Multiple critical vulnerabilities in Maxthon and Avant browsers

2012-12-11 Thread Roberto Suggi Liverani
Hi,

Below you can find a short summary of the vulnerabilities discovered in
the Maxthon and Avant browsers.
These vulnerabilities were demonstrated during the HITBAMS2012 security
conference and more recently at HackPra.

Affected Products

- Maxthon (www.maxthon.com)
- Avant Browser (www.avantbrowser.com)

Security advisories

- [advisory] Maxthon multiple vulnerabilities:
http://www.security-assessment.com/files/documents/advisory/Maxthon_multiple_vulnerabilities_advisory.pdf
- [advisory] Avant multiple vulnerabilities:
http://www.security-assessment.com/files/documents/advisory/Avant_multiple_vulnerabilities_advisory.pdf

Individual security advisories, exploit modules and video links can be
found below.

[1] Maxthon - Cross Context Scripting - about: history - Remote Code Execution

[advisory] 
http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html
[metasploit module]
https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_history_xcs.rb
[demo] http://www.youtube.com/watch?v=d-55asVLqNI


[2] Maxthon - Cross Context Scripting (XCS) - RSS - Remote Code Execution

[advisory] 
http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-rss-rce.html
[metasploit module]
https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_rss_xcs.rb
[demo] http://www.youtube.com/watch?v=d-55asVLqNI


[3] Maxthon - Privileged APIs on i.maxthon.com

[advisory] 
http://blog.malerisch.net/2012/12/maxthon-privileged-api-imaxthoncom.html
[demo] http://www.youtube.com/watch?v=1IqZBS0O2Hs


[4] Maxthon - Cross Context Scripting (XCS) - Bookmark Toolbar and
Bookmark Sidebar - Code Execution

[advisory] 
http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-bookmark.html
[demo] http://www.youtube.com/watch?v=YR0RQz45t3M


[5] Maxthon - Incorrect Executable File Handling and Same Origin
Policy Implementation

[advisory] 
http://blog.malerisch.net/2012/12/maxthon-incorrect-executable-file-sop.html


[6] Avant Browser - Same of Origin Policy Bypass - browser:home

[advisory] 
http://blog.malerisch.net/2012/12/avant-browser-same-of-origin-policy.html
[BeEF module] 
https://github.com/malerisch/beef/tree/avant_browser/modules/exploits/avant_steal_history
[demo] http://www.youtube.com/watch?v=I4LiSfTmuM0


[7] Avant Browser - Stored Cross Site Scripting - Feed Reader
(browser://localhost/lst?*)

[advisory] 
http://blog.malerisch.net/2012/12/avant-browser-stored-cross-site-scripting.html
[demo] http://www.youtube.com/watch?v=-mShxsspxy8


[8] Avant Browser - Cross Context Scripting - browser:home - Most
Visited And History Tabs

[advisory] 
http://blog.malerisch.net/2012/12/avant-browser-cross-context-scripting.html
[demo] http://www.youtube.com/watch?v=cHHtsOpYGH4

References

[presentation] HITBAMS2012 - Window Shopping: Browser Bugs Hunting in
2012 - 
http://www.security-assessment.com/files/documents/presentations/window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf
[presentation] HackPra - Cross Context Scripting attacks 
exploitation - 
http://www.slideshare.net/robertosl81/cross-context-scripting-attacks-exploitation

Any further material, comments or updates will be communicated over
Twitter, at https://twitter.com/malerisch

Roberto Suggi Liverani


Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

2010-10-21 Thread Roberto Suggi Liverani
Hi Michael,
 
Let me share some background on this advisory...

I came to this result when I was looking into a way of exploiting the
Apache Web Server Compatibility with older browser feature. A separate
paper has been published here:
 
http://www.security-assessment.com/files/whitepapers/Leveraging_XSRF_with_Apache_Web_Server_Compatibility_with_older_browser_feature_and_Java_Applet.pdf


Interestingly enough, I got the idea of using Java Applet to achieve the
attack described above after I bumped into the following from your
browser security handbook
(http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_Java): 


The ability to send same-origin HTTP requests using the browser stack
via the URLConnection API, with virtually no security controls,
including the ability to set Host headers, or insert conflicting caching
directives. On the upside, it appears that there is no ability to read
30x redirect bodies or httponly cookies from within applets.
 
After that, I thought a Java Applet could be quite handy when it comes to
forcing the browser to perform a non-standard/malformed HTTP request (e.g.
multiple Host: headers, which exploit the Apache feature mentioned above).
 
At the same time, I also realised that in my testing environment I was
using virtual hosts resolving to the same IP address. Following a
discussion with Apache Security Team and after further research, I have
found that the Java Applet could be used to control the cookie header
sent to a different domain...
 
But let's come back to your response - you mention a bug from
Stefano but I am not aware whether it is the same bug or a different one.
When I contacted the vendor, they created a new ticket for the
bug and told me that it would be fixed with the next critical
patch release in October 2010. They didn't mention that anyone had
already reported an identical bug, as they normally do when
cross-referring bug reports. Apologies in advance if this is a bug
Stefano or someone else reported before August the 1st.
 
Furthermore, my testing was performed on the latest JRE version (build
1.6.0_21-b07) so I assumed (wrongly?) that all previous critical bugs
were fixed.
 
The main issue reported is related to the getRequestProperty('cookie')
property, which can be controlled by a Java Applet. This could lead to
leaking cookies to unauthorised domains, given that the attack is performed
between domains that resolve to the same IP address.
 
The fix provided by Oracle is that getRequestProperty('cookie') now
returns a 'Null' value and can no longer be controlled via the Java
Applet, even if the URLConnection class is used to perform a cross site
request between domains that resolve to the same IP address. The fix
effectively mitigates the attack shown in the PoC but does not resolve
the behavior you mention:
 
Two hosts are considered equivalent if both host names can be resolved
into the same IP addresses

Unfortunately, the above statement is still enforced in the Java Applet, as
the URLConnection class can be used to make a request between two
domains that resolve to the same IP address without a crossdomain.xml
policy.

In my advisory, I stated: The Java Applet bypasses the Same-of-Origin
policy (SOP) as an unsigned Java Applet should not be able to
communicate from www.badsite.com to www.targetsite.net without a
crossdomain.xml.
 
According to the documentation/design, there is no SOP bypass as both
hosts are considered equivalent. However, in practice, there is a SOP
bypass, as cookies can leak to an unauthorised domain.
 
Hope this sheds some light on this research ;-). Apologies if I didn't
explain the above well enough in the original advisory.
 
Cheers,

Roberto

Michal Zalewski wrote:
> > Security-Assessment.com follows responsible disclosure
> > and promptly contacted Oracle after discovering
> > the issue. Oracle was contacted on August 1,
> > 2010.
>
> My understanding is that Stefano Di Paola of Minded Security reported
> this back in April; and further, the feature was a part of reasonably
> well-documented functionality of Java pretty much ever since:
>
> http://download.oracle.com/javase/6/docs/api/java/net/URL.html
>
> Two hosts are considered equivalent if both host names can be
> resolved into the same IP addresses
>
> This was a pretty horrible design, so it's good to see it gone, though.
>
> /mz

-- 
Roberto Suggi Liverani
Senior Security Consultant
Mob. +64 21 928 780
www.security-assessment.com





Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

2010-10-19 Thread Roberto Suggi Liverani

   (, ) (,
  .   `.' ) ('.',
   ). , ('.   ( ) (
  (_,) .`), ) _ _,
 /  _/  / _  \     _  
 \  \==/ /_\  \ _/ ___\/  _ \ / \ 
 /   \/   |\\  \__(  _ )  Y Y  \
/__  /\___|__  / \___  /|__|_|  /
\/ \/.-.\/ \/:wq 
(x.0)
  '=.|w|.='
  _='```=.

presents..

Oracle JRE - java.net.URLConnection class – 
Same-of-Origin (SOP) Policy Bypass

PDF: 
http://www.security-assessment.com/files/advisories/Oracle_JRE_java_net_urlconnection_SOP_Bypass.pdf
CVE Identifier: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3573


+---+
|Description|
+---+

Security-Assessment.com discovered that a Java Applet 
making use of the java.net.URLConnection class can be used 
to bypass the same-of-origin (SOP) policy and domain based 
security controls in modern browsers when communication 
occurs between two domains that resolve to the same IP 
address. This advisory includes a Proof-of-Concept 
(PoC) demo and the Java Applet source code, which 
demonstrates how this security issue can be exploited to leak 
cookie information to an unauthorised domain, which 
resides on the same host IP address.

++
|Exploitation|
++

The Flash movie demo can be viewed at the following 
link:

http://www.security-assessment.com/files/advisories/java_net_urlconnection_sop_bypass_demo.swf

The Proof of Concept (PoC) in the demo demonstrates that a 
Cross Site Request Forgery (XSRF) attack can be leveraged 
by using a Java Applet which implements the 
java.net.URLConnection class. Traditionally, XSRF is used 
to force a user to perform an unwanted action on a target 
web site. In this case, the PoC shows that XSRF can be 
used to capture sensitive information such as the cookie 
associated with a target web site.

The following assumptions are made in this PoC:

1. Virtual hosts www.targetsite.net and 
www.badsite.com resolve to the same IP address;

2. Malicious user controls www.badsite.com web site;

3. Malicious user targets www.targetsite.net users.

The following list summarises the sequence of actions 
shown in the demo:


1. User has a valid cookie for www.targetsite.net

2. The same user visits www.badsite.com, which performs 
a cross site forged request to www.targetsite.net. 
The forged request is performed by a Java Applet 
embedded on the malicious site. The Java Applet 
bypasses the Same-of-Origin policy, as an unsigned Java 
Applet should not be able to communicate 
from www.badsite.com to www.targetsite.net without 
a crossdomain.xml policy file.

3. The Java Applet performs a first GET request to 
www.targetsite.net. At this stage, the Java Applet 
controls the Cookie: header sent to www.targetsite.net
through the getRequestProperty("cookie") method.
This is in breach of SOP.

4. A second request is done for the purpose 
of the demo, which leaks the www.targetsite.net 
cookies to www.badsite.com via an HTTP GET 
request.


Testing was successfully performed using Java(TM) 
SE Runtime Environment (build 1.6.0_21-b07) and the 
following browsers:

- Mozilla Firefox 3.5.8 (Windows XP)
- Opera 10.60 (Windows XP)
- Internet Explorer 6.0.2900.5512 (Windows XP)
- Google Chrome 5.0.375.9 (Windows XP)
- Internet Explorer 8.0.6001.18702 (Windows XP)
- Safari 5.0 (7533.16) (Windows XP)

The Java Applet source code used in the demo can be 
downloaded at the following link:

http://www.security-assessment.com/files/advisories/MaliciousJavaApplet.zip

++
|Solution|
++

Security-Assessment.com follows responsible disclosure
and promptly contacted Oracle after discovering
the issue. Oracle was contacted on August 1,
2010.

Oracle has created a fix for this vulnerability which 
has been included as part of Critical Patch Update 
Advisory - October 2010. Security-Assessment.com 
recommends that all users of JRE and JDK upgrade to 
the latest version as soon as possible. 

For more information on the new release of JRE/JDK 
please refer to the link:

http://www.oracle.com/technetwork/java/javase/downloads/index.html

+--+
|Credit|
+--+

Discovered and advised to Oracle
August 2010 by Roberto Suggi Liverani of 
Security-Assessment.com.

Personal site: http://malerisch.net

+-+
|Extra|
+-+

Another interesting attack was discovered as part 
of the research on this vulnerability.
This attack is another example of leveraging XSRF 
with the potential of leaking cookies, basic and digest
authentication tokens using a Java Applet and the 
Compatibility with older browser feature in 
Apache Web Server.

For a PDF version of this research please follow the link below:

http://www.security-assessment.com/files/whitepapers/Leveraging_XSRF_with_Apache_Web_Server_Compatibility_with_older_browser_feature_and_Java_Applet.pdf


+-+
|About Security-Assessment.com|
+-+

Security-Assessment.com is a New Zealand based world
leader in web

Security-Assessment.com WhitePaper/Addendum: Cross Context Scripting with Firefox Exploiting Cross Context Scripting vulnerabilities in Firefox

2010-04-22 Thread Roberto Suggi Liverani


Hi there,

For the last year, we have been focusing on 
Firefox Extension security and we have now
released a research paper and an addendum
on the topic of Cross Context Scripting (XCS).

The research paper Cross Context Scripting 
with Firefox demonstrates different ways of 
attacking Firefox extensions via Cross 
Context Scripting (XCS) vulnerabilities. 
Several XCS cases are detailed, including 
vulnerable extension code and exploit.

Cross Context Scripting with Firefox - Roberto Suggi Liverani
Link: 
http://www.security-assessment.com/files/whitepapers/Cross_Context_Scripting_with_Firefox.pdf

The addendum Exploiting Cross Context 
Scripting vulnerabilities in Firefox 
includes a number of exploits tailored 
for Cross Context Scripting vulnerabilities.

Exploiting Cross Context Scripting vulnerabilities in Firefox - Nick Freeman, 
Roberto Suggi Liverani
Link: 
http://www.security-assessment.com/files/whitepapers/Exploiting_Cross_Context_Scripting_vulnerabilities_in_Firefox.pdf


++
|Abstract|
++

Cross Context Scripting (XCS) is a term coined 
for a browser based content injection in the 
Firefox chrome zone. This term was originally 
used by researcher Petko D. Petkov (pdp), when 
David Kierznowski found a vulnerability in the 
Sage RSS Reader Firefox extension.
XCS injection occurs between different 
security zones, an untrusted and a trusted 
zone. 

This paper details several XCS cases. XCS 
attacks may be possible due to a lack of 
input filtering controls for example. 
However, other components may be vulnerable as 
well, including wrappers, XPCOM components, XUL 
overlays, the browser sandbox and DOM events.

This paper can be seen as complementary to the 
presentations given at the EUSecWest 2009, DEFCON 17
and SecurityByte & OWASP AppSec Asia 2009 
security conferences.

++
|Acknowledgements|
++

Special thanks go to Paul Craig, kuza55 and
Stefano Di Paola for their invaluable feedback.


+-+
|About Security-Assessment.com|
+-+

Security-Assessment.com is a New Zealand based world
leader in web application testing, network security
and penetration testing. Security-Assessment.com
services organisations across New Zealand, Australia,
Asia Pacific, the United States and the United
Kingdom.


-- 
Roberto Suggi Liverani
Senior Security Consultant
Mob. +64 21 928 780
www.security-assessment.com



Multiple Adobe Products - XML External Entity And XML Injection Vulnerabilities

2010-02-23 Thread Roberto Suggi Liverani
 BlazeDS 3.2.0.39
Linux Ubuntu 9.04 / Tomcat 6.0.14

Endpoint URIs:

{server.name}:{server.port}/
{context.root}/messagebroker/http
{server.name}:{server.port}/
{context.root}/messagebroker/httpsecure 

Methods: POST, GET
Protocols: HTTP, HTTPS


2. Adobe LiveCycle Data Services ES2 3.0
Windows XP SP2 / Tomcat 6.0.14

Endpoint URIs:

{server.name}:{server.port}/
{context.root}/messagebroker/http
{server.name}:{server.port}/
{context.root}/messagebroker/httpsecure 

Methods: POST, GET
Protocols: HTTP, HTTPS

3. ColdFusion 9.0
Windows XP SP2 / Tomcat 6.0.14

Endpoint URIs:

{server.name}:{server.port}/
{context.root}/flex2gateway/http
{server.name}:{server.port}/
{context.root}/flex2gateway/httpsecure  

Methods: POST, GET
Protocols: HTTP, HTTPS

4. Adobe LiveCycle ES2
Windows XP SP2 / IBM Websphere 7.0

Endpoint URIs:

{server.name}:{server.port}/
{context.root}/messagebroker/http
{server.name}:{server.port}/
{context.root}/messagebroker/httpsecure 

Methods: POST, GET
Protocols: HTTP, HTTPS

The vendor has released several patches for this 
vulnerability. See the Solution section of this 
document for more information.

++
|Exploitation - XML Injection|
++

The XML parser lacks proper input and output 
validation controls. Security-Assessment.com managed
to inject arbitrary XML content which was returned
in the XML response. 
The following table shows an XML injection in the 
BlazeDS HTTPChannel. The injected payload becomes 
part of the response. In this case, injection is 
possible via the “responseURI” attribute.

XMLInjection – BlazeDS - Request

POST /samples/messagebroker/http HTTP/1.1
Content-type: application/x-amf

<?xml version="1.0" encoding="utf-8"?>
<amfx ver="3"><body targetURI="" responseURI="d&quot; injectedattr=&quot;anything"><null/></body></amfx>

XMLInjection – BlazeDS - Response

<?xml version="1.0" encoding="utf-8"?>
<amfx ver="3"><body targetURI="d" injectedattr="anything" responseURI=""><null/></body></amfx></body></amfx>

The above injection was successfully tested on 
multiple Adobe products, as shown below:

1. Product: Adobe BlazeDS 3.2.0.39
Linux Ubuntu 9.04 / Tomcat 6.0.14

Endpoint URIs:

{server.name}:{server.port}/
{context.root}/messagebroker/http
{server.name}:{server.port}/
{context.root}/messagebroker/httpsecure 

Methods: POST, GET
Protocols: HTTP, HTTPS


2. Adobe LiveCycle Data Services ES2 3.0
Windows XP SP2 / Tomcat 6.0.14

Endpoint URIs:

{server.name}:{server.port}/
{context.root}/messagebroker/http
{server.name}:{server.port}/
{context.root}/messagebroker/httpsecure 

Methods: POST, GET
Protocols: HTTP, HTTPS

3. ColdFusion 9.0
Windows XP SP2 / Tomcat 6.0.14

Endpoint URIs:

{server.name}:{server.port}/
{context.root}/flex2gateway/http
{server.name}:{server.port}/
{context.root}/flex2gateway/httpsecure  

Methods: POST, GET
Protocols: HTTP, HTTPS

4. Adobe LiveCycle ES2
Windows XP SP2 / IBM Websphere 7.0

Endpoint URIs:

{server.name}:{server.port}/
{context.root}/messagebroker/http
{server.name}:{server.port}/
{context.root}/messagebroker/httpsecure 

Methods: POST, GET
Protocols: HTTP, HTTPS


The vendor has released several patches for this 
vulnerability. See the Solution section of this 
document for more information.


++
|Solution|
++

Security-Assessment.com follows responsible
disclosure and promptly contacted the vendor after 
discovering the issues. The vendor was contacted on 
the 6th November 2009 and a reply was received on the
same day. The vendor released security patches on 
the 11th February 2010.
  
The security patches can be downloaded at the 
following website: 

http://www.adobe.com/support/security/bulletins/apsb10-05.html


+--+
|Credit|
+--+

Discovered and advised to Adobe in
November 2009 by Roberto Suggi Liverani of Security-
Assessment.com. Personal Page: http://malerisch.net/

For full details regarding this vulnerability
download the PDF from our website:

http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf


+-+
|Greetings|
+-+

Bug found at Hack in The Sun 2009, Waiheke Island.


+-+
|About Security-Assessment.com|
+-+

Security-Assessment.com is a New Zealand based world
leader in web application testing, network security
and penetration testing. Security-Assessment.com
services organisations across New Zealand, Australia,
Asia Pacific, the United States and the United
Kingdom.

Roberto Suggi Liverani
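Added example, not part of the advisory above or of any Adobe code: a JavaScript model of the responseURI echo that the advisory's request/response pair shows. The request is re-typed from the advisory; the server-side handling (decode the request's responseURI and write it back as the targetURI of the response body) is an assumption made to reproduce the shape of the response. The unsafe serialiser concatenates the value and lets injectedattr become a real attribute; the fixed one escapes on output, with an input check as a second layer.

```javascript
// Added example (not from the Security-Assessment.com advisory, not Adobe code):
// model of the BlazeDS HTTPChannel responseURI echo, vulnerable and fixed.
// Server behaviour below is an assumption: the request's responseURI is decoded
// and written back as the response body's targetURI.

// Request re-typed from the advisory. The AMFX parser decodes &quot;, so the
// server sees the value  d" injectedattr="anything  for responseURI.
const REQUEST_FROM_ADVISORY =
  '<?xml version="1.0" encoding="utf-8"?>' +
  '<amfx ver="3"><body targetURI="" responseURI="d&quot; injectedattr=&quot;anything">' +
  '<null/></body></amfx>';

// Minimal XML entity decoding for the attribute values this model handles.
function decodeXmlEntities(s) {
  return s.replace(/&quot;/g, '"').replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Escape a value for use inside a double-quoted XML attribute.
function escapeXmlAttr(value) {
  return String(value).replace(/&/g, '&amp;').replace(/</g, '&lt;')
                      .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Pull the (decoded) responseURI out of the request's <body> element.
function extractResponseURI(requestXml) {
  const m = requestXml.match(/<body\b[^>]*\bresponseURI="([^"]*)"/);
  return m ? decodeXmlEntities(m[1]) : '';
}

// Vulnerable serialiser: the client-controlled value goes in verbatim, so a
// quote inside it terminates the attribute and the rest becomes new markup.
function buildResponseUnsafe(echoedTargetURI) {
  return '<?xml version="1.0" encoding="utf-8"?>' +
         '<amfx ver="3"><body targetURI="' + echoedTargetURI +
         '" responseURI=""><null/></body></amfx>';
}

// Fixed serialiser: every attribute value passes through escapeXmlAttr.
function buildResponseSafe(echoedTargetURI) {
  return '<?xml version="1.0" encoding="utf-8"?>' +
         '<amfx ver="3"><body targetURI="' + escapeXmlAttr(echoedTargetURI) +
         '" responseURI=""><null/></body></amfx>';
}

// Input-side control: a URI value has no business containing markup characters.
// Output escaping remains the primary defence; this is a second layer.
function hasMarkupChars(value) {
  return /[<>"']/.test(value);
}

// Attribute names of the first <tagName ...> start tag, used to show whether
// injectedattr became a real attribute or stayed inside the targetURI value.
function attributeNames(xml, tagName) {
  const tag = xml.match(new RegExp('<' + tagName + '((?:\\s+[^\\s=>]+="[^"]*")*)\\s*/?>'));
  if (!tag) return [];
  const names = [];
  const attrRe = /\s+([^\s=>]+)="[^"]*"/g;
  let a;
  while ((a = attrRe.exec(tag[1])) !== null) names.push(a[1]);
  return names;
}

function handleUnsafe(requestXml) { return buildResponseUnsafe(extractResponseURI(requestXml)); }
function handleSafe(requestXml)   { return buildResponseSafe(extractResponseURI(requestXml)); }

console.log('unsafe response attributes:', attributeNames(handleUnsafe(REQUEST_FROM_ADVISORY), 'body'));
console.log('safe response attributes:  ', attributeNames(handleSafe(REQUEST_FROM_ADVISORY), 'body'));
```

Run with node; the unsafe handler reports three attributes on the response body (injectedattr has become markup), the safe one reports two, and decoding the escaped targetURI gives back exactly the string the client sent, which is the property an escaping fix has to preserve.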



CoolPreviews - Firefox Extension - Chrome Privileged Code Injection

2009-08-24 Thread Roberto Suggi Liverani

CoolPreviews Chrome Privileged Code Injection

+---+
|Description|
+---+

Security-Assessment.com discovered that the CoolPreviews
stack feature is vulnerable to Cross Site Scripting
injection. The CoolPreviews stack previews link
content within a Chrome window positioned on the right
side of the browser window. A malicious page is then
able to pass arbitrary browser code, such as
JavaScript, via a link that points to a data URI which
embeds the cross site scripting payload. The injected
browser code is rendered and executed in the chrome
privileged Firefox zone.
The code is automatically executed when the user adds
the malicious link to the stack (by default, right
click and then Cool Previews – Add To Stack).


++
|Exploitation|
++

This vulnerability can be exploited in several ways.
As the injection point is in the chrome privileged
browser zone, it is possible to bypass Same Origin
Policy (SOP) protections, and also access Mozilla
built-in XPCOM components. XPCOM components can be
used to read and write from the file system, as well
as execute arbitrary commands, steal stored passwords,
or modify other Firefox extensions.


++
|Solution|
++

Security-Assessment.com follows responsible disclosure
and promptly contacted the developer after discovering
the issue. The developer was contacted on March 5,
2009, and no response was received. A fix was silently
released on April 20, 2009.

Install the latest CoolPreviews version. This is
available from the Mozilla Add-ons website
(https://addons.mozilla.org/en-US/firefox/addon/2207).


+--+
|Credit|
+--+

Discovered and advised to the CoolPreviews vendor
March 2009 by Roberto Suggi Liverani of Security-
Assessment.com. Personal Page: http://malerisch.net/

For full details regarding this vulnerability
(including a detailed proof of concept exploit)
download the PDF from our website:
http://www.security-assessment.com/files/advisories/CoolPreviews_Firefox_Extension_Security_Advisory.pdf

For more details regarding exploitation of Firefox
extensions, refer to our DEFCON 17 presentation at

http://www.security-assessment.com/files/presentations/liverani_freeman_abusing_firefox_extensions_defcon17.pdf

Security-Assessment.com is a New Zealand based world
leader in web application testing, network security
and penetration testing. Security-Assessment.com
services organisations across New Zealand, Australia,
Asia Pacific, the United States and the United
Kingdom.

Roberto Suggi Liverani




Update Scanner - Firefox Extension - Chrome Privileged Code Injection

2009-08-24 Thread Roberto Suggi Liverani

Update Scanner Chrome Privileged Code Injection

+---+
|Description|
+---+

Security-Assessment.com discovered that Update Scanner
is vulnerable to Cross Site Scripting injection. Update
Scanner renders scanned site content within a chrome
window located at
chrome://updatescan/content/diffPage.xul. A malicious
web page is then able to pass arbitrary browser code,
such as JavaScript, following a scan performed by
Update Scanner. The browser code is directly rendered
and executed in the chrome privileged Firefox zone
related to Update Scanner.
Update Scanner performs input data filtering by
stripping script tags but this is not enough to
prevent JavaScript code execution. For example, it is
possible to trigger JavaScript code execution by using
event handlers such as “onerror”.


++
|Exploitation|
++

This vulnerability can be exploited in several ways.
As the injection point is in the chrome privileged
browser zone, it is possible to bypass Same Origin
Policy (SOP) protections, and also access Mozilla
built-in XPCOM components. XPCOM components can be
used to read and write from the file system, as well
as execute arbitrary commands, steal stored passwords,
or modify other Firefox extensions.


++
|Solution|
++

Security-Assessment.com follows responsible disclosure
and promptly contacted the developer after discovering
the issue. The developer was contacted on June 8,
2009, and a response was received on June 11. A fix
was released on June 15, 2009.

Install the latest Update Scanner version. This is
available from the Mozilla Add-ons web site
(https://addons.mozilla.org/en-US/firefox/addon/3362).


+--+
|Credit|
+--+

Discovered and advised to the Update Scanner developer
June 2009 by Roberto Suggi Liverani of Security-
Assessment.com. Personal Page: http://malerisch.net/

For full details regarding this vulnerability
(including a detailed proof of concept exploit)
download the PDF from our website:
http://www.security-assessment.com/files/advisories/Update_Scanner_Firefox_Extension_Security_Advisory.pdf

For more details regarding exploitation of Firefox
extensions, refer to our DEFCON 17 presentation at
http://www.security-assessment.com/files/presentations/liverani_freeman_abusing_firefox_extensions_defcon17.pdf

Security-Assessment.com is a New Zealand based world
leader in web application testing, network security
and penetration testing. Security-Assessment.com
services organisations across New Zealand, Australia,
Asia Pacific, the United States and the United
Kingdom. 

Roberto Suggi Liverani
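Added example (not from the Update Scanner or CoolPreviews advisories, and not code from either extension), serving both of those posts: the script-tag-only filter the Update Scanner advisory describes, a detection pass that reports the active content surviving it (event handler attributes such as onerror, and data:/javascript: URLs of the kind the CoolPreviews advisory names), and the rendering choice that removes the risk, treating untrusted content as text rather than markup. The sample page content is constructed.

```javascript
// Added example (not from either advisory, not extension code): why stripping
// <script> is not a sufficient filter for content rendered in a chrome window,
// what a detection pass for the remaining active content looks like, and the
// control that removes the risk. Sample content below is constructed.

// Constructed sample of "scanned site content" an extension might render.
const SAMPLE_SCANNED_PAGE =
  '<p>Price changed since last visit</p>' +
  '<script>track()</script>' +
  '<img src="x" onerror="runsWithChromePrivileges()">' +
  '<a href="data:text/html,placeholder">open preview</a>';

// Weak filter, as the Update Scanner advisory describes it: <script> only.
function stripScriptTags(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/<\/?script\b[^>]*>/gi, '');
}

// Detection pass over serialised markup: flags script elements, on* event
// handler attributes, and javascript:/data:/vbscript: URLs in URL-bearing
// attributes. Returns [{tag, attr, reason}]. A review/alerting heuristic,
// not a sanitiser.
function findActiveContent(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][\w:-]*)\b([^>]*)>/g;
  const attrRe = /([^\s=\/"'<>]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+)))?/g;
  const urlAttrs = ['href', 'src', 'action', 'data', 'formaction'];
  let t;
  while ((t = tagRe.exec(html)) !== null) {
    const tag = t[1].toLowerCase();
    if (tag === 'script') findings.push({ tag, attr: null, reason: 'script element' });
    attrRe.lastIndex = 0;
    let a;
    while ((a = attrRe.exec(t[2])) !== null) {
      const name = a[1].toLowerCase();
      const value = (a[2] || a[3] || a[4] || '').trim().toLowerCase();
      if (name.startsWith('on')) {
        findings.push({ tag, attr: name, reason: 'event handler' });
      } else if (urlAttrs.includes(name) && /^(javascript|data|vbscript)\s*:/.test(value)) {
        findings.push({ tag, attr: name, reason: 'script-bearing URL' });
      }
    }
  }
  return findings;
}

// The control that removes the risk: untrusted content shown in a chrome
// document goes in as text, never as markup (in DOM terms: textContent,
// not innerHTML). Escaping every markup character is the string equivalent.
function escapeForText(s) {
  return s.replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
}

const afterWeakFilter = stripScriptTags(SAMPLE_SCANNED_PAGE);
console.log('survives script stripping:', findActiveContent(afterWeakFilter));
console.log('after text escaping:      ', findActiveContent(escapeForText(SAMPLE_SCANNED_PAGE)));
```

Run with node: after the script-only filter the detector still reports the onerror handler on the image and the data: link, while the escaped form reports nothing because no markup is left to execute. The detector does not handle entity-encoded or obfuscated attribute names; it is meant for review and alerting, not as a replacement for keeping untrusted content out of chrome documents.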