The nVisium Blog

Secure Password Strings in Java and C#

Published on March 31, 2016 by David Coursey

For the second time in a few months I had a conversation with friends on this Fortify finding - Privacy Violation: Heap Inspection.

The description reads:

"Sensitive data (such as passwords, social security numbers, credit card numbers, etc.) stored in memory can be leaked if it is stored in a managed String object."

The threat here is that the string data will remain in memory long enough to be retrieved by an attacker. This is exactly why Heartbleed (TM) was such a big problem: strings in memory could be accessed long after they were no longer being used. If you ran the exploit a bunch of times and were lucky, it would give you passwords or private keys.


Exploring SSTI in Flask/Jinja2, Part II

Published on March 11, 2016 by Tim Tomes

I recently wrote this article about exploring the true impact of Server-Side Template Injection (SSTI) in applications leveraging the Flask/Jinja2 development stack. My initial goal was to find a path to file or operating system access. I was previously unable to do so, but thanks to some feedback on the initial article, I have since been able to achieve my goal. This article is the result of the additional research.


Exploring SSTI in Flask/Jinja2

Published on March 9, 2016 by Tim Tomes

If you've never heard of Server-Side Template Injection (SSTI) or aren't exactly sure what it is, then read this article by James Kettle before continuing.

As security professionals, we are in the business of helping organizations make risk-based decisions. Seeing as risk is a product of impact and likelihood, without knowing the true impact of a vulnerability we are unable to properly calculate the risk. As someone who frequently develops using the Flask framework, James' research prompted me to determine the full impact of SSTI on applications developed using the Flask/Jinja2 development stack. This article is the result of that research. If you want a little more context before diving in, check out this article by Ryan Reid, which shows what SSTI looks like in Flask/Jinja2 applications.


CAPTCHA: What? Why? Build. Break.

Published on March 2, 2016 by Kyle Rippee

Love them, hate them, or otherwise, in this day and age CAPTCHAs are a part of everyday life on the web. In this blog we will dig a little deeper into the technology behind CAPTCHAs to find out what they are, why they are used, and how they are created, implemented, bypassed and broken. What are these things, and why are they everywhere?


Rails Dynamic Render to RCE (CVE-2016-0752)

Published on January 26, 2016 by John Poulin

Tl;dr: If your application uses dynamic render paths (e.g. render params[:id]), then you are vulnerable to remote code execution via local file inclusion. Update to the latest version of Rails, or refactor your controllers.

In this blog post we will be demonstrating the exploitation of a flaw in the Ruby on Rails framework that allows attackers to remotely execute code in certain circumstances.


What to Expect When You're Overriding

Published on December 21, 2015 by Ernie Miller

We've all been there. You're using some library or framework that's saving you SO MUCH TIME... until you run into that one little thing it does wrong. Whether "wrong" means buggy or just "different than the way I would do it," you're now faced with a choice: do you override behavior or do you live with it? Sometimes the obvious choice can have unintended consequences.