Rapid7 Blog

Google  

Metasploit, Google Summer of Code, and You!

Spend the summer with Metasploit I'm proud to announce that the Metasploit Project has been accepted as a mentor organization in the Google Summer of Code! For those unfamiliar with the program, their about page sums it up nicely: Google Summer of Code is a…

Mobile App & API Security - Application Security's "Where Waldo"

[A version of this blog was originally posted on February, 1 2013] As I have discussed in previous posts and at conferences, like OWASP AppSecUSA, while the number of attacks continue to increase, the attack techniques aren't new at all. They are actually the same…

Disclosure: Android Chrome Address Bar Spoofing (R7-2015-07)

Android Chrome Address Bar Spoofing (R7-2015-07)SummaryDue to a problem in handling 204 "No Content" responses combined with a window.open event, an attacker can cause the stock Chrome browser on Android to render HTML pages in a misleading context. This effect was confirmed on…

R7-2015-02: Google Play Store X-Frame-Options (XFO) Gaps Enable Android Remote Code Execution (RCE)

Vulnerability Summary Due to a lack of complete coverage for X-Frame-Options (XFO) support on Google's Play Store web application domain, a malicious user can leverage either a Cross-Site Scripting (XSS) vulnerability in a particular area of the Google Play Store web application, or a Universal…

Securing the Shadow IT: How to Enable Secure Cloud Services for Your Business

You may fear that cloud services jeopardize your organization's security. Yet, your business relies on cloud services to increase its productivity. Introducing a policy to forbid these cloud services may not be a viable option. The better option is to get visibility into your shadow…

Metasploit Weekly Wrapup: Another Android Universal XSS

Click and Get Owned on Android... AgainThis week, we landed another Metasploit exploit for another Android WebView vulnerability; this time, it's a problem that occurs when replacing the "data" attribute of a given HTML object with a JavaScript URL scheme. Like the last Android security…

Android browser privacy bug explained [VIDEO]: Whiteboard Wednesday

todb's post earlier this week about the flaw in Android's Open Source Platform browser has been getting a lot of attention this week, and for good reason: By the numbers, Android 4.2 and earlier builds have the vulnerable browser in question, and about 75%…

Weekly Update: Apache Struts Exploit, Android Meterpreter, and New Payloads

Apache Struts ExploitThis week's update includes an exploit for a pretty recent vulnerability in Apache Struts, thanks to community contributor Richard @Console Hicks. The struts_include_param module exercises the vulnerability described at OSVDB 93645, disclosed on May 23, 2013, a bare two weeks ago,…

Featured Research

National Exposure Index 2017

The National Exposure Index is an exploration of data derived from Project Sonar, Rapid7's security research project that gains insights into global exposure to common vulnerabilities through internet-wide surveys.

Learn More

Toolkit

Make Your SIEM Project a Success with Rapid7

In this toolkit, get access to Gartner's report “Overcoming Common Causes for SIEM Solution Deployment Failures,” which details why organizations are struggling to unify their data and find answers from it. Also get the Rapid7 companion guide with helpful recommendations on approaching your SIEM needs.

Download Now

Featured Research

Quarterly Threat Report

Rapid7’s Quarterly Threat Report leverages intelligence from our extensive network—including the Insight platform, managed detection and response engagements, Project Sonar, Heisenberg Cloud, and the Metasploit community—to put today’s shifting threat landscape into perspective. It gives you a clear picture of the threats that you face within your unique industry, and how those threats change throughout the year.

Learn More