTTP surrogates (reverse proxies, load balancers, caching servers, proxy servers). We identified that successful ESI attacks can lead to Server Side Request Forgery (SSRF), various Cross-Site Scripting (XSS) vectors that bypass the HTTPOnly cookie mitigation flag, and server-side denial of service. We call this technique ESI Injection.

Read More

Topics: appsec, SSRF, vulnerability, web, XSS, ESI, exploitation

Building a Content Security Policy configuration with CSP Auditor

Content Security Policy - or CSP in short – is the latest milestone in browser XSS attack mitigation. Rather than relying on the browser's anti-XSS filter solely, it is now possible to instruct browsers to apply additional restrictions on external resources like Javascript. This is enforced via the CSP HTTP Headers. The true adoption of this standard will probably not happen before auto-generated and transparent CSP configuration become built-in to web frameworks. At the moment, manual work is still needed in most cases.

Read More

Topics: appsec, auditor, burp

An Introduction to Application Security

To remain in business, companies rely on perimeter security to protect, among other, their “secret sauce” recipe and the confidential information of their customers. To this end, information security vendors offer different types of defenses. The intent is commendable and the organization then feels confident, warm and cozy behind its firewall. However, there is something fishy. Businesses put up a variety of web applications on the Internet (thus accessible by everyone - including malicious actors) to offer different services. These applications can take many shapes, from transactional Web sites, to mobile applications or Web services. With them, the appropriate security question becomes: beyond securing the infrastructure, how can one defend these applications against hackers? The answer is: the proper design of the application’s source code. There you have it: application security.

Read More

Topics: appsec, process, sdlc, security

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all