Our Research.

Minded Security Research Lab

Minded Security's goal is to deliver high-quality Software Security Consulting services. We pursue this target by continuously improving our knowledge and conducting AppSec research.

Minded Security combines the latest security research with our internationally recognized testing techniques to meet your business goals and strengthen the security of your products and services.

For many years we have contributed to OWASP (The Open Web Application Security Project) in several leadership roles: from the foundation of the OWASP Italy Chapter to the leadership of the OWASP Testing Guide, OWASP Cloud Security and the OWASP 5D Framework. Our experience, our approach and our passion let us work closely with the client to suggest the solutions that best fit their needs.

The creation of Minded Security Research Lab resulted in some of the most important advancements in software security including the development of the first tool for Flash Security Testing (SWFintruder), and the first tool for Client Side Testing using Dynamic Tainting Analysis (DOMinatorPro).

The main goals of the Minded Security Research Lab are:

  • Supporting customers in developing more secure products and services;
  • Raising the level of security culture in your company so that all software security domains are managed;
  • Releasing ad-hoc security testing tools to identify high-risk vulnerabilities.

Over the last 13 years we have developed many technologies in JavaScript security, web injection detection and the mitigation of APT banking malware attacks. The following are the main research projects from that experience.

2009: DOMinator

In 2009 DOMinator was released as open source for the community; in 2011 DOMinator Pro became the first tool able to perform dynamic taint analysis of the data flow in the browser DOM.

The DOMXSS Wiki (https://code.google.com/archive/p/domxsswiki/wikis/Introduction.wiki) was created with the aim of building a shared knowledge base that defines the sources of attacker-controlled input and the sinks that can introduce DOM-based XSS issues.

2011: DOMinator Pro

It performs real-time dynamic data tainting, an innovative approach to identifying DOM-based Cross-Site Scripting vulnerabilities that can surface client-side issues in a very short time while simply navigating the application.

https://blog.mindedsecurity.com/2011/05/dominator-project.html

We created the DOMXSS domain (www.domxss.com) to help understand client-side security and to learn how to use BlueClosure to identify this new class of vulnerabilities.

2014: AMT Banking Malware Detector

The AMT solution detects man-in-the-browser attacks in real time. The AMT engine does not look for signatures or known attacks; it analyzes the behavior of the HTML page in the user's browser and can therefore detect new kinds of attacks or new malware variants running on customer machines.

2015: RATDET Remote Access Trojan Detection technology

Using the RAT features of banking malware, fraudsters can impersonate banking customers by attacking the online banking site from the customer's own trusted host/PC. This kind of subtle remote control allows fraudsters to bypass the security controls already in place: firewall policies, strong authentication with browser certificates, IP restrictions, geolocation controls, and browser and OS fingerprinting can all be bypassed by the Dyre Remote Control Module.

Minded Security developed the RATDET technology, which is able to detect RATs such as DarkComet and ProRat, as well as the VNC and RDP add-ons in banking malware such as Zeus and Citadel. RATDET detects a fraudster's use of a RAT in a banking malware attack in real time, and the risk score it supplies to AMT helps fraud managers catch real fraud attempts instead of wading through thousands of false-positive alerts on genuine sessions.

2018: Shhlack

Shhlack is an extension for Slack that brings end-to-end encrypted messages to Slack workspaces. Shhlack is an open-source tool available on GitHub:
https://github.com/mindedsecurity/shhlack

2019: JStillery

Advanced JavaScript Deobfuscation via Partial Evaluation
https://blog.mindedsecurity.com/2015/10/advanced-js-deobfuscation-via-ast-and.html

2020: Behave! A monitoring browser extension for pages acting as “bad boi”

A Minded Security project that monitors a web page and warns if it performs any of the following actions:

  • Browser-based port scan
  • Access to private IPs
  • DNS rebinding attacks to private IPs

GitHub:
https://github.com/mindedsecurity/behave

Firefox extension:
https://addons.mozilla.org/en-US/firefox/addon/behave/

Chrome extension:
https://chrome.google.com/webstore/detail/behave/mppjbkhgconmemoeagfbgilblohhcica
