Discovering Hidden Treasures: Extracting Secrets from Blazor Apps!
Summary
TL;DR: In this video, the presenter discusses a vulnerability found in Microsoft's Blazor applications, specifically in the client-side (Blazor WebAssembly) hosting model, where the compiled application is delivered to the browser. They show how developers sometimes inadvertently leave sensitive information in the .NET assemblies (DLLs) that the app's JSON boot manifest tells the browser to download; because those files are served to every visitor and cached locally, anyone can fetch, inspect and decompile them. The presenter introduces a nuclei template to identify such deployments and shares their experience of scanning numerous domains, including private bug bounty programs, to uncover potential security issues. The video concludes with a call to use the template responsibly for improving security rather than for malicious purposes.
Takeaways
- 🔍 The video discusses a vulnerability found in Blazor applications, Microsoft's framework for building web UIs in C# that can run in the browser on WebAssembly (Wasm).
- 🛠️ Blazor apps have two hosting models: Blazor Server, where the application code runs on the server and the browser only receives UI updates, and Blazor WebAssembly, where the compiled assemblies run in the browser and are therefore fully visible to the user. The client-side model is the focus of the vulnerability.
- 📁 A Blazor WebAssembly app starts from a JSON boot manifest (`blazor.boot.json`) that lists the .NET assemblies (DLLs) the browser must download; the browser fetches them over HTTP and caches them locally.
- 🕵️‍♂️ The presenter discovered that developers sometimes inadvertently compile sensitive information into these DLLs, which anyone can download and examine.
- 💡 The video explains how to identify and extract sensitive information from the DLLs, which in the presenter's pentest led to the compromise of other services.
- 🛑 The presenter warns that the bug bounty domains have already been scanned for this issue, so new findings there are not expected for a while.
- 📝 The presenter wrote a nuclei template that finds the boot manifests and pulls out the DLL names, separating framework DLLs from custom ones.
- 🌐 Run against a list of 10 million live domains, the template found around 700 client-side Blazor deployments, none of them with an active bug bounty program.
- 🚨 The video emphasizes the importance of using the nuclei template and similar tools for ethical security work to improve the security landscape.
- 🤝 The presenter and their team are contacting the affected domain owners one by one to inform them of the issue, promoting responsible disclosure and collaboration.
- 📈 The video serves as a reminder that client-side code is public code: anything compiled into a Blazor WebAssembly app should be treated as visible to every user.
Q & A
What is the main focus of the video?
-The video discusses a vulnerability the presenter discovered in Blazor applications, explains why and how it works, and shows how to use a nuclei template to identify similar deployments.
What is Blazor and what does it do?
-Blazor is a Microsoft framework for building web UIs in C#. In its WebAssembly hosting model the .NET runtime is shipped to the browser as a wasm file together with the application's compiled .NET assemblies, and the application code is executed in the browser on the fly.
How are Blazor applications typically built and what are the security implications?
-Blazor has two hosting models. In Blazor Server the application code runs on the server and the browser only receives UI updates, so the client never sees the application's internals; this is the more secure option. In Blazor WebAssembly the compiled application is delivered directly to the browser and is therefore fully readable by anyone who loads the page.
What is the role of the JSON bootloader in Blazor applications?
-A Blazor WebAssembly app starts from a JSON boot manifest (`blazor.boot.json`, loaded by the `blazor.webassembly.js` bootstrap script) that lists the runtime files and the .NET assemblies (DLLs) the browser must download before it can run the application.
Why are the DLLs in Blazor applications a potential security risk?
-They are ordinary HTTP resources that the browser downloads and caches locally, so anyone can fetch them, run `strings` or a .NET decompiler over them, and read whatever the developers compiled in, including database configuration and passwords left in the code by mistake. Compiling C# to IL and running it on wasm is not obfuscation. (Since .NET 8 the assemblies ship as `.wasm` Webcil files by default; the contents are the same IL.)
What did the video creator do after discovering the vulnerability?
-The creator wrote a nuclei template to automate finding Blazor WebAssembly deployments: it locates the boot manifest and lists the DLLs it references, so that custom assemblies can be told apart from framework ones and inspected for sensitive information.
What did the video creator and their team do with the nuclei template?
-They used the nuclei template to scan every bug bounty domain they could get hold of, including private bug bounty programs, to identify any active vulnerabilities.
What was the outcome of the scan using the nuclei template on bug bounty domains?
-Anything present in bug bounty programs has already been found and handled by the presenter's team, so newcomers are unlikely to find new instances there until someone deploys the next vulnerable application.
How did the video creator further test the nuclei template?
-They used the nuclei template to scan a list of about 10 million live domains, built by probing the 15 million most popular domains on the internet and keeping the ones that responded.
What was the result of scanning the 10 million live domains?
-They identified about 700 client-side Blazor deployments, none of which had an active bug bounty program; the team is contacting the owners one by one.
What is the ethical stance of the video creator regarding the use of the nuclei template?
-The video creator encourages the use of the nuclei template for ethical security work to improve the security of applications, not for malicious purposes.
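The detection and triage step that the presenter's nuclei template performs (find the boot manifest, list its assemblies, separate framework from custom) can also be done in a few lines of Python. The block below is an added example written for this page; it is not the presenter's template or code from any Blazor project. It assumes the manifest layout emitted by .NET 6/7 Blazor WebAssembly (a `resources.assembly` map of file name to integrity hash plus an `entryAssembly` field), uses a constructed index page and manifest with made-up names and hashes, and only the `triage_site` helper touches the network.

```python
import json
import re
import sys
import urllib.request
from urllib.parse import urljoin

# Blazor WebAssembly pages load the runtime through this bootstrap script;
# its presence is the cheapest fingerprint for the client-side hosting model.
BOOTSTRAP_SCRIPT = re.compile(
    r"""<script[^>]+src=["'](?P<src>[^"']*_framework/blazor\.webassembly\.js)""", re.I
)

# Assemblies that ship with the .NET runtime or Blazor itself. Everything else
# in the manifest was compiled by the site's developers (or is a NuGet package)
# and is the part worth downloading and inspecting. Heuristic, not exhaustive.
FRAMEWORK_PREFIXES = ("System.", "Microsoft.", "mscorlib", "netstandard", "WindowsBase")

# Constructed sample index page and boot manifest (names and hashes are made up).
SAMPLE_HTML = """<!DOCTYPE html><html><body>
<div id="app">Loading...</div>
<script src="_framework/blazor.webassembly.js"></script>
</body></html>"""

SAMPLE_BOOT_JSON = json.dumps({
    "entryAssembly": "Contoso.Portal.Client",
    "cacheBootResources": True,
    "resources": {
        "assembly": {
            "Contoso.Portal.Client.dll": "sha256-AAAA",
            "Contoso.Portal.Shared.dll": "sha256-BBBB",
            "Newtonsoft.Json.dll": "sha256-CCCC",
            "System.Private.CoreLib.dll": "sha256-DDDD",
            "Microsoft.AspNetCore.Components.dll": "sha256-EEEE",
            "netstandard.dll": "sha256-FFFF",
        },
        "runtime": {"dotnet.wasm": "sha256-GGGG"},
    },
})


def looks_like_blazor_wasm(html):
    """True if the page references the Blazor WebAssembly bootstrap script."""
    return BOOTSTRAP_SCRIPT.search(html) is not None


def manifest_url(page_url, html):
    """URL of blazor.boot.json, which lives beside the bootstrap script."""
    m = BOOTSTRAP_SCRIPT.search(html)
    if m is None:
        return None
    script_url = urljoin(page_url, m.group("src"))
    return urljoin(script_url, "blazor.boot.json")


def is_framework_assembly(name):
    return name.startswith(FRAMEWORK_PREFIXES)


def triage_manifest(boot_json_text, boot_json_url):
    """Split the manifest's assemblies into framework and custom download URLs."""
    manifest = json.loads(boot_json_text)
    assemblies = manifest.get("resources", {}).get("assembly", {})
    entry = manifest.get("entryAssembly", "")
    framework, custom = [], []
    for name in sorted(assemblies):
        url = urljoin(boot_json_url, name)
        # The entry assembly is the app's own code whatever its prefix looks like.
        if entry and name.startswith(entry + "."):
            custom.append(url)
        elif is_framework_assembly(name):
            framework.append(url)
        else:
            custom.append(url)
    return {"entry": entry, "framework": framework, "custom": custom}


def triage_site(page_url):
    """Network path: fetch the page, locate the manifest, triage it (None if not Blazor WASM)."""
    html = urllib.request.urlopen(page_url, timeout=10).read().decode("utf-8", "replace")
    url = manifest_url(page_url, html)
    if url is None:
        return None
    text = urllib.request.urlopen(url, timeout=10).read().decode("utf-8", "replace")
    return triage_manifest(text, url)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = triage_site(sys.argv[1])
    else:
        result = triage_manifest(SAMPLE_BOOT_JSON, manifest_url("https://example.com/", SAMPLE_HTML))
    if result is None:
        print("no Blazor WebAssembly bootstrap found")
    else:
        print("entry assembly:", result["entry"])
        print("framework assemblies:", len(result["framework"]))
        for u in result["custom"]:
            print("custom:", u)
```

Run it with no arguments to see the triage of the constructed manifest, or with a URL to triage a site you are authorised to test. Since .NET 8 the same manifest entries end in `.wasm` (Webcil) rather than `.dll`; the prefix heuristic still applies to the names, and the custom files are still the ones to pull down.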
Outlines
🛠 Exploiting Blazor Application Vulnerabilities
The video discusses a vulnerability found in Blazor applications, Microsoft's framework for building web UIs in C# that can be compiled to run on WebAssembly in the browser. The speaker explains the two hosting models: Blazor Server, which is more secure because the application code stays on the server, and Blazor WebAssembly (client-side), which is the focus of the vulnerability. In the client-side model the app starts from a JSON boot manifest that lists the .NET assemblies (DLLs) the browser must download and cache locally. The speaker discovered that developers sometimes inadvertently compile sensitive information into these DLLs, which anyone can download and examine. To speed this up, the speaker wrote a nuclei template that finds the manifests and separates custom DLLs from the framework ones. The speaker and colleagues have already used this template against every bug bounty program they could reach, finding nothing left to report, and then against 10 million live domains, finding about 700 client-side Blazor deployments whose owners are now being contacted one by one. The video closes by asking that the template be used for ethical security work only.
Keywords
💡Blazor
💡Vulnerability
💡WebAssembly (Wasm)
💡Dynamic Link Libraries (DLLs)
💡Local Storage
💡Pentest
💡Nuclei Template
💡Bug Bounty
💡Security
💡Compromise
💡Ethical Hacking
Highlights
A vulnerability in Blazor applications was discovered.
Blazor is a Microsoft framework that compiles C# code for client-side execution on WebAssembly.
There are two hosting models for Blazor apps; the server-side one is more secure.
Client-side Blazor apps can have security issues because the compiled application is delivered directly to the browser.
A Blazor app's bootloader is a JSON file listing the runtime files and the DLLs to download.
The DLLs (dynamic link libraries) are downloaded through the browser and cached locally.
Developers sometimes inadvertently include sensitive information in these DLLs.
The vulnerability allows extraction of sensitive information from the DLLs.
A nuclei template was created to automate finding the boot manifests and listing their DLLs.
The nuclei template tells framework DLLs apart from custom ones.
The speaker and colleagues have already scanned bug bounty domains with the nuclei template.
No active bug bounty programs were found with the vulnerability using the nuclei template.
A list of 10 million live domains was built and scanned for the Blazor client-side configuration.
Only about 700 Blazor client-side configurations were found, none with an active bug bounty program.
The speaker encourages the use of the nuclei template for ethical security work.
The goal is to make the world a more secure place through responsible use of the nuclei template.
Transcripts
In today's video we are going to be looking at a vulnerability that I discovered in Blazor applications. Not only are we going to be looking at it, I'm going to show you why it works, how it works, and how to use the nuclei template that I released for this issue.

A few months ago I was working on a pentest for a client, and one of the applications they had was built on Blazor. Blazor is a framework written by Microsoft that basically takes all of your code and compiles it down into a wasm, or WebAssembly, file that is then delivered to the client, and the application compiles on the fly and runs. There are two ways that Blazor apps are built. The first one, the more secure, is run on the server end, and basically the client doesn't see all the data; it all gets run on the server. It takes up a lot more resources for that application, but it is a lot more secure; I haven't found any issues with that yet. The one I'm talking about is the client side, where the wasm is delivered directly through the browser, and then the browser runs all the software that it needs and then decompiles it, and then basically you have your application.

The Blazor app is a bootloader in the form of a JSON file, and it's, uh, blazor.bootstrap.js. Inside that JSON file is a bunch of instructions, some of which are the DLLs, or dynamic link libraries, that it also has to download. Now, if you have watched my video about deleting your temporary cache if you're doing PS, you'll actually see this in action, but these DLLs are also downloaded through the browser to the client and kept in the local storage. You can actually look into those DLLs and you will find bunches of information. One of the things that I've noticed is that sometimes developers don't understand that you can extract these files directly out and start to look into them, and some of these developers put all of these nice juicy secrets in. So there's lots of, you know, database configurations, there's passwords, all sorts of things that they think you won't be able to see because it's compiled down into wasm. I basically started digging around in these DLLs, found these config issues, and that allowed me to extract out really sensitive information and allowed me to go on and compromise some other services. Now, 99% of the time you will find these files and they will be benign; they will just be framework files. But do look around and see if you can find these interesting custom files that the developers are making.

So, in order to make this more interesting and quick, I quickly wrote a nuclei template to do this for me, right, and it basically looks for these JSON files and pulls out the DLLs so I can tell if they're framework ones or custom ones. You're probably thinking you can go away and use this nuclei template to make loads of money on bug bounties. Well, sorry, but we've already done that. My friends death pirate, zish and mate, and myself, we spent a lot of time scanning through every single bug bounty domain that we could get our hands on, including some private bug bounty ones, just to check, using this nuclei template, if there's any vulnerabilities out there. And, sorry to say, you're probably not going to find any in any bug bounty programs for a while, at least until someone else makes the next application, so don't waste your time too much.

I decided, though, that we need to look at this from a different way to make sure that we've covered everything. So around Christmas time last year senta released a huge list of live domains, and how we built that domain list was we took the 15 million most popular domains on the internet and we scanned them all, and basically we found all the live ones, and that live list was about 10 million domains. So I took that 10 million domain list and I used my nuclei template to search through there. So out of the 10 million domains out there, there was probably about 700, I think, we found of Blazor in the client-side configuration. We discovered that none of those domains had an active bug bounty program. Unfortunately, there's no way to mass-tell loads of people there are issues with these things, so we are working through them slowly, one by one, contacting them and saying, look, here's an issue. It's a work in progress.

If you are going to go and use this nuclei template that I've released, please do use it for decent, honest security work. We want to make the world a better place, a more secure place. Don't use it for malicious reasons, you know; it's not why we build these tools. It's to make things better.
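Once a custom DLL has been downloaded, the quickest look for the "juicy secrets" the speaker describes is a strings pass, but a byte-wise `strings` misses most of them: C# string literals are stored in the assembly's #US metadata heap as UTF-16LE, so `Password=` appears on disk as `P.a.s.s.w.o.r.d.=.`. The scanner below is an added Python example written for this page, not part of the video or of its nuclei template. It extracts both ASCII and UTF-16LE runs and flags a few secret-shaped patterns. The `sample_assembly_bytes` blob is constructed for the example and is not a real PE file; it only mimics how the metadata heaps store names and literals. The patterns are illustrative, not exhaustive.

```python
import re
import sys

# Minimum run length, as in the classic `strings` tool.
MIN_LEN = 8

# Deliberately narrow patterns so the 99% of framework assemblies stay quiet.
SECRET_PATTERNS = {
    "connection string password": re.compile(r"(?i)(?:password|pwd)\s*=\s*[^;\s\"']+"),
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "api key assignment": re.compile(r"(?i)api[_-]?key\s*[=:]\s*[A-Za-z0-9_\-]{16,}"),
}


def ascii_strings(data, min_len=MIN_LEN):
    """Printable-ASCII runs; this is what `strings` without -e l shows you."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def utf16le_strings(data, min_len=MIN_LEN):
    """Printable runs of UTF-16LE code units, i.e. how the #US heap stores C# literals.

    Each unit is an ASCII byte followed by a zero high byte. finditer tries
    every byte offset, so alignment does not matter.
    """
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def find_secrets(data):
    """Return (label, match) pairs for every secret-shaped string in the blob."""
    hits = []
    for s in ascii_strings(data) + utf16le_strings(data):
        for label, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(s):
                hits.append((label, m.group()))
    return hits


def sample_assembly_bytes():
    """Constructed stand-in for a custom assembly (NOT a valid PE file).

    Type and member names live in the #Strings heap as UTF-8; user string
    literals live in the #US heap as UTF-16LE. The secrets are made up.
    """
    parts = [
        b"MZ\x90\x00" + b"\x00" * 12,
        b"BSJB" + b"\x00" * 4,  # CLI metadata signature
        b"#Strings\x00AppSettings\x00GetConnection\x00Contoso.Portal.Client\x00",
        b"#US\x00",
        "Server=sql.internal;Database=portal;User Id=app;Password=S3cr3t!pw;".encode("utf-16-le"),
        b"\x00\x00",
        "https://api.contoso.example/v1".encode("utf-16-le"),
        b"\x00\x00",
        "ApiKey=0123456789abcdef0123".encode("utf-16-le"),
    ]
    return b"".join(parts)


def scan_file(path):
    with open(path, "rb") as f:
        return find_secrets(f.read())


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_assembly_bytes()
    for label, match in find_secrets(data):
        print(f"[{label}] {match}")
```

Point it at a downloaded custom DLL to triage it before opening the file in a .NET decompiler such as ILSpy or dnSpy for the full picture. On the constructed sample, the ASCII pass finds only type and member names while the UTF-16LE pass surfaces the connection-string password and the API key; that gap is exactly why `strings` alone gives a false sense of safety here.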