Security/Meetings/Automation/2013-11-12

From MozillaWiki
Jump to: navigation, search

Agenda

  • pnh demo
  • personal updates
  • add your items to the agenda

PnH Demo

Mark demoes the content injection he added to Plug'n'Hack and Zap including capabilities to intercept, change and re-send postMessages in the browser

Status Updates

  • Frederik
    • lazy automation week, mostly done websec reviews
  • Jeff
    • fought through instantiating a test environment (python 2.6..RHEL4, no make,yuck)
    • basic elastic search interface in meteor grabbing bunker status
    • Next step; injesting actual logs from syslog1 to test elastic search
  • Tinfoil
    • internet stormcenter like website for mozilla/opsec
  • Psiinon
    • preparations for appsec usa
    • talk
    • ZAP hackathon
  • mgoodwin
    • I've been working on the clients functionality for Plug-n-hack. Progress this week:
      • The 'probe' (content injection) client can now intercept, modify and resend postMessage for on and off origin iframes.punkt
      • This works on Chrome and Firefox. Should (in theory) work in recent webkits (so probably web views on android / iOS too).
      • Started work on the addEventListener proxies for intercept / resend events.
      • I've got an (experimental) ringleader with the postMessage hook built in. No off-origin hackery required but since this is fx only it's not useful for all zap users.
  • ulfr
    • MongoDB storage in MIG. Action completion ratio (% of commands that finished, handle termination, etc..). https://github.com/mozilla/mig/commits/master
    • IOC format discussion in MIG: tight json integration vs accepting any type of IOC format in modules without understanding them. Will be discussed in Q1 2014.
  • stefan