Never Ending Security

It starts all here

Tag Archives: Mozilla

Ra.2 – A DOM-based XSS scanner for Mozilla Firefox


Ra.2: A DOM-based XSS scanner, for the rest of us!

Ra.2 – Blackbox DOM-based XSS Scanner is our approach towards finding a solution to the problem of detecting DOM-based Cross-Site Scripting vulnerabilities in Web-Application automatically, effectively and fast. Ra.2 is basically a lighweight Mozilla Firefox Add-on that uses a very simple yet effective and unique approach to detect most DOM-based XSS vulnerabilities, if not all. Being a browser-add on it is a session-aware tool which can scan a web-application that requires authentication. Ra.2 uses custom collected list of XSS vectors which has been heavily modified to be compatible with its scanning technology. The add-on also implements basic browser intrumentation to simulate a human interaction to trigger some hard to detect DOM-based XSS conditions.


False positive free by design: Vulnerable URLs are saved in DB, if and only if, our payload is executed successfully by the browser. Hence marked exploitable. If isn’t false-positive, it’s a bug! Report us :-)

Large collection of injection vectors, includes “modified” R’Snake’s vectors as well.

Supports transforming Unicode characters for testing content aware application.

Automatically handles JavaScript obfuscation/compression, as it relies on native interpreter.

Fast and light-weight.

Pretty easy learning curve. Point-n-Click.

Basic browser automation support: Simulates some of the browser events that require human interaction to trigger the XSS condition. Example:

<a href="javascript:alert(/XSS/)>Click here</a>
<input type="button" value="Continue" onclick="javascript:alert(/XSS/) />

and similar scenarios.Centralized reporting: Suitable for enterprise standard multi-user environment.

Ra.2 Architecture

Goodness of Automation + Goodness Blackbox Fuzzing = Win!

Ra.2 Internals

More information can be found on:

Mozilla’s take on duo_openvpn


Our own take at duo_openvpn support. Not very happy with the provided duo_openvpn support, we rewrote it to use duo_client_python which is much nicer.

Git submodules

In order to checkout all the modules necessary for this to build, run

git clone --recursive
# Or, if already checked out:
git submodule update --init --recursive


  • Simple. Sort of. The LDAP features are a little more complex – if you don’t use that, it’s fairly simple.
  • Auth caching per login+ip address.
  • Fail open (optional).
  • OTP and Push (use push as password for push, passcode:123456 as password for OTP, where 123456 is your OTP).
  • CEF support.
  • MozDef support.
  • Optional username hack, in case you use emails as certificate CN but only the first part of the email as login.
  • Supports logging with LDAP with or instead-of Duo.
  • Deferred call.


C plugin

Call it from openvpn configuration with:

plugin /usr/lib/openvpn/plugins/ /usr/lib/openvpn/plugins/

This allow making a deferred call for authentication while using a script instead of blocking OpenVPN. This is needed as otherwise Duo will block OpenVPN while waiting for a push reply or OTP input.

Python script

Look at and rename/copy it to duo_openvpn.conf (or /etc/duo_openvpn.conf). Here are some examples & help:

TRY_LDAP_ONLY_AUTH_FIRST=False: Try to auth LDAP first, if succeeds, bypass DuoSec.

:LDAP_URL=”ldap://”: Needed for any LDAP operation, else leave empty. :LDAP_BIND_DN=’mail=%s,o=com,dc=mozilla’: The bind dn for the user auth. %s is replaced by the username. :LDAP_BASE_DN=’dc=mozilla’: The base dn to find the user to auth in.

LDAP control values are mainly used to filter on a group that has DuoSecurity enabled. If you’re in that group, you get DuoSec, else, you get LDAP auth. Basically, we’re looking up the user’s uid from his email (as we’re passed an email as common_name). If the uid == the email, that’s fine too. Then, we lookup for an attribute in LDAP, and we check that the attribute’s value’s value (yeah..) == the uid. Looks like this: User:,o=com,dc=mozilla => uid = hi Attributes: {‘posix_sysadmins’: {‘memberUid’: “user1”, “hi”, “user2, … }}

Bind to that user for attribute checks.
LDAP_CONTROL_PASSWORD=””: The password for the above user.
LDAP_CONTROL_BASE_DN=”ou=groups,dc=mozilla”: The base DN for the above attribute search.
LDAP_DUOSEC_ATTR_VALUE=”cn=posix_sysadmins”: Will look for that attribute, when checking for DuoSecurity users.
LDAP_DUOSEC_ATTR=”memberUid”: Will look for that value in the attribute.

Misc scripts

The /scripts directory contains additional goodies.


If you use reneg-sec 0 as setting so that OpenVPN does not renegociate (or renegociates very rarely should you use another setting than 0 but that is still very high), you might still want to automatically disconnect users that you have disabled in LDAP.

Run this in a crontab periodically, it’ll pool for the users and kill em.

Recommended openvpn server settings:

management /var/run/openvpn-udp-stage.socket unix
management-client-group vpnmgmt


  • use mozlibldap for the duo script

More information can be found on:

Pragmatic-SSL-TLS – Slides from talk: SSL-TLS Infrastructure at Mozilla

Slides from my talk “SSL-TLS Infrastructure at Mozilla”

Grab them from:

libnfldap – A Python module to generate IPTables and IPSet rules from LDAP records


A Python module to generate IPTables and IPSet rules from LDAP records. See for a demo.


Use PyPi:

$ sudo pip install libnfldap

Or build a RPM using:

$ python bdist_rpm

The later will require python-ldap to be installed separately, either using yum install python-ldap or pip install ldap. It’s up to you, the RPM will not attempt to install the ldap dependency.


The script at will build iptables and ipset rules for all users in LDAP. You can provide the script an ldap filter as argv[1] to limit the scope.

$ time python '(uid=jvehent)'
IPTables rules written in /tmp/tmpT7JgOW
IPSet rules written in /tmp/tmpJYtWM5

real    0m0.605s
user    0m0.061s
sys     0m0.014s does something similar but for a single user identified by its uidNumber (unix user ID).

$ python 2297
#Generating rules for user ID 1664
#====== ACL details ======
jvehent has access to .....


Julien Vehent & Guillaume Destuynder (@ mozilla)

More information can be found on:

MIG – Mozilla InvestiGator

System security at the speed of the cloud

MIG: Mozilla InvestiGator

Note: MIG is under heavy development. The code is stable and used in production, but changes may be backward incompatible. Be warned.

Build Status

MIG is OpSec’s platform for investigative surgery of remote endpoints.

MIG is composed of agents installed on all systems of an infrastructure. The agents can be queried in real-time using a messenging protocol implemented in the MIG Scheduler. MIG has an API, a database, RabbitMQ relays and a console client. It allows investigators to send actions to pools of agents, and check for indicator of compromision, verify the state of a configuration, block an account, create a firewall rule, update a blacklist and so on.

MIG logo

For example: an investigator launches an action to search for an apache module that matches a given md5 value. MIG will register the action, find all the relevant targets and send commands to each target agent with the detail of the action. Each agent then individually runs the action using built-in modules, and sends the results back to the MIG platform.

Agents are designed to be lightweight, secure, and easy to deploy. All parameters are built into the agent at compile time, include the list of investigator’s public keys. The agent binary is statically compiled for a target platform and can be shipped without any external dependency. Deploying an agent is as easy as wget -O /sbin/mig-agent https://fileserver/mig-agent && /sbin/mig-agent

MIG is designed to be fast, and asynchronous. It uses AMQP to distribute actions to endpoints, and relies on Go channels to prevent components from blocking. Running actions and commands are stored on disk cache, and don’t rely on running processes for reliability.

Speed is a strong requirement. Most actions will only take a few hundreds milliseconds to run. Larger ones, for example when looking for a hash in a large directory, should run in less than a minute or two.

Privacy and security are paramount. Agents never send raw data back to the platform, but only reply to questions instead. All actions are signed by GPG keys that are not stored in the platform, thus preventing a compromision from taking over the entire infrastructure.


Join #mig on

Video presentation

Check out this 10 minutes video for a more general presentation and a demo of the console interface.

MIG youtube video


  • Query a pool of endpoints to verify the presence of a specific indicators (similar to IOC, but we use a different format)
  • Provide response mechanisms to lock down compromised endpoints
  • Periodically verify endpoint’s compliance with the security requirements


  • Provide strong authentication of investigators
    • Actions must have a valid GPG signature, each investigator has a different key, for tracking.
  • Provide a way to inspect remote systems for indicators of compromise (IOC). At the moment, this is limited to :
    • file by name
    • file content by regex
    • file hashes: md5, sha1, sha256, sha384, sha512, sha3_224,sha3_256, sha3_384, sha3_512
    • connected IPs
  • Protect data security, investigate without intruding:
    • Raw data must not be readily available to investigators

In the work:

  • More agent modules
    • low level devices (memory, file system blocks, network cards)
    • firewall rules (read & write)
    • network sniffer
    • accounts creation & destruction
    • lots more …
  • Provide response mechanisms, including:
    • dynamic firewall rules additions & removal
    • system password changes
    • process execution (execve) & destruction (kill)
  • Input/Output IOCs, Yara, … through the API
  • Output results in standard format for alerting
  • Investigation console

MIG Console demo


All documentation is available in the ‘doc’ directory.

Bug & Issue tracker

We use Bugzilla to track the work on MIG.

Some modules for MIG:

More Information can be found on: