[{"data":1,"prerenderedAt":4227},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/can-my-admins-steal-my-cloud-password-manager-secrets":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks 
Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack 
Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your 
Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,
"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the 
endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations
":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM 
Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19Dks
Vat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&
builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new 
permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. 
And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. 
It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. 
Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2Cc
reateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token 
detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP 
can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. 
That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. 
Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepo
sitory%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility, detection, and 
guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&buil
der.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix 
protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they 
saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. 
EDR only sees the payload once it is already executing on the endpoint, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push analyzes page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user’s action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and the copied command never reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.u
ser.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser-based incident 
response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with structured, exportable browser telemetry",{"item":951},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"lar
ge":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and 
control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"w
idth":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI 
native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. 
Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. 
Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. 
This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124
},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1296,"synopsis":1297,"hashTags":118,"publishedDate":1298,"slug":1299,"ogImage":1300,"tagsCollection":1302,"relatedBlogPostsCollection":1312,"authorsCollection":3646,"content":3650,"_id":4222,"_type":4223,"_source":4224,"_file":4225,"_stem":4226,"_extension":4223},"/blog/can-my-admins-steal-my-cloud-password-manager-secrets","blog",{"id":1280,"publishedAt":1281},"67rmNM2GcROwaonN9vzAW8","2024-03-21T11:48:25.035Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1286],
{"data":1287,"content":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"We all know admin accounts are powerful and need to be protected - a compromised admin account can do a lot of damage, after all. But can a compromised admin account steal the secrets from your corporate password manager? If so, how does this affect your ability to respond to a hijacked account or malicious insider? Let's dive in.","text","paragraph","document","Can my admins steal my cloud password manager secrets?","Can admins access the secrets from your corporate password manager? If so, how does this affect incident response in a compromised admin account scenario?","2024-03-11T00:00:00.000Z","can-my-admins-steal-my-cloud-password-manager-secrets",{"url":1301},"https://images.ctfassets.net/y1cdw1ablpvd/3PtOPCztNCvolfamtRFInx/954afbab640ca1b6caeed9dc77e6c76c/Heading.jpg",{"items":1303},[1304,1308],{"sys":1305,"name":1307},{"id":1306},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"sys":1309,"name":1311},{"id":1310},"3pjES4THCIfSAwhGdNwBcy","Identity security",{"items":1313},[1314,1965,3177],{"__typename":1315,"sys":1316,"content":1318,"title":1945,"synopsis":1946,"hashTags":118,"publishedDate":1947,"slug":1948,"tagsCollection":1949,"authorsCollection":1957},"BlogPosts",{"id":1317},"6ckZjBZzRgvEVpSScGWeZQ",{"json":1319},{"data":1320,"content":1321,"nodeType":1295},{},[1322,1344,1351,1359,1378,1385,1403,1410,1417,1450,1457,1464,1471,1478,1514,1523,1529,1548,1555,1562,1569,1602,1609,1616,1623,1640,1646,1652,1658,1665,1687,1694,1701,1708,1715,1778,1785,1828,1835,1841,1848,1864,1870,1877,1884,1917,1924,1931,1938],{"data":1323,"content":1324,"nodeType":1294},{},[1325,1329,1340],{"data":1326,"marks":1327,"value":1328,"nodeType":1293},{},[],"We have spoken previously about 
",{"data":1330,"content":1332,"nodeType":1339},{"uri":1331},"https://pushsecurity.com/blog/samljacking-a-poisoned-tenant/",[1333],{"data":1334,"marks":1335,"value":1338,"nodeType":1293},{},[1336],{"type":1337},"underline","SAMLjacking and poisoned tenants","hyperlink",{"data":1341,"marks":1342,"value":1343,"nodeType":1293},{},[],", particularly with regard to clever phishing attacks aimed at gaining initial access to some cloud identities. Today, we’ll look at how Okta’s AD synchronization is pretty much SAMLjacking on steroids. We’ll also consider how it can be used as a stealthy watering-hole style lateral movement attack too.",{"data":1345,"content":1346,"nodeType":1294},{},[1347],{"data":1348,"marks":1349,"value":1350,"nodeType":1293},{},[],"To be clear, this isn't a vulnerability in Okta that circumvents a security boundary and needs to be patched. This is offensive use of a product feature, the SaaS version of living off the land (LOTL). Let's call it living off the cloud (LOTC).",{"data":1352,"content":1353,"nodeType":1358},{},[1354],{"data":1355,"marks":1356,"value":1357,"nodeType":1293},{},[],"What is SAMLjacking?","heading-1",{"data":1360,"content":1361,"nodeType":1294},{},[1362,1365,1374],{"data":1363,"marks":1364,"value":37,"nodeType":1293},{},[],{"data":1366,"content":1368,"nodeType":1339},{"uri":1367},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/samljacking/description.md",[1369],{"data":1370,"marks":1371,"value":1373,"nodeType":1293},{},[1372],{"type":1337},"SAMLjacking",{"data":1375,"marks":1376,"value":1377,"nodeType":1293},{},[]," is where an attacker makes use of SAML SSO configuration settings for a SaaS tenant they control in order to redirect users to a malicious link during the authentication process. This can be highly effective for phishing, as the original URL will be a legitimate SaaS URL and users will provide their credentials because they’re expecting that as part of the login process. 
",{"data":1379,"content":1380,"nodeType":1358},{},[1381],{"data":1382,"marks":1383,"value":1384,"nodeType":1293},{},[],"What is a poisoned tenant?",{"data":1386,"content":1387,"nodeType":1294},{},[1388,1391,1399],{"data":1389,"marks":1390,"value":37,"nodeType":1293},{},[],{"data":1392,"content":1394,"nodeType":1339},{"uri":1393},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/poisoned_tenants/description.md",[1395],{"data":1396,"marks":1397,"value":1398,"nodeType":1293},{},[],"Poisoned tenants",{"data":1400,"marks":1401,"value":1402,"nodeType":1293},{},[]," involve an adversary registering a tenant for a SaaS app they control and tricking target users to join it, often using built-in invite functionality. The end goal is to have some target users actively using a tenant you (as the adversary) control.",{"data":1404,"content":1405,"nodeType":1358},{},[1406],{"data":1407,"marks":1408,"value":1409,"nodeType":1293},{},[],"What is Oktajacking?",{"data":1411,"content":1412,"nodeType":1294},{},[1413],{"data":1414,"marks":1415,"value":1416,"nodeType":1293},{},[],"This is a name I’ve been using to refer to using Okta to do the credential capture/keylogging for you, without needing to have your own malicious domain hosting your malicious SAML server. This is even more effective than regular SAMLjacking as the user will only ever see legitimate SaaS domains, with the subdomain being the attacker-chosen part (e.g. 
https://attacker-tenant.okta.com).",{"data":1418,"content":1419,"nodeType":1294},{},[1420,1424,1433,1437,1446],{"data":1421,"marks":1422,"value":1423,"nodeType":1293},{},[],"However, the awesome research that underpins this technique was conducted by Adam Chester (",{"data":1425,"content":1427,"nodeType":1339},{"uri":1426},"https://twitter.com/_xpn_",[1428],{"data":1429,"marks":1430,"value":1432,"nodeType":1293},{},[1431],{"type":1337},"@_xpn_",{"data":1434,"marks":1435,"value":1436,"nodeType":1293},{},[],") and is covered in his excellent article, ",{"data":1438,"content":1440,"nodeType":1339},{"uri":1439},"https://blog.xpnsec.com/okta-for-redteamers/",[1441],{"data":1442,"marks":1443,"value":1445,"nodeType":1293},{},[1444],{"type":1337},"Okta for Red Teamers",{"data":1447,"marks":1448,"value":1449,"nodeType":1293},{},[],". If you haven’t already read that, you absolutely should. ",{"data":1451,"content":1452,"nodeType":1294},{},[1453],{"data":1454,"marks":1455,"value":1456,"nodeType":1293},{},[],"Adam identified that if you compromise a Windows domain that’s linked to Okta and/or compromise an Okta admin account for an Okta instance linked to a Windows domain, you can use the Okta AD agent to capture credentials during logins. There’s lots more, but that’s the key part we’ll build upon for this article. ",{"data":1458,"content":1459,"nodeType":1294},{},[1460],{"data":1461,"marks":1462,"value":1463,"nodeType":1293},{},[],"This attack works because Okta forwards credentials from logins for accounts tied to AD to its own AD agent that runs on the target network. Then, Okta allows the agent to report back to them about whether the login should be successful or not. This enables an attacker who has compromised an AD agent, or is able to emulate one, to both monitor login credentials for Okta users and provide skeleton key-like functionality to authenticate to Okta as any user they like. 
",{"data":1465,"content":1466,"nodeType":1294},{},[1467],{"data":1468,"marks":1469,"value":1470,"nodeType":1293},{},[],"The context of this in Adam’s article was primarily a traditional Windows domain compromise scenario where an attacker could use this method as a form of incredibly powerful domain-level persistence or to move laterally to other accounts. This is applicable in late-stage kill chain phases, where the attacker has already achieved a total organization-level compromise. ",{"data":1472,"content":1473,"nodeType":1294},{},[1474],{"data":1475,"marks":1476,"value":1477,"nodeType":1293},{},[],"So, how can this technique be leveraged earlier in the kill chain? We’ll consider the following two scenarios for this article:",{"data":1479,"content":1480,"nodeType":1513},{},[1481,1498],{"data":1482,"content":1483,"nodeType":1497},{},[1484],{"data":1485,"content":1486,"nodeType":1294},{},[1487,1493],{"data":1488,"marks":1489,"value":1492,"nodeType":1293},{},[1490],{"type":1491},"bold","Oktajacking for initial access",{"data":1494,"marks":1495,"value":1496,"nodeType":1293},{},[]," - directly phishing credentials via a valid Okta tenant we create","list-item",{"data":1499,"content":1500,"nodeType":1497},{},[1501],{"data":1502,"content":1503,"nodeType":1294},{},[1504,1509],{"data":1505,"marks":1506,"value":1508,"nodeType":1293},{},[1507],{"type":1491},"Oktajacking for lateral movement ",{"data":1510,"marks":1511,"value":1512,"nodeType":1293},{},[],"- capturing credentials via a watering hole attack when having admin-level compromised a SaaS application in use by the target 
organization","unordered-list",{"data":1515,"content":1521,"nodeType":1522},{"target":1516},{"sys":1517},{"id":1518,"type":1519,"linkType":1520},"6iKFd9Qys2SSuNqKVQB7ka","Link","Entry",[],"embedded-entry-block",{"data":1524,"content":1525,"nodeType":1358},{},[1526],{"data":1527,"marks":1528,"value":1492,"nodeType":1293},{},[],{"data":1530,"content":1531,"nodeType":1294},{},[1532,1536,1545],{"data":1533,"marks":1534,"value":1535,"nodeType":1293},{},[],"The most common way someone might attack Okta-protected organizations would be to conduct traditional phishing attacks hosted on an attacker-controlled domain that emulate an Okta login page. A great article to check out on this would be Nick Vangilder’s article, ",{"data":1537,"content":1539,"nodeType":1339},{"uri":1538},"https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23",[1540],{"data":1541,"marks":1542,"value":1544,"nodeType":1293},{},[1543],{"type":1337},"Okta for Red Teamers - Perimeter Edition. ",{"data":1546,"marks":1547,"value":37,"nodeType":1293},{},[],{"data":1549,"content":1550,"nodeType":1294},{},[1551],{"data":1552,"marks":1553,"value":1554,"nodeType":1293},{},[],"However, as with most phishing attacks this involves the use of a malicious domain to host the phishing server. Okta AD synchronization allows us to use legitimate Okta domains to do the phishing for us. This attack can catch out even the most security conscious users.",{"data":1556,"content":1557,"nodeType":1294},{},[1558],{"data":1559,"marks":1560,"value":1561,"nodeType":1293},{},[],"To do this, we set up an attacker-controlled Okta tenant as a poisoned tenant and configure it for AD integration, using Adam Chester’s python script to harvest credentials. This enables actual Okta-owned domains to be used in phishing attacks to target users. A careful attacker would likely use a tenant name similar to the target organization’s real Okta tenant name. 
This is incredibly powerful and is likely to be effective against even the most security conscious users. ",{"data":1563,"content":1564,"nodeType":1294},{},[1565],{"data":1566,"marks":1567,"value":1568,"nodeType":1293},{},[],"A few prerequisites and tweaks are required in order to make this attack successful:",{"data":1570,"content":1571,"nodeType":1513},{},[1572,1582,1592],{"data":1573,"content":1574,"nodeType":1497},{},[1575],{"data":1576,"content":1577,"nodeType":1294},{},[1578],{"data":1579,"marks":1580,"value":1581,"nodeType":1293},{},[],"Import and activate accounts from AD that match the emails of users you want to target - this will ensure these emails are mapped to AD for authentication and cause Okta to send the credentials to the monitoring script.",{"data":1583,"content":1584,"nodeType":1497},{},[1585],{"data":1586,"content":1587,"nodeType":1294},{},[1588],{"data":1589,"marks":1590,"value":1591,"nodeType":1293},{},[],"Make a small modification to the python script to accept any password as valid, rather than a specific skeleton key. ",{"data":1593,"content":1594,"nodeType":1497},{},[1595],{"data":1596,"content":1597,"nodeType":1294},{},[1598],{"data":1599,"marks":1600,"value":1601,"nodeType":1293},{},[],"Modify the default authentication policy for Okta to allow single-factor password authentication for the target users - this will prevent them being prompted to use Okta Verify as part of the login process.",{"data":1603,"content":1604,"nodeType":1294},{},[1605],{"data":1606,"marks":1607,"value":1608,"nodeType":1293},{},[],"The goal for the last two actions above is to allow target users to authenticate legitimately and then redirect them elsewhere, while capturing their credentials. This is better achieved by having their first password accepted rather than them continually failing to authenticate, which may eventually raise alarm bells. 
",{"data":1610,"content":1611,"nodeType":1294},{},[1612],{"data":1613,"marks":1614,"value":1615,"nodeType":1293},{},[],"In this case, we’ll use Okta’s bug bounty system as a test for our poisoned tenant, but in practice an attacker could set up a legitimate Okta tenant, pay for it and name it whatever they like. ",{"data":1617,"content":1618,"nodeType":1294},{},[1619],{"data":1620,"marks":1621,"value":1622,"nodeType":1293},{},[],"The end result is a legitimate Okta domain and login page that will capture credentials for the attacker, which can then be used in highly convincing phishing attacks. In this example, the following URL will capture credentials for us:",{"data":1624,"content":1625,"nodeType":1294},{},[1626,1629,1637],{"data":1627,"marks":1628,"value":37,"nodeType":1293},{},[],{"data":1630,"content":1632,"nodeType":1339},{"uri":1631},"https://bugcrowd-oie-lukejennings-1.oktapreview.com/",[1633],{"data":1634,"marks":1635,"value":1631,"nodeType":1293},{},[1636],{"type":1337},{"data":1638,"marks":1639,"value":37,"nodeType":1293},{},[],{"data":1641,"content":1645,"nodeType":1522},{"target":1642},{"sys":1643},{"id":1644,"type":1519,"linkType":1520},"2KBgFSFnmIdKqfpp8sPGb1",[],{"data":1647,"content":1651,"nodeType":1522},{"target":1648},{"sys":1649},{"id":1650,"type":1519,"linkType":1520},"5ef3me94SCAdM5vYXodqbF",[],{"data":1653,"content":1657,"nodeType":1522},{"target":1654},{"sys":1655},{"id":1656,"type":1519,"linkType":1520},"3OFjwQRQTJynaPme8WY9cp",[],{"data":1659,"content":1660,"nodeType":1358},{},[1661],{"data":1662,"marks":1663,"value":1664,"nodeType":1293},{},[],"Oktajacking for lateral movement",{"data":1666,"content":1667,"nodeType":1294},{},[1668,1672,1683],{"data":1669,"marks":1670,"value":1671,"nodeType":1293},{},[],"In both the previous section and our article on 
",{"data":1673,"content":1677,"nodeType":1682},{"target":1674},{"sys":1675},{"id":1676,"type":1519,"linkType":1520},"3F96pyn4qqkbVctSOH69vm",[1678],{"data":1679,"marks":1680,"value":1373,"nodeType":1293},{},[1681],{"type":1337},"entry-hyperlink",{"data":1684,"marks":1685,"value":1686,"nodeType":1293},{},[],", we focused on conducting highly convincing phishing attacks by sending URLs for legitimate SaaS domains that capture credentials. ",{"data":1688,"content":1689,"nodeType":1294},{},[1690],{"data":1691,"marks":1692,"value":1693,"nodeType":1293},{},[],"But what if we achieve an admin-level compromise of a SaaS app used by a target organization that authenticates via Okta already? How can we leverage that access to perform lateral movement?",{"data":1695,"content":1696,"nodeType":1294},{},[1697],{"data":1698,"marks":1699,"value":1700,"nodeType":1293},{},[],"We can change the SAML configuration in the compromised SaaS application to point to a different Okta instance that we control and then conduct the same credential capture attack we saw in the previous section. ",{"data":1702,"content":1703,"nodeType":1294},{},[1704],{"data":1705,"marks":1706,"value":1707,"nodeType":1293},{},[],"In other words, we can then authenticate to the target SaaS application as any user we like and also capture Okta credentials for all legitimate users also using that application without needing to send any phishing links. ",{"data":1709,"content":1710,"nodeType":1294},{},[1711],{"data":1712,"marks":1713,"value":1714,"nodeType":1293},{},[],"We’re going to use Datadog as a demo example for this - just because we need something real to target. To be crystal clear, this will work for basically any app that supports SAML. 
This is not a bug in SAML, or in Okta, or Datadog - it's the consequence of having privileged administrative access to an app, and the ability to change SSO configuration.\n\nTo set up the attack, we need to first:",{"data":1716,"content":1717,"nodeType":1513},{},[1718,1728,1738,1748,1758,1768],{"data":1719,"content":1720,"nodeType":1497},{},[1721],{"data":1722,"content":1723,"nodeType":1294},{},[1724],{"data":1725,"marks":1726,"value":1727,"nodeType":1293},{},[],"Compromise the organization’s Datadog tenant at admin-level",{"data":1729,"content":1730,"nodeType":1497},{},[1731],{"data":1732,"content":1733,"nodeType":1294},{},[1734],{"data":1735,"marks":1736,"value":1737,"nodeType":1293},{},[],"Create a malicious Okta tenant and connect it to an active directory instance with the same email domain as the target organization",{"data":1739,"content":1740,"nodeType":1497},{},[1741],{"data":1742,"content":1743,"nodeType":1294},{},[1744],{"data":1745,"marks":1746,"value":1747,"nodeType":1293},{},[],"Create AD accounts for all users that will be targeted so they can be imported into Okta as AD account - in practice, it would be best to copy the list of users from Datadog and replicate this in AD and Okta",{"data":1749,"content":1750,"nodeType":1497},{},[1751],{"data":1752,"content":1753,"nodeType":1294},{},[1754],{"data":1755,"marks":1756,"value":1757,"nodeType":1293},{},[],"Run Adam Chester’s python script to harvest credentials for Okta AD authentication and modify it to accept any password ",{"data":1759,"content":1760,"nodeType":1497},{},[1761],{"data":1762,"content":1763,"nodeType":1294},{},[1764],{"data":1765,"marks":1766,"value":1767,"nodeType":1293},{},[],"Modify the Datadog SAML configuration to point to the malicious Okta tenant, instead of the original legitimate Okta tenant",{"data":1769,"content":1770,"nodeType":1497},{},[1771],{"data":1772,"content":1773,"nodeType":1294},{},[1774],{"data":1775,"marks":1776,"value":1777,"nodeType":1293},{},[],"Sit back, 
relax, and watch the credentials coming in",{"data":1779,"content":1780,"nodeType":1294},{},[1781],{"data":1782,"marks":1783,"value":1784,"nodeType":1293},{},[],"Now we’ll explain what happens from the perspective of other users of the target organization’s Datadog tenant that has been compromised:",{"data":1786,"content":1787,"nodeType":1513},{},[1788,1798,1808,1818],{"data":1789,"content":1790,"nodeType":1497},{},[1791],{"data":1792,"content":1793,"nodeType":1294},{},[1794],{"data":1795,"marks":1796,"value":1797,"nodeType":1293},{},[],"Their Datadog session expires and they’re redirected back to the SAML login provider for re-authentication - in this case, to our malicious Okta tenant we have substituted for the real Okta tenant",{"data":1799,"content":1800,"nodeType":1497},{},[1801],{"data":1802,"content":1803,"nodeType":1294},{},[1804],{"data":1805,"marks":1806,"value":1807,"nodeType":1293},{},[],"The user enters their credentials into the login page for our malicious Okta tenant. Our instance of Adam Chester’s AD synchronization script harvests the user’s login credentials.",{"data":1809,"content":1810,"nodeType":1497},{},[1811],{"data":1812,"content":1813,"nodeType":1294},{},[1814],{"data":1815,"marks":1816,"value":1817,"nodeType":1293},{},[],"The user is already accustomed to using Okta to access Datadog, the Okta login page they are directed to is on a legitimate Okta domain and they haven’t clicked any links in emails/IM messages so there is no reason for suspicion.",{"data":1819,"content":1820,"nodeType":1497},{},[1821],{"data":1822,"content":1823,"nodeType":1294},{},[1824],{"data":1825,"marks":1826,"value":1827,"nodeType":1293},{},[],"The modification we made to accept any credentials means the script returns true to Okta and causes Okta to accept the authentication attempt. 
This causes the user to be logged into the legitimate Datadog tenant again, where they can carry on their work, unaware they have just had their Okta credentials stolen.",{"data":1829,"content":1830,"nodeType":1294},{},[1831],{"data":1832,"marks":1833,"value":1834,"nodeType":1293},{},[],"The following video shows what a login attempt to Datadog looks like after the SAML configuration has been modified to point to our malicious Okta tenant. You can see how all the URLs observed are legitimate Datadog and Okta domains, any password will be accepted and harvested and the target user will be logged into the legitimate Datadog tenant successfully at the end.",{"data":1836,"content":1840,"nodeType":1522},{"target":1837},{"sys":1838},{"id":1839,"type":1519,"linkType":1520},"dHVOdvHLdVzOEGai6qtSl",[],{"data":1842,"content":1843,"nodeType":1294},{},[1844],{"data":1845,"marks":1846,"value":1847,"nodeType":1293},{},[],"This type of attack sits somewhere in the middle of the kill chain between the initial access phishing we covered in the previous section and the full active directory/Okta domain compromise Adam Chester covered in his article. In this instance, we are looking at leveraging a more limited admin-level compromise of a single SaaS application to extend our access much further. ",{"data":1849,"content":1850,"nodeType":1294},{},[1851,1855,1860],{"data":1852,"marks":1853,"value":1854,"nodeType":1293},{},[],"When an organization relies on SaaS apps, it’s likely there may be some apps that are not considered particularly security critical and also may have “admins” that are actually just members of non-technical teams in the business. An admin-level compromise of ",{"data":1856,"marks":1857,"value":1859,"nodeType":1293},{},[1858],{"type":312},"any",{"data":1861,"marks":1862,"value":1863,"nodeType":1293},{},[]," SaaS application used by the organization can be used to conduct highly stealthy Okta credential capturing for all users. 
With those credentials, an attacker can expand their access and move laterally to other accounts and applications. ",{"data":1865,"content":1869,"nodeType":1522},{"target":1866},{"sys":1867},{"id":1868,"type":1519,"linkType":1520},"2y0INxqAi594O7rCAVKhTI",[],{"data":1871,"content":1872,"nodeType":1358},{},[1873],{"data":1874,"marks":1875,"value":1876,"nodeType":1293},{},[],"Impact",{"data":1878,"content":1879,"nodeType":1294},{},[1880],{"data":1881,"marks":1882,"value":1883,"nodeType":1293},{},[],"Let’s take a step back and consider the key points of impact here:",{"data":1885,"content":1886,"nodeType":1513},{},[1887,1897,1907],{"data":1888,"content":1889,"nodeType":1497},{},[1890],{"data":1891,"content":1892,"nodeType":1294},{},[1893],{"data":1894,"marks":1895,"value":1896,"nodeType":1293},{},[],"Attackers can send phishing links pointing to legitimate Okta domains and use those to capture credentials due to the way Okta AD synchronization works - this bypasses common user security training around checking domains are legitimate",{"data":1898,"content":1899,"nodeType":1497},{},[1900],{"data":1901,"content":1902,"nodeType":1294},{},[1903],{"data":1904,"marks":1905,"value":1906,"nodeType":1293},{},[],"If an attacker compromises a legitimate SaaS tenant in use by an organization protected by Okta, they can modify the SAML configuration to point to their own malicious Okta tenant and thus capture credentials using the same method",{"data":1908,"content":1909,"nodeType":1497},{},[1910],{"data":1911,"content":1912,"nodeType":1294},{},[1913],{"data":1914,"marks":1915,"value":1916,"nodeType":1293},{},[],"It would be extremely unlikely legitimate users would notice as it is part of the normal authentication flow, all domains observed would be legitimate SaaS and Okta domains, and they would be logged in successfully to the real SaaS tenant after entering their 
password",{"data":1918,"content":1919,"nodeType":1358},{},[1920],{"data":1921,"marks":1922,"value":1923,"nodeType":1293},{},[],"Conclusion",{"data":1925,"content":1926,"nodeType":1294},{},[1927],{"data":1928,"marks":1929,"value":1930,"nodeType":1293},{},[],"Okta is an identity management service that can help manage and protect access to a large number of applications used by an organization. However, due to the manner in which Okta AD synchronization works, it’s possible to use phishing links pointing to legitimate Okta domains to capture users’ credentials.",{"data":1932,"content":1933,"nodeType":1294},{},[1934],{"data":1935,"marks":1936,"value":1937,"nodeType":1293},{},[],"Additionally, admin access to any application in use with Okta needs to be carefully considered even if the application itself is not particularly sensitive. This is because a compromise of that application, or of a user account with admin access to it, can be used to modify the existing Okta SAML configuration to point to a malicious Okta tenant and conduct an extremely stealthy credential harvesting attack of all users of the application. ",{"data":1939,"content":1940,"nodeType":1294},{},[1941],{"data":1942,"marks":1943,"value":1944,"nodeType":1293},{},[],"Defenders should carefully monitor user access to Okta URLs that do not match their own legitimate tenant as it could be a sign of credential capturing attacks. They should also treat changes to the SAML/SSO configuration of any Okta-connected SaaS application as a security-relevant event to be logged and alerted on, since such a change is the precondition for the lateral movement variant described above.","Oktajacking","In this article, we'll show you how to use Okta to do keylogging for you, without needing to have your own malicious domain hosting your malicious SAML server. 
","2023-12-06T00:00:00.000Z","oktajacking",{"items":1950},[1951,1955],{"sys":1952,"name":1954},{"id":1953},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1956,"name":1311},{"id":1310},{"items":1958},[1959],{"fullName":1960,"firstName":1961,"jobTitle":1962,"profilePicture":1963},"Luke Jennings","Luke","Vice President, R&D",{"url":1964},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"__typename":1315,"sys":1966,"content":1968,"title":3163,"synopsis":3164,"hashTags":118,"publishedDate":3165,"slug":3166,"tagsCollection":3167,"authorsCollection":3173},{"id":1967},"1te7lpcknxuN73jdCdkXjd",{"json":1969},{"data":1970,"content":1971,"nodeType":1295},{},[1972,1979,1986,1993,2000,2007,2014,2020,2027,2034,2041,2135,2140,2147,2154,2161,2194,2201,2208,2215,2222,2228,2235,2242,2265,2272,2278,2284,2291,2298,2305,2313,2320,2327,2334,2340,2346,2354,2361,2368,2375,2382,2389,2396,2403,2410,2417,2424,2431,2438,2443,2450,2457,2464,2471,2477,2483,2490,2497,2504,2527,2534,2540,2546,2553,2559,2566,2573,2584,2591,2598,2605,2612,2619,2639,2747,2754,2761,2809,2815,2822,2829,2836,2843,2850,2857,2863,2870,2889,2896,2903,2910,2917,2924,2931,2974,2981,3039,3045,3052,3115,3121,3128,3135,3142,3149,3156],{"data":1973,"content":1974,"nodeType":1294},{},[1975],{"data":1976,"marks":1977,"value":1978,"nodeType":1293},{},[],"This blog post covers the implications of using SWA as an authentication method in Okta, with a particular focus on what security teams need to consider in an account breach and subsequent incident response scenario. 
",{"data":1980,"content":1981,"nodeType":1294},{},[1982],{"data":1983,"marks":1984,"value":1985,"nodeType":1293},{},[],"Spoiler alert: we’ll make the case that the true value of an SSO solution like Okta is in the use of SAML and OIDC authentication methods, not convenience features like SWA.",{"data":1987,"content":1988,"nodeType":1358},{},[1989],{"data":1990,"marks":1991,"value":1992,"nodeType":1293},{},[],"Introduction",{"data":1994,"content":1995,"nodeType":1294},{},[1996],{"data":1997,"marks":1998,"value":1999,"nodeType":1293},{},[],"To facilitate SSO logins to web applications, Okta allows the industry standard SAML and OIDC protocols for federated logins to be used with applications that support it. These represent the most secure and recommended options. However, Okta also offers a proprietary system called SWA to support apps that don’t support these protocols, or where they are otherwise unavailable due to licensing restrictions.     ",{"data":2001,"content":2002,"nodeType":1294},{},[2003],{"data":2004,"marks":2005,"value":2006,"nodeType":1293},{},[],"While SWA is referred to as an SSO login mechanism, functionally it’s a password manager. SWA stores username and password combinations for individual applications on a per-user basis and makes use of a browser extension to automate the login process on behalf of the user. 
",{"data":2008,"content":2009,"nodeType":1294},{},[2010],{"data":2011,"marks":2012,"value":2013,"nodeType":1293},{},[],"The screenshot below shows an example of an application being configured to use SWA as opposed to SAML, in this case Salesforce:",{"data":2015,"content":2019,"nodeType":1522},{"target":2016},{"sys":2017},{"id":2018,"type":1519,"linkType":1520},"4wrRez2VpTG1vjsvNFlklK",[],{"data":2021,"content":2022,"nodeType":1294},{},[2023],{"data":2024,"marks":2025,"value":2026,"nodeType":1293},{},[],"From this configuration screen it’s not obvious that there is a fundamental difference between some login methods like SWA and true federated identity methods like SAML 2.0. To better understand the difference and the risks of SWA, let’s look at it from an attacker’s perspective.",{"data":2028,"content":2029,"nodeType":1358},{},[2030],{"data":2031,"marks":2032,"value":2033,"nodeType":1293},{},[],"How are Okta accounts compromised?",{"data":2035,"content":2036,"nodeType":1294},{},[2037],{"data":2038,"marks":2039,"value":2040,"nodeType":1293},{},[],"While it’s common for Okta accounts to be protected using MFA, and sometimes device trust, there are still viable attack vectors. The two most prevalent attacks would be: ",{"data":2042,"content":2043,"nodeType":1513},{},[2044,2059],{"data":2045,"content":2046,"nodeType":1497},{},[2047],{"data":2048,"content":2049,"nodeType":1294},{},[2050,2055],{"data":2051,"marks":2052,"value":2054,"nodeType":1293},{},[2053],{"type":1491},"Endpoint compromise",{"data":2056,"marks":2057,"value":2058,"nodeType":1293},{},[]," - In a traditional endpoint compromise scenario, an attacker will generally have full access to the user’s browser. This means they can hijack existing Okta sessions by stealing authentication tokens, which sidestep device trust and MFA entirely: those checks were already satisfied when the session was established, and a stolen token simply reuses that authenticated state. 
For persistent access, they can keylog credentials when the user next logs in and add MFA methods or enrol a new endpoint with device trust.",{"data":2060,"content":2061,"nodeType":1497},{},[2062],{"data":2063,"content":2064,"nodeType":1294},{},[2065,2070,2074,2083,2087,2096,2101,2105,2114,2119,2123,2132],{"data":2066,"marks":2067,"value":2069,"nodeType":1293},{},[2068],{"type":1491},"Phishing attacks/MFA proxying",{"data":2071,"marks":2072,"value":2073,"nodeType":1293},{},[]," - Traditional phishing attacks can be launched against Okta users to obtain credentials and/or authenticated sessions. Attacker-in-the-middle (AITM) attacks can be used to bypass common MFA mechanisms, and attacks against Okta users are typically carried out using tools such as ",{"data":2075,"content":2077,"nodeType":1339},{"uri":2076},"https://github.com/kgretzky/evilginx2",[2078],{"data":2079,"marks":2080,"value":2082,"nodeType":1293},{},[2081],{"type":1337},"evilginx",{"data":2084,"marks":2085,"value":2086,"nodeType":1293},{},[],", ",{"data":2088,"content":2090,"nodeType":1339},{"uri":2089},"https://mrd0x.com/bypass-2fa-using-novnc/",[2091],{"data":2092,"marks":2093,"value":2095,"nodeType":1293},{},[2094],{"type":1337},"noVNC",{"data":2097,"marks":2098,"value":2100,"nodeType":1293},{},[2099],{"type":1491}," ",{"data":2102,"marks":2103,"value":2104,"nodeType":1293},{},[],"or ",{"data":2106,"content":2108,"nodeType":1339},{"uri":2107},"https://github.com/fkasler/cuddlephish",[2109],{"data":2110,"marks":2111,"value":2113,"nodeType":1293},{},[2112],{"type":1337},"cuddlephish",{"data":2115,"marks":2116,"value":2118,"nodeType":1293},{},[2117],{"type":1491},".",{"data":2120,"marks":2121,"value":2122,"nodeType":1293},{},[]," We’ve even seen groups using tooling specifically crafted to target Okta such as the notorious 
",{"data":2124,"content":2126,"nodeType":1339},{"uri":2125},"https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/",[2127],{"data":2128,"marks":2129,"value":2131,"nodeType":1293},{},[2130],{"type":1337},"0ktapus group/campaign.",{"data":2133,"marks":2134,"value":37,"nodeType":1293},{},[],{"data":2136,"content":2139,"nodeType":1522},{"target":2137},{"sys":2138},{"id":1518,"type":1519,"linkType":1520},[],{"data":2141,"content":2142,"nodeType":1358},{},[2143],{"data":2144,"marks":2145,"value":2146,"nodeType":1293},{},[],"What is Okta SWA?",{"data":2148,"content":2149,"nodeType":1294},{},[2150],{"data":2151,"marks":2152,"value":2153,"nodeType":1293},{},[],"Okta Secure Web Authentication (SWA) provides SSO-like functionality to web applications that don’t support federated protocols and is intended to be used only when SAML or OIDC federated logins cannot be used. ",{"data":2155,"content":2156,"nodeType":1294},{},[2157],{"data":2158,"marks":2159,"value":2160,"nodeType":1293},{},[],"It is SSO-like in the sense that:",{"data":2162,"content":2163,"nodeType":1513},{},[2164,2174,2184],{"data":2165,"content":2166,"nodeType":1497},{},[2167],{"data":2168,"content":2169,"nodeType":1294},{},[2170],{"data":2171,"marks":2172,"value":2173,"nodeType":1293},{},[],"A user enters their single Okta password to login to Okta, ",{"data":2175,"content":2176,"nodeType":1497},{},[2177],{"data":2178,"content":2179,"nodeType":1294},{},[2180],{"data":2181,"marks":2182,"value":2183,"nodeType":1293},{},[],"SWA then stores username/password combinations ",{"data":2185,"content":2186,"nodeType":1497},{},[2187],{"data":2188,"content":2189,"nodeType":1294},{},[2190],{"data":2191,"marks":2192,"value":2193,"nodeType":1293},{},[],"SWA then makes use of a browser extension to automatically login to applications using the credentials. 
",{"data":2195,"content":2196,"nodeType":1294},{},[2197],{"data":2198,"marks":2199,"value":2200,"nodeType":1293},{},[],"In that sense, it’s essentially a password manager. Like any password manager, it can be a big security improvement over a user manually managing their accounts or reusing the same password everywhere.",{"data":2202,"content":2203,"nodeType":1294},{},[2204],{"data":2205,"marks":2206,"value":2207,"nodeType":1293},{},[],"There’s a good reason that true SSO is considered more secure than password managers, and this comes down to the identity. An SSO uses a single identity that is federated to other apps, where a password manager just better manages many discrete identities. So, when an employee leaves an organization and they’re using an SSO, a single identity needs to be disabled, but disabling access to a password manager does nothing to disable the identities inside it.",{"data":2209,"content":2210,"nodeType":1294},{},[2211],{"data":2212,"marks":2213,"value":2214,"nodeType":1293},{},[],"In the case of SWA, the use of a browser extension and a long list of supported applications with custom login scripts already written is a key value add. This means users don’t need to copy/paste credentials like they might with some password managers. ",{"data":2216,"content":2217,"nodeType":1294},{},[2218],{"data":2219,"marks":2220,"value":2221,"nodeType":1293},{},[],"However, unlike typical password managers, there isn’t just one type of SWA, administrators can actually pick between one of five configuration options. This is shown in the screenshot below:",{"data":2223,"content":2227,"nodeType":1522},{"target":2224},{"sys":2225},{"id":2226,"type":1519,"linkType":1520},"42kt5hDFjjVYLf85HnjlU8",[],{"data":2229,"content":2230,"nodeType":1294},{},[2231],{"data":2232,"marks":2233,"value":2234,"nodeType":1293},{},[],"So, it’s possible to configure SWA like a traditional password manager scenario where the user sets their own username and password. 
However, as you can see above, you can set it up so that administrators can fully control the credentials, including the use of shared credentials used by multiple users.",{"data":2236,"content":2237,"nodeType":1294},{},[2238],{"data":2239,"marks":2240,"value":2241,"nodeType":1293},{},[],"SWA can also control the default configuration of the password reveal capability:",{"data":2243,"content":2244,"nodeType":1513},{},[2245,2255],{"data":2246,"content":2247,"nodeType":1497},{},[2248],{"data":2249,"content":2250,"nodeType":1294},{},[2251],{"data":2252,"marks":2253,"value":2254,"nodeType":1293},{},[],"When configured to allow users to set their own credentials, password reveal is enabled by default. ",{"data":2256,"content":2257,"nodeType":1497},{},[2258],{"data":2259,"content":2260,"nodeType":1294},{},[2261],{"data":2262,"marks":2263,"value":2264,"nodeType":1293},{},[],"When administrators control the credentials, password reveal is disabled by default. ",{"data":2266,"content":2267,"nodeType":1294},{},[2268],{"data":2269,"marks":2270,"value":2271,"nodeType":1293},{},[],"Since Okta SWA performs logins automatically on behalf of the user, the user doesn’t technically need to be able to view or copy/paste the credentials. This makes it possible for Okta to support disabling password reveal. 
",{"data":2273,"content":2277,"nodeType":1522},{"target":2274},{"sys":2275},{"id":2276,"type":1519,"linkType":1520},"3IE8neYJbh0H8Vc7Hd9p5W",[],{"data":2279,"content":2283,"nodeType":1522},{"target":2280},{"sys":2281},{"id":2282,"type":1519,"linkType":1520},"5C1lhoJtBEgdndiL9gSUbd",[],{"data":2285,"content":2286,"nodeType":1358},{},[2287],{"data":2288,"marks":2289,"value":2290,"nodeType":1293},{},[],"What are the security risks of using SWA?",{"data":2292,"content":2293,"nodeType":1294},{},[2294],{"data":2295,"marks":2296,"value":2297,"nodeType":1293},{},[],"While SWA may be a step up from users performing manual logins to a range of apps, it carries the same risk that any password manager solution has. If your account is compromised then all your usernames and passwords can be stolen in one go.",{"data":2299,"content":2300,"nodeType":1294},{},[2301],{"data":2302,"marks":2303,"value":2304,"nodeType":1293},{},[],"But how can that be if password reveal has been disabled",{"data":2306,"content":2307,"nodeType":2312},{},[2308],{"data":2309,"marks":2310,"value":2311,"nodeType":1293},{},[],"1. Bypassing password reveal restrictions","heading-2",{"data":2314,"content":2315,"nodeType":1294},{},[2316],{"data":2317,"marks":2318,"value":2319,"nodeType":1293},{},[],"Even if users don’t directly interact with their passwords themselves (e.g. via copy/paste), their browser needs access otherwise it wouldn’t be possible to login to apps. ",{"data":2321,"content":2322,"nodeType":1294},{},[2323],{"data":2324,"marks":2325,"value":2326,"nodeType":1293},{},[],"The Okta browser extension uses the user’s active Okta login session to request credentials in the background, then automatically logs in to apps without the user ever directly seeing those credentials. 
So, while disabling password reveal may defeat a low-skill attacker or normal user scenarios, it’s essentially a client-side (UI) control - the server still hands the secret to the browser - and isn’t going to stop a more determined attacker or technical user from getting at the credentials. This isn’t a bug, it’s a technical limitation of how a password manager works.",{"data":2328,"content":2329,"nodeType":1294},{},[2330],{"data":2331,"marks":2332,"value":2333,"nodeType":1293},{},[],"For example, let’s say a user has Salesforce configured as an app with SWA and clicks the app tile in the extension to login. The browser extension will use the active user session to make a request like the following (headers and irrelevant data removed for clarity):",{"data":2335,"content":2339,"nodeType":1522},{"target":2336},{"sys":2337},{"id":2338,"type":1519,"linkType":1520},"2tiqg9EUoa9KxkTCduZoVe",[],{"data":2341,"content":2345,"nodeType":1522},{"target":2342},{"sys":2343},{"id":2344,"type":1519,"linkType":1520},"4ApkgD7IwPRC3jC09Jf2SJ",[],{"data":2347,"content":2348,"nodeType":1294},{},[2349],{"data":2350,"marks":2351,"value":2353,"nodeType":1293},{},[2352],{"type":312},"This response to the browser extension’s web request contains the username and password for Salesforce",{"data":2355,"content":2356,"nodeType":1294},{},[2357],{"data":2358,"marks":2359,"value":2360,"nodeType":1293},{},[],"This is the Salesforce-specific login script that allows the extension to automatically log the user in to Salesforce and includes their credentials. The response will include the credentials even if password reveal is disabled, because the extension needs them to perform the login - the exchange above was captured using an intercepting proxy like Burp Suite.",{"data":2362,"content":2363,"nodeType":2312},{},[2364],{"data":2365,"marks":2366,"value":2367,"nodeType":1293},{},[],"2. Cross-account shared passwords",{"data":2369,"content":2370,"nodeType":1294},{},[2371],{"data":2372,"marks":2373,"value":2374,"nodeType":1293},{},[],"An additional risk with SWA is an operational one. 
Administrators can set passwords for users and also disable password reveal, which can encourage the use of shared passwords, since they don’t expect the users to see them. ",{"data":2376,"content":2377,"nodeType":1294},{},[2378],{"data":2379,"marks":2380,"value":2381,"nodeType":1293},{},[],"If administrators are auto-generating complex passwords for every single user account they create as a strong operational process, then there may be no issue. However, breach history would tell us that rarely do organizations have operational security practices as stringent as that.",{"data":2383,"content":2384,"nodeType":1294},{},[2385],{"data":2386,"marks":2387,"value":2388,"nodeType":1293},{},[],"An attacker compromising an Okta user account can not only extract valid credentials for all configured SWA apps for that user, but may uncover passwords that are valid for other user accounts configured by administrators, making this a likely vector for lateral movement.",{"data":2390,"content":2391,"nodeType":2312},{},[2392],{"data":2393,"marks":2394,"value":2395,"nodeType":1293},{},[],"3. Shared Okta passwords",{"data":2397,"content":2398,"nodeType":1294},{},[2399],{"data":2400,"marks":2401,"value":2402,"nodeType":1293},{},[],"One SWA option administrators can configure is to require the user to use their Okta password for the application (see earlier screenshot of configuration options). In this case, Okta lets the user set the password for the application, but it will confirm it matches the user’s Okta password and reject it otherwise.",{"data":2404,"content":2405,"nodeType":1294},{},[2406],{"data":2407,"marks":2408,"value":2409,"nodeType":1293},{},[],"This is a dangerous option, since it means the user’s Okta password is shared with other applications. So, if one of those applications is compromised, then their Okta password could be breached as well, which could allow both other applications and the user’s core Okta account to be compromised. 
It’s essentially enforcing password re-use, the exact opposite of what you want from an identity security perspective.",{"data":2411,"content":2412,"nodeType":2312},{},[2413],{"data":2414,"marks":2415,"value":2416,"nodeType":1293},{},[],"4. Persistent access to connected apps",{"data":2418,"content":2419,"nodeType":1294},{},[2420],{"data":2421,"marks":2422,"value":2423,"nodeType":1293},{},[],"Okta acts as an authentication gateway for access to other applications. Ideally, strong authentication policies will be in place such as strong password policies, MFA, account lockout and detection and response controls.",{"data":2425,"content":2426,"nodeType":1294},{},[2427],{"data":2428,"marks":2429,"value":2430,"nodeType":1293},{},[],"However, if even a temporary compromise of an Okta account is achieved (for example through an Okta session theft), an attacker extracting all credentials for SWA apps does not need to maintain access to Okta any further. Instead, they can maintain persistent access to all the downstream SWA apps by logging in manually, using the credentials they have extracted without using Okta. ",{"data":2432,"content":2433,"nodeType":1294},{},[2434],{"data":2435,"marks":2436,"value":2437,"nodeType":1293},{},[],"This greatly complicates incident response playbooks. Where an otherwise simple recovery action like disabling an Okta account, resetting the password and MFA methods, et cetera, would kick an attacker out of the Okta account - for a user using SWA the attacker will still have all the access to downstream SWA applications unless every single SWA app user account is recovered as well. 
This is where the value of a federated identity becomes clear.",{"data":2439,"content":2442,"nodeType":1522},{"target":2440},{"sys":2441},{"id":1868,"type":1519,"linkType":1520},[],{"data":2444,"content":2445,"nodeType":1358},{},[2446],{"data":2447,"marks":2448,"value":2449,"nodeType":1293},{},[],"Dumping SWA credentials",{"data":2451,"content":2452,"nodeType":1294},{},[2453],{"data":2454,"marks":2455,"value":2456,"nodeType":1293},{},[],"Since Okta SWA functions as a password manager, and it’s also possible to bypass password reveal restrictions, an attacker who has gained temporary access to an Okta session can automate the extraction of all credentials stored via SWA for that account.",{"data":2458,"content":2459,"nodeType":2312},{},[2460],{"data":2461,"marks":2462,"value":2463,"nodeType":1293},{},[],"Using the password reveal API",{"data":2465,"content":2466,"nodeType":1294},{},[2467],{"data":2468,"marks":2469,"value":2470,"nodeType":1293},{},[],"One method would be to automate the password reveal API call in the dashboard for every app configured. This is the simplest, direct way to get credentials but has the disadvantage that it will not return credentials that have had password reveal disabled. 
The following screenshots show an example of the API call that is made:",{"data":2472,"content":2476,"nodeType":1522},{"target":2473},{"sys":2474},{"id":2475,"type":1519,"linkType":1520},"27xCaphfwy6zSNU7QDQZ1g",[],{"data":2478,"content":2482,"nodeType":1522},{"target":2479},{"sys":2480},{"id":2481,"type":1519,"linkType":1520},"begENC8Oxq4rwprZ0fGpG",[],{"data":2484,"content":2485,"nodeType":2312},{},[2486],{"data":2487,"marks":2488,"value":2489,"nodeType":1293},{},[],"Using the browser extension API",{"data":2491,"content":2492,"nodeType":1294},{},[2493],{"data":2494,"marks":2495,"value":2496,"nodeType":1293},{},[],"The more effective way for an attacker to dump credentials, and bypass password reveal restrictions, is to emulate the API calls made by the browser extension to retrieve the login scripts for each SWA application. ",{"data":2498,"content":2499,"nodeType":1294},{},[2500],{"data":2501,"marks":2502,"value":2503,"nodeType":1293},{},[],"For an attacker to make these calls, a valid Okta session is needed. 
Specifically, the tokens that need to be extracted from the browser for these calls are:",{"data":2505,"content":2506,"nodeType":1513},{},[2507,2517],{"data":2508,"content":2509,"nodeType":1497},{},[2510],{"data":2511,"content":2512,"nodeType":1294},{},[2513],{"data":2514,"marks":2515,"value":2516,"nodeType":1293},{},[],"The access token in “okta-token-storage” in browser local storage",{"data":2518,"content":2519,"nodeType":1497},{},[2520],{"data":2521,"content":2522,"nodeType":1294},{},[2523],{"data":2524,"marks":2525,"value":2526,"nodeType":1293},{},[],"The “idx” token in cookies",{"data":2528,"content":2529,"nodeType":1294},{},[2530],{"data":2531,"marks":2532,"value":2533,"nodeType":1293},{},[],"These can be seen below:",{"data":2535,"content":2539,"nodeType":1522},{"target":2536},{"sys":2537},{"id":2538,"type":1519,"linkType":1520},"4ooNI3TmnxqCAtw9MZuuVI",[],{"data":2541,"content":2545,"nodeType":1522},{"target":2542},{"sys":2543},{"id":2544,"type":1519,"linkType":1520},"6rbgLXHewT34SPH3qA24Fu",[],{"data":2547,"content":2548,"nodeType":1294},{},[2549],{"data":2550,"marks":2551,"value":2552,"nodeType":1293},{},[],"The following screenshot shows the use of a simple internal PoC we created to investigate logging detection opportunities. 
It gives a sense of the type of information that can be retrieved for a test Okta user account: ",{"data":2554,"content":2558,"nodeType":1522},{"target":2555},{"sys":2556},{"id":2557,"type":1519,"linkType":1520},"5lYhdtWKVqIch6CpksR7Dd",[],{"data":2560,"content":2561,"nodeType":1358},{},[2562],{"data":2563,"marks":2564,"value":2565,"nodeType":1293},{},[],"So if SWA can be risky, are SAML and OIDC safe?",{"data":2567,"content":2568,"nodeType":1294},{},[2569],{"data":2570,"marks":2571,"value":2572,"nodeType":1293},{},[],"In general, much more so, but as is unfortunately so often the case in security, the answer is “it depends.” The threat profile for federated SSO like SAML and OIDC is very different, and they don’t suffer from the risks highlighted with SWA use given above. ",{"data":2574,"content":2575,"nodeType":1294},{},[2576,2581],{"data":2577,"marks":2578,"value":2580,"nodeType":1293},{},[2579],{"type":1491},"Any organization using Okta should strive to use SAML/OIDC for as many applications as possible - this is the true power of a federated identity solution",{"data":2582,"marks":2583,"value":2118,"nodeType":1293},{},[],{"data":2585,"content":2586,"nodeType":1294},{},[2587],{"data":2588,"marks":2589,"value":2590,"nodeType":1293},{},[],"However, it’s important to remember that not even SAML/OIDC is a silver bullet.",{"data":2592,"content":2593,"nodeType":1294},{},[2594],{"data":2595,"marks":2596,"value":2597,"nodeType":1293},{},[],"For example, it’s still possible for an attacker achieving a temporary compromise of an Okta account to click every single SAML/OIDC application to establish authenticated sessions with all of them. While some sessions may be short-lived, depending on the application, these sessions may stay alive for longer periods such as 30 days or for some apps even indefinitely. 
",{"data":2599,"content":2600,"nodeType":1294},{},[2601],{"data":2602,"marks":2603,"value":2604,"nodeType":1293},{},[],"While it may be simple for incident responders to disable an Okta account temporarily, it’s certainly much more difficult to disable all connected SaaS accounts and/or kill active sessions for all of them. ",{"data":2606,"content":2607,"nodeType":1294},{},[2608],{"data":2609,"marks":2610,"value":2611,"nodeType":1293},{},[],"Additionally, while active sessions won’t generally allow an attacker long-term access to an application like stolen SWA credentials often will, many different SaaS applications support methods that can be used to effectively backdoor access to them - though this is a risk to both SWA and federated identities.",{"data":2613,"content":2614,"nodeType":1294},{},[2615],{"data":2616,"marks":2617,"value":2618,"nodeType":1293},{},[],"This is another big challenge for incident responders to deal with, as it can allow attackers to maintain persistence without requiring valid credentials or active sessions. In other words, there are many ways to turn that short-term access into persistent access outside Okta. ",{"data":2620,"content":2621,"nodeType":1294},{},[2622,2626,2635],{"data":2623,"marks":2624,"value":2625,"nodeType":1293},{},[],"While the full details of these persistence attacks are outside the scope of this article, more details on some key attacks can be found in a resource we created called the ",{"data":2627,"content":2629,"nodeType":1339},{"uri":2628},"https://github.com/pushsecurity/saas-attacks",[2630],{"data":2631,"marks":2632,"value":2634,"nodeType":1293},{},[2633],{"type":1337},"SaaS attacks matrix",{"data":2636,"marks":2637,"value":2638,"nodeType":1293},{},[],". 
Some of the most common techniques that apply here are:",{"data":2640,"content":2641,"nodeType":1513},{},[2642,2663,2684,2705,2726],{"data":2643,"content":2644,"nodeType":1497},{},[2645],{"data":2646,"content":2647,"nodeType":1294},{},[2648,2651,2660],{"data":2649,"marks":2650,"value":37,"nodeType":1293},{},[],{"data":2652,"content":2654,"nodeType":1339},{"uri":2653},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/api_keys/description.md",[2655],{"data":2656,"marks":2657,"value":2659,"nodeType":1293},{},[2658],{"type":1337},"SAT1004 - API keys",{"data":2661,"marks":2662,"value":37,"nodeType":1293},{},[],{"data":2664,"content":2665,"nodeType":1497},{},[2666],{"data":2667,"content":2668,"nodeType":1294},{},[2669,2672,2681],{"data":2670,"marks":2671,"value":37,"nodeType":1293},{},[],{"data":2673,"content":2675,"nodeType":1339},{"uri":2674},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/link_sharing/description.md",[2676],{"data":2677,"marks":2678,"value":2680,"nodeType":1293},{},[2679],{"type":1337},"SAT1022 - Link sharing",{"data":2682,"marks":2683,"value":37,"nodeType":1293},{},[],{"data":2685,"content":2686,"nodeType":1497},{},[2687],{"data":2688,"content":2689,"nodeType":1294},{},[2690,2693,2702],{"data":2691,"marks":2692,"value":37,"nodeType":1293},{},[],{"data":2694,"content":2696,"nodeType":1339},{"uri":2695},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[2697],{"data":2698,"marks":2699,"value":2701,"nodeType":1293},{},[2700],{"type":1337},"SAT1017 - Ghost 
logins",{"data":2703,"marks":2704,"value":37,"nodeType":1293},{},[],{"data":2706,"content":2707,"nodeType":1497},{},[2708],{"data":2709,"content":2710,"nodeType":1294},{},[2711,2714,2723],{"data":2712,"marks":2713,"value":37,"nodeType":1293},{},[],{"data":2715,"content":2717,"nodeType":1339},{"uri":2716},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/oauth_tokens/description.md",[2718],{"data":2719,"marks":2720,"value":2722,"nodeType":1293},{},[2721],{"type":1337},"SAT1027 - OAuth tokens",{"data":2724,"marks":2725,"value":37,"nodeType":1293},{},[],{"data":2727,"content":2728,"nodeType":1497},{},[2729],{"data":2730,"content":2731,"nodeType":1294},{},[2732,2735,2744],{"data":2733,"marks":2734,"value":37,"nodeType":1293},{},[],{"data":2736,"content":2738,"nodeType":1339},{"uri":2737},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/shadow_workflows/description.md",[2739],{"data":2740,"marks":2741,"value":2743,"nodeType":1293},{},[2742],{"type":1337},"SAT1033 - Shadow workflows",{"data":2745,"marks":2746,"value":37,"nodeType":1293},{},[],{"data":2748,"content":2749,"nodeType":1358},{},[2750],{"data":2751,"marks":2752,"value":2753,"nodeType":1293},{},[],"Investigating and detecting an Okta account compromise",{"data":2755,"content":2756,"nodeType":1294},{},[2757],{"data":2758,"marks":2759,"value":2760,"nodeType":1293},{},[],"The good news is there are multiple Okta log events that can be used for either investigating a breach or providing some detection mechanisms via a SIEM. 
Three key log events are as follows:",{"data":2762,"content":2763,"nodeType":1513},{},[2764,2779,2794],{"data":2765,"content":2766,"nodeType":1497},{},[2767],{"data":2768,"content":2769,"nodeType":1294},{},[2770,2775],{"data":2771,"marks":2772,"value":2774,"nodeType":1293},{},[2773],{"type":1491},"Show password event",{"data":2776,"marks":2777,"value":2778,"nodeType":1293},{},[]," - indicates when a user has clicked the reveal password button",{"data":2780,"content":2781,"nodeType":1497},{},[2782],{"data":2783,"content":2784,"nodeType":1294},{},[2785,2790],{"data":2786,"marks":2787,"value":2789,"nodeType":1293},{},[2788],{"type":1491},"Evaluation of sign-on policy",{"data":2791,"marks":2792,"value":2793,"nodeType":1293},{},[]," - occurs when the browser extension requests credentials",{"data":2795,"content":2796,"nodeType":1497},{},[2797],{"data":2798,"content":2799,"nodeType":1294},{},[2800,2805],{"data":2801,"marks":2802,"value":2804,"nodeType":1293},{},[2803],{"type":1491},"User single sign on to app",{"data":2806,"marks":2807,"value":2808,"nodeType":1293},{},[]," - occurs when a full app login is performed",{"data":2810,"content":2814,"nodeType":1522},{"target":2811},{"sys":2812},{"id":2813,"type":1519,"linkType":1520},"23G5QvwzgyTEJBJ33Ut7NJ",[],{"data":2816,"content":2817,"nodeType":1294},{},[2818],{"data":2819,"marks":2820,"value":2821,"nodeType":1293},{},[],"Using these events in a post-compromise situation could potentially significantly reduce the response actions required. 
If there is clear evidence that the attacker only accessed a limited number of applications, focus can be placed on disabling those accounts and removing potential backdoors, as opposed to having to perform containment procedures for every single application the user has access to.",{"data":2823,"content":2824,"nodeType":2312},{},[2825],{"data":2826,"marks":2827,"value":2828,"nodeType":1293},{},[],"Short time-window detection",{"data":2830,"content":2831,"nodeType":1294},{},[2832],{"data":2833,"marks":2834,"value":2835,"nodeType":1293},{},[],"While the events above are great for investigation, they are all expected events during normal use of Okta by a user. Perhaps the “show password” event may be rarer, but it would still not be completely unusual to see. ",{"data":2837,"content":2838,"nodeType":1294},{},[2839],{"data":2840,"marks":2841,"value":2842,"nodeType":1293},{},[],"This makes detection more difficult as defenders need to separate malicious logins from legitimate logins, a notoriously difficult task.",{"data":2844,"content":2845,"nodeType":1294},{},[2846],{"data":2847,"marks":2848,"value":2849,"nodeType":1293},{},[],"For proactive detection, one option would be to detect unusually large numbers of these events in a short time window for the same user account. This would be especially effective against automated tools. It would be much more unusual to see a legitimate user login to every app or reveal every password all in one go, or even all in one day. On the other hand, an attacker may seek to compromise all applications in a short time window.",{"data":2851,"content":2852,"nodeType":1294},{},[2853],{"data":2854,"marks":2855,"value":2856,"nodeType":1293},{},[],"Given below is an example of the flurry of logs generated by running our internal SWA password dumping tool shown earlier. 
You can see they are all generated in a very short time window:",{"data":2858,"content":2862,"nodeType":1522},{"target":2859},{"sys":2860},{"id":2861,"type":1519,"linkType":1520},"2PaCRx02gpTyYOiuJ85x9Y",[],{"data":2864,"content":2865,"nodeType":1294},{},[2866],{"data":2867,"marks":2868,"value":2869,"nodeType":1293},{},[],"The only difficulty here is picking sensible numbers for the minimum number of apps and maximum time window required in order to generate a detection event. This would likely need customizing to individual environments based on what number of applications are typical for a user to have access to.",{"data":2871,"content":2872,"nodeType":1294},{},[2873,2877,2886],{"data":2874,"marks":2875,"value":2876,"nodeType":1293},{},[],"For more general Okta detection rule options, consider checking out the Okta rules contained in the open-source ",{"data":2878,"content":2880,"nodeType":1339},{"uri":2879},"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta",[2881],{"data":2882,"marks":2883,"value":2885,"nodeType":1293},{},[2884],{"type":1337},"Sigma rule repository on GitHub",{"data":2887,"marks":2888,"value":2118,"nodeType":1293},{},[],{"data":2890,"content":2891,"nodeType":1358},{},[2892],{"data":2893,"marks":2894,"value":2895,"nodeType":1293},{},[],"Guidance for incident response",{"data":2897,"content":2898,"nodeType":1294},{},[2899],{"data":2900,"marks":2901,"value":2902,"nodeType":1293},{},[],"If there is one key takeaway from this article, it’s that responding to an Okta account compromise isn’t as simple as disabling the user’s Okta account and/or resetting passwords and MFA factors.",{"data":2904,"content":2905,"nodeType":1294},{},[2906],{"data":2907,"marks":2908,"value":2909,"nodeType":1293},{},[],"Once an attacker has compromised an Okta account, it should be initially assumed that all connected application accounts are also compromised, whether they use SAML, OIDC or SWA. 
",{"data":2911,"content":2912,"nodeType":1294},{},[2913],{"data":2914,"marks":2915,"value":2916,"nodeType":1293},{},[],"If SWA is used, incident responders should also explore whether those passwords are compromised and whether any other accounts that potentially share those passwords are compromised. ",{"data":2918,"content":2919,"nodeType":1294},{},[2920],{"data":2921,"marks":2922,"value":2923,"nodeType":1293},{},[],"We’re going to assume all applications/credentials were accessed for the following containment advice, as it’s likely that even moderately-skilled attackers would have tools to automate this. ",{"data":2925,"content":2926,"nodeType":1294},{},[2927],{"data":2928,"marks":2929,"value":2930,"nodeType":1293},{},[],"A full belt and braces containment exercise would involve the following activities:",{"data":2932,"content":2933,"nodeType":1513},{},[2934,2944,2954,2964],{"data":2935,"content":2936,"nodeType":1497},{},[2937],{"data":2938,"content":2939,"nodeType":1294},{},[2940],{"data":2941,"marks":2942,"value":2943,"nodeType":1293},{},[],"Disabling/resetting the Okta account",{"data":2945,"content":2946,"nodeType":1497},{},[2947],{"data":2948,"content":2949,"nodeType":1294},{},[2950],{"data":2951,"marks":2952,"value":2953,"nodeType":1293},{},[],"Disabling/resetting every single connected application account",{"data":2955,"content":2956,"nodeType":1497},{},[2957],{"data":2958,"content":2959,"nodeType":1294},{},[2960],{"data":2961,"marks":2962,"value":2963,"nodeType":1293},{},[],"Identifying any other accounts that may share compromised SWA passwords for investigation and disabling/resetting",{"data":2965,"content":2966,"nodeType":1497},{},[2967],{"data":2968,"content":2969,"nodeType":1294},{},[2970],{"data":2971,"marks":2972,"value":2973,"nodeType":1293},{},[],"Investigating every connected application account for signs of backdooring through multiple persistence 
techniques",{"data":2975,"content":2976,"nodeType":1294},{},[2977],{"data":2978,"marks":2979,"value":2980,"nodeType":1293},{},[],"The last point on investigating potential backdoors is particularly important because of the following reasons:",{"data":2982,"content":2983,"nodeType":1513},{},[2984,3017],{"data":2985,"content":2986,"nodeType":1497},{},[2987],{"data":2988,"content":2989,"nodeType":1294},{},[2990,2994,3002,3006,3014],{"data":2991,"marks":2992,"value":2993,"nodeType":1293},{},[],"Even if every application user account is temporarily disabled while passwords are reset etc, re-enabling the account could re-activate the attacker’s access if they have made use of persistence techniques like ",{"data":2995,"content":2996,"nodeType":1339},{"uri":2653},[2997],{"data":2998,"marks":2999,"value":3001,"nodeType":1293},{},[3000],{"type":1337},"API keys",{"data":3003,"marks":3004,"value":3005,"nodeType":1293},{},[]," and ",{"data":3007,"content":3008,"nodeType":1339},{"uri":2695},[3009],{"data":3010,"marks":3011,"value":3013,"nodeType":1293},{},[3012],{"type":1337},"ghost logins",{"data":3015,"marks":3016,"value":37,"nodeType":1293},{},[],{"data":3018,"content":3019,"nodeType":1497},{},[3020],{"data":3021,"content":3022,"nodeType":1294},{},[3023,3027,3035],{"data":3024,"marks":3025,"value":3026,"nodeType":1293},{},[],"Even if all application user accounts are disabled, even permanently, techniques like ",{"data":3028,"content":3029,"nodeType":1339},{"uri":2674},[3030],{"data":3031,"marks":3032,"value":3034,"nodeType":1293},{},[3033],{"type":1337},"link sharing",{"data":3036,"marks":3037,"value":3038,"nodeType":1293},{},[]," can enable attackers to maintain access to data because link sharing decouples the access from being reliant on control of a user 
account.",{"data":3040,"content":3041,"nodeType":1358},{},[3042],{"data":3043,"marks":3044,"value":1876,"nodeType":1293},{},[],{"data":3046,"content":3047,"nodeType":1294},{},[3048],{"data":3049,"marks":3050,"value":3051,"nodeType":1293},{},[],"We’ve covered a lot of ground here, so let’s take a quick step back to understand the key points of impact:",{"data":3053,"content":3054,"nodeType":1513},{},[3055,3065,3075,3085,3095,3105],{"data":3056,"content":3057,"nodeType":1497},{},[3058],{"data":3059,"content":3060,"nodeType":1294},{},[3061],{"data":3062,"marks":3063,"value":3064,"nodeType":1293},{},[],"Attackers can extract passwords for SWA apps, even if password reveal has been disabled - to be clear, this is not a bug, it’s just a technical limitation on how this style of password manager login has to work",{"data":3066,"content":3067,"nodeType":1497},{},[3068],{"data":3069,"content":3070,"nodeType":1294},{},[3071],{"data":3072,"marks":3073,"value":3074,"nodeType":1293},{},[],"SWA passwords set by administrators should not be considered secret from the users as they can be accessed via the extension API",{"data":3076,"content":3077,"nodeType":1497},{},[3078],{"data":3079,"content":3080,"nodeType":1294},{},[3081],{"data":3082,"marks":3083,"value":3084,"nodeType":1293},{},[],"Attackers gaining temporary control of an Okta user account can establish authenticated sessions with SAML/OIDC applications. ",{"data":3086,"content":3087,"nodeType":1497},{},[3088],{"data":3089,"content":3090,"nodeType":1294},{},[3091],{"data":3092,"marks":3093,"value":3094,"nodeType":1293},{},[],"These sessions won’t automatically be revoked if the Okta user account is disabled/reset in response to compromise",{"data":3096,"content":3097,"nodeType":1497},{},[3098],{"data":3099,"content":3100,"nodeType":1294},{},[3101],{"data":3102,"marks":3103,"value":3104,"nodeType":1293},{},[],"There are multiple common attack techniques to gain persistent access to SaaS applications.  
",{"data":3106,"content":3107,"nodeType":1497},{},[3108],{"data":3109,"content":3110,"nodeType":1294},{},[3111],{"data":3112,"marks":3113,"value":3114,"nodeType":1293},{},[],"An attacker can potentially gain permanent access to many connected Okta applications even if efforts are made to reset individual application accounts",{"data":3116,"content":3117,"nodeType":1358},{},[3118],{"data":3119,"marks":3120,"value":1923,"nodeType":1293},{},[],{"data":3122,"content":3123,"nodeType":1294},{},[3124],{"data":3125,"marks":3126,"value":3127,"nodeType":1293},{},[],"While many of these attacks are not unique to Okta, it is one of the most widely used products because it supports many apps, but it supports these apps using methods that have very different risk profiles. ",{"data":3129,"content":3130,"nodeType":1294},{},[3131],{"data":3132,"marks":3133,"value":3134,"nodeType":1293},{},[],"From a security perspective (and whatever your chosen identity platform), our recommendation would be to use SAML (the strongest auth method) where possible. If that isn’t available, use OIDC. If neither is an option, use password managers (like SWA), which in practice leads to far fewer reused passwords. ",{"data":3136,"content":3137,"nodeType":1294},{},[3138],{"data":3139,"marks":3140,"value":3141,"nodeType":1293},{},[],"Unfortunately, the state of the modern cloud app landscape means that you will be paying a lot more to get many apps using federated SSO, and even then many will still not support this at any license tier, so the use of passwords is still going to be part of the solution.",{"data":3143,"content":3144,"nodeType":1294},{},[3145],{"data":3146,"marks":3147,"value":3148,"nodeType":1293},{},[],"As we have seen in this article, an attacker can use a compromised SSO session to perform a number of follow-up attacks. 
Whether using SWA or SAML/OIDC it’s possible to gain authenticated sessions on connected apps and also potentially backdoor access to them.",{"data":3150,"content":3151,"nodeType":1294},{},[3152],{"data":3153,"marks":3154,"value":3155,"nodeType":1293},{},[],"When using SWA, it’s additionally possible to extract SWA passwords even when password reveal is disabled and potentially gain access to passwords shared with other accounts. This requires additional actions as part of your breach recovery processes/play-books.",{"data":3157,"content":3158,"nodeType":1294},{},[3159],{"data":3160,"marks":3161,"value":3162,"nodeType":1293},{},[],"There are multiple log events that can be used by security teams to investigate and respond to Okta account compromises and potentially detect them too. Additionally, strong incident response procedures need to be in place for dealing with compromised Okta or any other SSO accounts that factor in the ability for an attacker to laterally move to all the connected applications. Therefore, plans need to include revoking their access to those as well and investigating them for signs of backdoor persistence techniques.","Abusing Okta's SWA authentication","We'll cover the implications of using Okta's SWA authentication method. Learn what security teams need to know in an account breach and IR scenario. 
","2023-11-30T00:00:00.000Z","okta-swa",{"items":3168},[3169,3171],{"sys":3170,"name":1311},{"id":1310},{"sys":3172,"name":1307},{"id":1306},{"items":3174},[3175],{"fullName":1960,"firstName":1961,"jobTitle":1962,"profilePicture":3176},{"url":1964},{"__typename":1315,"sys":3178,"content":3179,"title":3632,"synopsis":3633,"hashTags":118,"publishedDate":3634,"slug":3635,"tagsCollection":3636,"authorsCollection":3642},{"id":1676},{"json":3180},{"data":3181,"content":3182,"nodeType":1295},{},[3183,3202,3209,3216,3222,3238,3245,3262,3269,3276,3283,3290,3297,3304,3311,3331,3338,3345,3351,3358,3365,3372,3378,3384,3390,3397,3404,3410,3417,3424,3431,3437,3444,3451,3458,3465,3472,3478,3485,3492,3498,3505,3512,3518,3524,3531,3598,3605,3611,3618,3625],{"data":3184,"content":3185,"nodeType":1294},{},[3186,3190,3198],{"data":3187,"marks":3188,"value":3189,"nodeType":1293},{},[],"We published the ",{"data":3191,"content":3192,"nodeType":1339},{"uri":2628},[3193],{"data":3194,"marks":3195,"value":3197,"nodeType":1293},{},[3196],{"type":1337},"SaaS attack matrix",{"data":3199,"marks":3200,"value":3201,"nodeType":1293},{},[]," on GitHub, which is an open-source research project to demonstrate the multitude of attacks that are possible against SaaS-native and hybrid SaaS organizations. On release day it contained 38 different techniques. ",{"data":3203,"content":3204,"nodeType":1294},{},[3205],{"data":3206,"marks":3207,"value":3208,"nodeType":1293},{},[],"However, we know it’s not just individual attack techniques and the phases of the cyber kill chain that matter - it’s also how you chain attacks together. 
Two lower risk vulnerabilities chained together could be a critical issue.",{"data":3210,"content":3211,"nodeType":1294},{},[3212],{"data":3213,"marks":3214,"value":3215,"nodeType":1293},{},[],"In this article, we’re going to demonstrate that by combining two of our favorite new SaaS attack techniques, poisoned tenants and SAMLjacking, you can make a simple, but effective attack chain.",{"data":3217,"content":3218,"nodeType":1358},{},[3219],{"data":3220,"marks":3221,"value":1384,"nodeType":1293},{},[],{"data":3223,"content":3224,"nodeType":1294},{},[3225,3228,3235],{"data":3226,"marks":3227,"value":37,"nodeType":1293},{},[],{"data":3229,"content":3230,"nodeType":1339},{"uri":1393},[3231],{"data":3232,"marks":3233,"value":1398,"nodeType":1293},{},[3234],{"type":1337},{"data":3236,"marks":3237,"value":1402,"nodeType":1293},{},[],{"data":3239,"content":3240,"nodeType":1358},{},[3241],{"data":3242,"marks":3243,"value":3244,"nodeType":1293},{},[],"What the hell is SAMLjacking?",{"data":3246,"content":3247,"nodeType":1294},{},[3248,3251,3258],{"data":3249,"marks":3250,"value":37,"nodeType":1293},{},[],{"data":3252,"content":3253,"nodeType":1339},{"uri":1367},[3254],{"data":3255,"marks":3256,"value":1373,"nodeType":1293},{},[3257],{"type":1337},{"data":3259,"marks":3260,"value":3261,"nodeType":1293},{},[]," is where an attacker makes use of SAML SSO configuration settings for a SaaS tenant they control in order to redirect users to a malicious link of their choosing during the authentication process. 
This can be highly effective for phishing as the original URL will be a legitimate SaaS URL and users are expecting to provide credentials.",{"data":3263,"content":3264,"nodeType":1358},{},[3265],{"data":3266,"marks":3267,"value":3268,"nodeType":1293},{},[],"What’s the benefit of combining them?",{"data":3270,"content":3271,"nodeType":1294},{},[3272],{"data":3273,"marks":3274,"value":3275,"nodeType":1293},{},[],"A poisoned tenant on its own could be an epic supply chain attack if you get really lucky. Imagine discovering an organization was wanting to migrate to Slack and then catching some key teams with a Slack poisoned tenant and gradually getting the whole organization migrated over. You’d have a goldmine of information as an administrator of the platform.",{"data":3277,"content":3278,"nodeType":1294},{},[3279],{"data":3280,"marks":3281,"value":3282,"nodeType":1293},{},[],"However, it might be hard to trick a whole organization into using an attacker controlled slack instance without anyone realizing, but it could be a lot easier to successfully invite e.g. a marketing team into using/adopting a new marketing app that helps them do SEO. This might be easier to perform, but it doesn't really give the attacker valuable data in the poisoned tenant of the marketing app, so it seems a bit pointless.",{"data":3284,"content":3285,"nodeType":1294},{},[3286],{"data":3287,"marks":3288,"value":3289,"nodeType":1293},{},[],"On the other hand, what about SAMLjacking? It’s a great technique on its own, but you still need to get users to login to the app. Sure, you’ll be sending them a legitimate SaaS URL with a valid TLS certificate etc and so it’s going to pass the sniff test for many people and also bypass email security appliances and similar security tools. However, you’re still effectively phishing them for credentials, the one thing we train users to be most suspicious about, so there is still a possibility they will spot the attack. 
",{"data":3291,"content":3292,"nodeType":1294},{},[3293],{"data":3294,"marks":3295,"value":3296,"nodeType":1293},{},[],"But what if you could combine these techniques so that a poisoned tenant didn’t need to be a big, juicy target to be useful and a SAMLjacking attack didn’t even necessarily require phishing someone directly? What if the attack could be successful just from a target accessing their own bookmarks or open tabs for an app they already use?",{"data":3298,"content":3299,"nodeType":1294},{},[3300],{"data":3301,"marks":3302,"value":3303,"nodeType":1293},{},[],"In a combination scenario, a user doesn't need to be phished for SAMLjacking. One day they go back to their tab and it's logged out and they get SAMLjacked while logging back in. They don't have to click a link in an email. That’s what we are talking about here, so let’s consider an example of this making use of the SaaS-based wiki, Nuclino.",{"data":3305,"content":3306,"nodeType":1358},{},[3307],{"data":3308,"marks":3309,"value":3310,"nodeType":1293},{},[],"An example attack - Nuclino",{"data":3312,"content":3313,"nodeType":1294},{},[3314,3318,3327],{"data":3315,"marks":3316,"value":3317,"nodeType":1293},{},[],"Before moving on, I’d just like to point out that this isn’t a vulnerability with ",{"data":3319,"content":3321,"nodeType":1339},{"uri":3320},"https://www.nuclino.com/",[3322],{"data":3323,"marks":3324,"value":3326,"nodeType":1293},{},[3325],{"type":1337},"Nuclino",{"data":3328,"marks":3329,"value":3330,"nodeType":1293},{},[]," per se and it won’t be limited to Nuclino either. I’ve used Nuclino as an example because it’s a great wiki platform we use at Push Security, so I’m familiar with it. ",{"data":3332,"content":3333,"nodeType":1294},{},[3334],{"data":3335,"marks":3336,"value":3337,"nodeType":1293},{},[],"It also allows custom SAML authentication, both as part of its free trial and as part of its lowest tier paid plan. 
This should be commended as many SaaS apps don’t support SAML or other forms of SSO, and many of those that do charge a huge premium via enterprise plans to gain access to it. We love you Nuclino, sorry!",{"data":3339,"content":3340,"nodeType":1294},{},[3341],{"data":3342,"marks":3343,"value":3344,"nodeType":1293},{},[],"We'll take a walkthrough of how the attack chain works now. However, if you'd like to jump straight to a demo of the attack then check out the video here:",{"data":3346,"content":3350,"nodeType":1522},{"target":3347},{"sys":3348},{"id":3349,"type":1519,"linkType":1520},"3y6ZMPPsbh6PYlQ7IOxOzS",[],{"data":3352,"content":3353,"nodeType":1294},{},[3354],{"data":3355,"marks":3356,"value":3357,"nodeType":1293},{},[],"Next, we'll do a full walkthrough of the attack.",{"data":3359,"content":3360,"nodeType":2312},{},[3361],{"data":3362,"marks":3363,"value":3364,"nodeType":1293},{},[],"Step 1 - Set up a poisoned tenant and invite target users",{"data":3366,"content":3367,"nodeType":1294},{},[3368],{"data":3369,"marks":3370,"value":3371,"nodeType":1293},{},[],"The first step for an adversary is to set up their poisoned tenant and then make use of the invite functionality to target some employees of the target organization. 
With Nuclino, you can either do this by sending sharing links directly to the target or invite them through the Nuclino app, and it will send out legit email invitations on your behalf.",{"data":3373,"content":3377,"nodeType":1522},{"target":3374},{"sys":3375},{"id":3376,"type":1519,"linkType":1520},"740nQhGSFp2nFU1b4DP7Mp",[],{"data":3379,"content":3383,"nodeType":1522},{"target":3380},{"sys":3381},{"id":3382,"type":1519,"linkType":1520},"4GFL1L7Mmp3nnBODwC9SbH",[],{"data":3385,"content":3389,"nodeType":1522},{"target":3386},{"sys":3387},{"id":3388,"type":1519,"linkType":1520},"7KUWKFFlDyvBVoM3MEhPwR",[],{"data":3391,"content":3392,"nodeType":2312},{},[3393],{"data":3394,"marks":3395,"value":3396,"nodeType":1293},{},[],"Step 2 - Target responds to the invitation or later signs up for Nuclino",{"data":3398,"content":3399,"nodeType":1294},{},[3400],{"data":3401,"marks":3402,"value":3403,"nodeType":1293},{},[],"The interesting thing here is that whether the target signs up for Nuclino directly from the joining link or they sign up for an account separately in future, they get mapped to the workspace they have been invited to by default.",{"data":3405,"content":3409,"nodeType":1522},{"target":3406},{"sys":3407},{"id":3408,"type":1519,"linkType":1520},"2GlTHcT1cpQ44jb5lN9dr4",[],{"data":3411,"content":3412,"nodeType":2312},{},[3413],{"data":3414,"marks":3415,"value":3416,"nodeType":1293},{},[],"Step 3 - Configure a malicious SAML server",{"data":3418,"content":3419,"nodeType":1294},{},[3420],{"data":3421,"marks":3422,"value":3423,"nodeType":1293},{},[],"Once the adversary has a critical mass of users on their poisoned tenant, they can later engage the SAMLjacking attack. ",{"data":3425,"content":3426,"nodeType":1294},{},[3427],{"data":3428,"marks":3429,"value":3430,"nodeType":1293},{},[],"To do this, they need to configure a custom SAML server. 
They can point this at a fake authentication provider they control that mirrors the appearance of the SSO provider the target users are accustomed to using, in order to capture credentials.
",{"data":3466,"content":3467,"nodeType":1294},{},[3468],{"data":3469,"marks":3470,"value":3471,"nodeType":1293},{},[],"Even though the email is an official email from Nuclino and the link contained is an official Nuclino URL, it will immediately redirect to the malicious SAML server that has been configured, where credentials can then be captured.",{"data":3473,"content":3477,"nodeType":1522},{"target":3474},{"sys":3475},{"id":3476,"type":1519,"linkType":1520},"6zWiAfBx7aaUeo6t04AtUl",[],{"data":3479,"content":3480,"nodeType":2312},{},[3481],{"data":3482,"marks":3483,"value":3484,"nodeType":1293},{},[],"Second compromise possibility",{"data":3486,"content":3487,"nodeType":1294},{},[3488],{"data":3489,"marks":3490,"value":3491,"nodeType":1293},{},[],"If the user ignores the email, the other potential outcome occurs when their session expires and they need to login again to regain access. This is similar to a watering hole attack. When their session expires, the target’s open tabs or bookmarks will redirect back to the workspace specific login page, which will now look like this:",{"data":3493,"content":3497,"nodeType":1522},{"target":3494},{"sys":3495},{"id":3496,"type":1519,"linkType":1520},"580CvVtdyEpqdiK8T1lSfQ",[],{"data":3499,"content":3500,"nodeType":1294},{},[3501],{"data":3502,"marks":3503,"value":3504,"nodeType":1293},{},[],"Clicking the button to login with SSO will immediately redirect to the malicious SAML server and launch the attack. Alternatively, if the target attempts to login without SSO, the login will fail with an error message telling them to login with SSO.",{"data":3506,"content":3507,"nodeType":1294},{},[3508],{"data":3509,"marks":3510,"value":3511,"nodeType":1293},{},[],"Either way, once the SAMLjacking has taken effect, they’ll be faced with a familiar-looking SSO login page from a trusted source at a point they are expecting to enter their credentials - something even the most paranoid of users could easily fall for unknowingly. 
",{"data":3513,"content":3517,"nodeType":1522},{"target":3514},{"sys":3515},{"id":3516,"type":1519,"linkType":1520},"5eFctGgFywtmhhjaXVraqN",[],{"data":3519,"content":3520,"nodeType":1358},{},[3521],{"data":3522,"marks":3523,"value":1876,"nodeType":1293},{},[],{"data":3525,"content":3526,"nodeType":1294},{},[3527],{"data":3528,"marks":3529,"value":3530,"nodeType":1293},{},[],"At this point, having compromised multiple user’s Google credentials, an adversary has a lot of options available:",{"data":3532,"content":3533,"nodeType":1513},{},[3534,3544,3554,3576],{"data":3535,"content":3536,"nodeType":1497},{},[3537],{"data":3538,"content":3539,"nodeType":1294},{},[3540],{"data":3541,"marks":3542,"value":3543,"nodeType":1293},{},[],"Access all data in Google apps like GMail, Google Drive etc",{"data":3545,"content":3546,"nodeType":1497},{},[3547],{"data":3548,"content":3549,"nodeType":1294},{},[3550],{"data":3551,"marks":3552,"value":3553,"nodeType":1293},{},[],"Access other SaaS apps that use SSO with the same Google account",{"data":3555,"content":3556,"nodeType":1497},{},[3557],{"data":3558,"content":3559,"nodeType":1294},{},[3560,3564,3573],{"data":3561,"marks":3562,"value":3563,"nodeType":1293},{},[],"Access other SaaS apps that use ",{"data":3565,"content":3567,"nodeType":1339},{"uri":3566},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/passwordless_logins/description.md",[3568],{"data":3569,"marks":3570,"value":3572,"nodeType":1293},{},[3571],{"type":1337},"passwordless logins",{"data":3574,"marks":3575,"value":37,"nodeType":1293},{},[],{"data":3577,"content":3578,"nodeType":1497},{},[3579],{"data":3580,"content":3581,"nodeType":1294},{},[3582,3586,3595],{"data":3583,"marks":3584,"value":3585,"nodeType":1293},{},[],"Access other SaaS apps via email 
",{"data":3587,"content":3589,"nodeType":1339},{"uri":3588},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/account_recovery/description.md",[3590],{"data":3591,"marks":3592,"value":3594,"nodeType":1293},{},[3593],{"type":1337},"account recovery",{"data":3596,"marks":3597,"value":37,"nodeType":1293},{},[],{"data":3599,"content":3600,"nodeType":1294},{},[3601],{"data":3602,"marks":3603,"value":3604,"nodeType":1293},{},[],"Essentially, this can potentially lead to a compromise of every SaaS application accessible by the compromised user - all from the use of a poisoned tenant for an app with no particularly sensitive data or permissions.",{"data":3606,"content":3607,"nodeType":2312},{},[3608],{"data":3609,"marks":3610,"value":1923,"nodeType":1293},{},[],{"data":3612,"content":3613,"nodeType":1294},{},[3614],{"data":3615,"marks":3616,"value":3617,"nodeType":1293},{},[],"We have seen how two new SaaS-focused attack techniques can be combined into one more effective attack chain. This shows how a successful poisoned tenant attack for even a low risk app can still be a significant threat when combined with a SAMLjacking attack. ",{"data":3619,"content":3620,"nodeType":1294},{},[3621],{"data":3622,"marks":3623,"value":3624,"nodeType":1293},{},[],"This demonstrates even the least sensitive edge cases of SaaS sprawl can represent a vector to laterally move to compromise much more valuable assets. History taught us that protecting core production assets was not enough. Adversaries often achieved compromises via test systems and unsecured development resources. What we are seeing now is that this parallel exists in the SaaS-native world too. Therefore, we need to be protecting all SaaS resources with greater vigilance than their standalone sensitivity would indicate.",{"data":3626,"content":3627,"nodeType":1294},{},[3628],{"data":3629,"marks":3630,"value":3631,"nodeType":1293},{},[],"So what can be done about it? 
Well, like much in security, there is no silver bullet solution to this issue. SaaS apps are here to stay and are designed to be flexible, easy to sign up for and use. The key first step is always to get good visibility into the SaaS sprawl across your organization. If certain employees or teams start making use of a new SaaS app (or a new tenant for an existing one), that’s probably something your security team should be aware of so they can make sure it’s legitimate and being used as securely as possible. ","SAMLjacking a poisoned tenant","In this article, we’re going to demo combining two of our favorite new SaaS attack techniques to make a simple, but effective attack chain.\n","2023-08-17T00:00:00.000Z","samljacking-a-poisoned-tenant",{"items":3637},[3638,3640],{"sys":3639,"name":1954},{"id":1953},{"sys":3641,"name":1307},{"id":1306},{"items":3643},[3644],{"fullName":1960,"firstName":1961,"jobTitle":1962,"profilePicture":3645},{"url":1964},{"items":3647},[3648],{"fullName":1960,"firstName":1961,"jobTitle":1962,"profilePicture":3649},{"url":1964},{"json":3651,"links":4153},{"nodeType":1295,"data":3652,"content":3653},{},[3654,3661,3668,3675,3682,3689,3696,3703,3710,3717,3724,3740,3747,3754,3770,3777,3784,3791,3807,3814,3820,3827,3834,3840,3847,3854,3861,3868,3875,3882,3889,3896,3902,3909,3916,3922,3928,3934,3941,3948,3967,3974,3981,3988,4019,4026,4032,4039,4046,4053,4060,4067,4072,4079,4086,4119,4125,4132,4139,4146],{"nodeType":1358,"data":3655,"content":3656},{},[3657],{"nodeType":1293,"value":3658,"marks":3659,"data":3660},"Admin accounts - the keys to the kingdom?",[],{},{"nodeType":1294,"data":3662,"content":3663},{},[3664],{"nodeType":1293,"value":3665,"marks":3666,"data":3667},"Traditionally, admin accounts have tended to be pretty all-powerful in terms of the infrastructure they control access to, a kind of master key. An admin of a file server? Can see any files on that server they like. A windows domain admin? 
Can access any system connected to that domain, access password equivalents for every domain account, and even deploy code remotely to all connected systems. Necessary and practical for admins, but a nightmare for blue teamers.",[],{},{"nodeType":1294,"data":3669,"content":3670},{},[3671],{"nodeType":1293,"value":3672,"marks":3673,"data":3674},"In the realm of cloud identities and SaaS apps, the situation has changed a bit. An account with administrative access for a given SaaS app is limited by what that particular app does and what administrative features it offers. This means the traditional “all-powerful” admin account isn’t always really all-powerful in practice. ",[],{},{"nodeType":1294,"data":3676,"content":3677},{},[3678],{"nodeType":1293,"value":3679,"marks":3680,"data":3681},"For example, an administrator of a file storage SaaS app may not automatically have rights to view all personally stored files for an individual user. Similarly, an administrator of a corporate password manager app does not automatically have the ability to view the secrets their users are storing in the application. This is desirable as passwords, and thus password managers, are a key part of identity infrastructure - even admins shouldn’t be able to easily access passwords and secrets stored within. ",[],{},{"nodeType":1294,"data":3683,"content":3684},{},[3685],{"nodeType":1293,"value":3686,"marks":3687,"data":3688},"This is a good thing as it limits the reach of a compromised account and creates additional steps for a user with malicious intent. But like anything password managers can be targeted, bypassed, and misused, particularly in the context of Cloud identities and SaaS.",[],{},{"nodeType":1358,"data":3690,"content":3691},{},[3692],{"nodeType":1293,"value":3693,"marks":3694,"data":3695},"How do password managers work?",[],{},{"nodeType":1294,"data":3697,"content":3698},{},[3699],{"nodeType":1293,"value":3700,"marks":3701,"data":3702},"Well, it depends! 
",[],{},{"nodeType":1294,"data":3704,"content":3705},{},[3706],{"nodeType":1293,"value":3707,"marks":3708,"data":3709},"Typical password manager functionality involves a “password vault” being encrypted with a password/secret that only the user knows - commonly known as a “master password”. This vault might just be a file that can be stored anywhere, such as locally on a user’s laptop or remotely on a managed file server.  ",[],{},{"nodeType":1294,"data":3711,"content":3712},{},[3713],{"nodeType":1293,"value":3714,"marks":3715,"data":3716},"Therefore, an admin of a file server might be able to see the password vaults, but won’t be able to recover the passwords inside without knowing the correct master password to decrypt them. However, a domain or desktop admin might be able to deploy malicious code to a user’s endpoint to keylog, or otherwise steal, their master password. This is more difficult than merely accessing an encrypted vault but is a viable attack technique.",[],{},{"nodeType":1294,"data":3718,"content":3719},{},[3720],{"nodeType":1293,"value":3721,"marks":3722,"data":3723},"For cloud-based password managers this concept is simply ported to the world of SaaS. Here, the vault is stored securely on the vendor’s servers and access is via a web app or browser extension, rather than a desktop application opening a stored file. Often the password a user uses to login to the app doubles up as their master password, but in other solutions they might be two separate concepts. ",[],{},{"nodeType":1294,"data":3725,"content":3726},{},[3727,3731,3736],{"nodeType":1293,"value":3728,"marks":3729,"data":3730},"So how does this change the threat? Well, it’s possible that domain/desktop admins might still be able to go the malicious code deployment route to steal master passwords. 
However, admins of the password manager app (or any app) should not ",[],{},{"nodeType":1293,"value":3732,"marks":3733,"data":3735},"typically",[3734],{"type":312},{},{"nodeType":1293,"value":3737,"marks":3738,"data":3739}," be able to just access any passwords they like.",[],{},{"nodeType":1358,"data":3741,"content":3742},{},[3743],{"nodeType":1293,"value":3744,"marks":3745,"data":3746},"Why even use password managers when you could use SSO?",[],{},{"nodeType":1294,"data":3748,"content":3749},{},[3750],{"nodeType":1293,"value":3751,"marks":3752,"data":3753},"Strong SSO mechanisms such as SAML are good security controls and should be encouraged. But there are many reasons why they can’t always be used. Not all apps support them, some apps require much more expensive license tiers in order to enable SSO support, many apps will be self-acquired by users rather than centralized IT, some secrets are recovery codes that need to be stored somewhere… the list goes on!",[],{},{"nodeType":1294,"data":3755,"content":3756},{},[3757,3761,3766],{"nodeType":1293,"value":3758,"marks":3759,"data":3760},"Put simply, ",[],{},{"nodeType":1293,"value":3762,"marks":3763,"data":3765},"you will never have all your apps on SSO",[3764],{"type":1491},{},{"nodeType":1293,"value":3767,"marks":3768,"data":3769}," and there are many other use cases for secure storage of secrets, so it’s best to provide a secure password management solution to your users rather than having them use shared passwords everywhere, use easily guessed passwords, or generally record them in less secure ways. ",[],{},{"nodeType":1294,"data":3771,"content":3772},{},[3773],{"nodeType":1293,"value":3774,"marks":3775,"data":3776},"But what happens when a large organization adopts a SaaS-based password manager solution? As a key app, it definitely needs the highest levels of security protection, right? So the password manager itself should definitely be on SSO with a robust form of MFA applied. 
Users shouldn't be able to use any old single-factor password to access a store for important secrets that are tied to so many other sensitive corporate assets.",[],{},{"nodeType":1294,"data":3778,"content":3779},{},[3780],{"nodeType":1293,"value":3781,"marks":3782,"data":3783},"This leads us on to our next question - how does SSO impact the relationship between accessibility of stored secrets and the use of decryption keys only known to the users?",[],{},{"nodeType":1358,"data":3785,"content":3786},{},[3787],{"nodeType":1293,"value":3788,"marks":3789,"data":3790},"Controlling password manager access via SSO",[],{},{"nodeType":1294,"data":3792,"content":3793},{},[3794,3798,3803],{"nodeType":1293,"value":3795,"marks":3796,"data":3797},"Many solutions will allow administrators to control login to accounts via an SSO mechanism instead of the vendor’s own authentication mechanism. In this case, we’ll be using Dashlane as an example. This is not a specific vulnerability in Dashlane, we’re just ",[],{},{"nodeType":1293,"value":3799,"marks":3800,"data":3802},"creatively",[3801],{"type":312},{},{"nodeType":1293,"value":3804,"marks":3805,"data":3806}," (ab-)using a legitimate feature. We haven’t picked on Dashlane for any particular reason and there are many more examples of this.",[],{},{"nodeType":1294,"data":3808,"content":3809},{},[3810],{"nodeType":1293,"value":3811,"marks":3812,"data":3813},"In this case, we’ve configured Dashlane SSO to use their confidential SSO mechanism that applies SAML as the SSO mechanism. We've then configured the supplied SAML details as an app in Okta and saved the resulting IdP metadata link in Dashlane. 
This allows Okta to now act as an identity provider for Dashlane.",[],{},{"nodeType":1522,"data":3815,"content":3819},{"target":3816},{"sys":3817},{"id":3818,"type":1519,"linkType":1520},"19DCAdVfW2MwRQXfeVEIiR",[],{"nodeType":1294,"data":3821,"content":3822},{},[3823],{"nodeType":1293,"value":3824,"marks":3825,"data":3826},"This means that for verified domains that have been configured to use SSO in Dashlane, the Dashlane login process will now automatically relay to the given Okta tenant to handle authentication via SAML.",[],{},{"nodeType":1294,"data":3828,"content":3829},{},[3830],{"nodeType":1293,"value":3831,"marks":3832,"data":3833},"It’s worth noting that Dashlane only allows this for verified domains. An administrator setting this up the first time or later changing the SSO settings will need control of the DNS domain(s) their users use, or at least have the ability to request other DNS admins verify the domain on their behalf.",[],{},{"nodeType":1522,"data":3835,"content":3839},{"target":3836},{"sys":3837},{"id":3838,"type":1519,"linkType":1520},"3kZknbwaOVWMTPdaEECyER",[],{"nodeType":1294,"data":3841,"content":3842},{},[3843],{"nodeType":1293,"value":3844,"marks":3845,"data":3846},"That’s it - it’s really that simple. Now your Dashlane instance benefits from whatever strong authentication policies you have in place on your centralized IdP, in this case Okta. That may include strong password policies, multi-factor authentication, auditing of all logon events for your account, etc. 
What could be bad about that?",[],{},{"nodeType":1358,"data":3848,"content":3849},{},[3850],{"nodeType":1293,"value":3851,"marks":3852,"data":3853},"Password stealing and lateral movement",[],{},{"nodeType":1294,"data":3855,"content":3856},{},[3857],{"nodeType":1293,"value":3858,"marks":3859,"data":3860},"As we covered earlier, the original security contract of traditional password managers was that only the creating user should have access via a master password - admin accounts should have no access beyond seeing the encrypted vault files. ",[],{},{"nodeType":1294,"data":3862,"content":3863},{},[3864],{"nodeType":1293,"value":3865,"marks":3866,"data":3867},"However, the SaaS-ification of password managers over time and integration with other parts of the identity management stack means that they are prone to the same weaknesses as many other apps - only in this case the prize is the secrets and passwords used to gain access to a huge number of other systems that those admins wouldn’t otherwise have direct access to. For an attacker looking to move laterally, this is a goldmine! ",[],{},{"nodeType":1294,"data":3869,"content":3870},{},[3871],{"nodeType":1293,"value":3872,"marks":3873,"data":3874},"We’ll now consider how two different types of admin accounts can use this functionality to gain access to password secrets for lateral movement elsewhere, in the event of a compromised admin account or insider threat.",[],{},{"nodeType":2312,"data":3876,"content":3877},{},[3878],{"nodeType":1293,"value":3879,"marks":3880,"data":3881},"SaaS admin - modifying SSO settings",[],{},{"nodeType":1294,"data":3883,"content":3884},{},[3885],{"nodeType":1293,"value":3886,"marks":3887,"data":3888},"Continuing the Dashlane scenario, an administrator of the app can simply modify the SSO settings in order to point to a different IdP that they control. This could be a different Okta tenant they have set up themselves, or it could be an entirely different IdP. 
",[],{},{"nodeType":1294,"data":3890,"content":3891},{},[3892],{"nodeType":1293,"value":3893,"marks":3894,"data":3895},"In this case, we can simply change the IdP metadata to point to a different SAML endpoint. Pointing to a different Okta tenant means we can now login to Dashlane using a different identity provider as before. ",[],{},{"nodeType":1522,"data":3897,"content":3901},{"target":3898},{"sys":3899},{"id":3900,"type":1519,"linkType":1520},"5hXZ4NogWGdCj18LalxVQl",[],{"nodeType":1294,"data":3903,"content":3904},{},[3905],{"nodeType":1293,"value":3906,"marks":3907,"data":3908},"The implication here is that the malicious/compromised admin account can simply configure their own malicious IdP in a way that they can authenticate with any account. They can then use this to login to Dashlane as any user they like. The only caveat in the case of Dashlane is that Dashlane admin accounts cannot use SSO and so the malicious admin cannot access other admin accounts' secrets so easily. ",[],{},{"nodeType":1294,"data":3910,"content":3911},{},[3912],{"nodeType":1293,"value":3913,"marks":3914,"data":3915},"Our malicious admin can then simply login to access their account of choice and view the secrets as they please. They can do this manually, or they can even use the export functionality to export the entire password vault into a CSV file. The latter is disabled by default in Dashlane, but we’re an admin, right? 
So we can just enable the security policy to allow it!",[],{},{"nodeType":1522,"data":3917,"content":3921},{"target":3918},{"sys":3919},{"id":3920,"type":1519,"linkType":1520},"64ttjHyIDYKJ7gXAugT84f",[],{"nodeType":1522,"data":3923,"content":3927},{"target":3924},{"sys":3925},{"id":3926,"type":1519,"linkType":1520},"2tm9koiqywJtrEOuRbazFd",[],{"nodeType":1522,"data":3929,"content":3933},{"target":3930},{"sys":3931},{"id":3932,"type":1519,"linkType":1520},"3gAbFuYpJxbYhmeaph9e7e",[],{"nodeType":1294,"data":3935,"content":3936},{},[3937],{"nodeType":1293,"value":3938,"marks":3939,"data":3940},"Fortunately, a simple implementation of this attack will break logins by other users, as all users will be directed to the new malicious IdP. This means the attack is more likely to be quickly detected once users begin questioning why they cannot login to their Dashlane account. ",[],{},{"nodeType":1294,"data":3942,"content":3943},{},[3944],{"nodeType":1293,"value":3945,"marks":3946,"data":3947},"Unfortunately, attackers can take steps to avoid this by building a more sophisticated malicious IdP that accepts any password or performs some other clever redirect. This means that legitimate users can still successfully access their Dashlane accounts while the admin simultaneously hijacks their target accounts. ",[],{},{"nodeType":1294,"data":3949,"content":3950},{},[3951,3955,3963],{"nodeType":1293,"value":3952,"marks":3953,"data":3954},"One method is to use the Oktajacking technique discussed ",[],{},{"nodeType":1339,"data":3956,"content":3958},{"uri":3957},"https://pushsecurity.com/blog/oktajacking/",[3959],{"nodeType":1293,"value":3960,"marks":3961,"data":3962},"in this article",[],{},{"nodeType":1293,"value":3964,"marks":3965,"data":3966}," to accept any credentials the user enters, while also keylogging them for further use. This enables the attacker to login as any user they like while also ensuring the real user can still login, whatever credentials they enter. 
This would allow the attack to go unnoticed for longer, giving the attacker the time and space to achieve their objectives without being hounded by incident responders (and in some cases persisting indefinitely).",[],{},{"nodeType":2312,"data":3968,"content":3969},{},[3970],{"nodeType":1293,"value":3971,"marks":3972,"data":3973},"Okta admin - external IdPs and routing rules",[],{},{"nodeType":1294,"data":3975,"content":3976},{},[3977],{"nodeType":1293,"value":3978,"marks":3979,"data":3980},"OK, obviously an admin account for Okta (or any type of IdP) is a very powerful tool for an attacker and there are plenty of malicious actions they could take. In this case we’ll consider how they could use it to gain access to Dashlane as any user, assuming Okta was being used as a SAML IdP as in the example above.",[],{},{"nodeType":1294,"data":3982,"content":3983},{},[3984],{"nodeType":1293,"value":3985,"marks":3986,"data":3987},"The simplest path here would be to use an external IdP, along with a routing rule, to allow the admin to login to Okta using a separate IdP they control, whilst continuing to allow the user to authenticate. 
This way, the user themselves would have no idea anything else had changed, but the attacker could easily impersonate any user they choose.",[],{},{"nodeType":1294,"data":3989,"content":3990},{},[3991,3995,4003,4007,4015],{"nodeType":1293,"value":3992,"marks":3993,"data":3994},"Adam Chester’s iconic post on ",[],{},{"nodeType":1339,"data":3996,"content":3998},{"uri":3997},"https://trustedsec.com/blog/okta-for-red-teamers",[3999],{"nodeType":1293,"value":4000,"marks":4001,"data":4002},"Okta for red teamers ",[],{},{"nodeType":1293,"value":4004,"marks":4005,"data":4006},"covers the user of a malicious SAML provider for authenticating as any user and he even includes a ",[],{},{"nodeType":1339,"data":4008,"content":4010},{"uri":4009},"https://github.com/xpn/OktaPostExToolkit",[4011],{"nodeType":1293,"value":4012,"marks":4013,"data":4014},"simple python based SAML IdP",[],{},{"nodeType":1293,"value":4016,"marks":4017,"data":4018}," that allows for this.",[],{},{"nodeType":1294,"data":4020,"content":4021},{},[4022],{"nodeType":1293,"value":4023,"marks":4024,"data":4025},"If we combine this with Okta routing rules, then we can create a targeted backdoor that allows the attacker to utilize their Okta admin account to login as any user they like in order to access their Dashlane password vault, while being completely transparent to the real users. We can do this by ensuring the external identity provider is only used when logins are performed from the admin’s IP address and/or specific devices.",[],{},{"nodeType":1522,"data":4027,"content":4031},{"target":4028},{"sys":4029},{"id":4030,"type":1519,"linkType":1520},"4vmkiiONUur1cxGWhvTNoY",[],{"nodeType":1358,"data":4033,"content":4034},{},[4035],{"nodeType":1293,"value":4036,"marks":4037,"data":4038},"So what?",[],{},{"nodeType":1294,"data":4040,"content":4041},{},[4042],{"nodeType":1293,"value":4043,"marks":4044,"data":4045},"Shock, horror, admin accounts can be used to do bad things! 
Of course that’s the case, but it is important that as security practitioners we fully understand the implications of security decisions we make and have plans in place for if/when incidents arise.",[],{},{"nodeType":1294,"data":4047,"content":4048},{},[4049],{"nodeType":1293,"value":4050,"marks":4051,"data":4052},"We’ve known for many years that an attacker compromising a Windows desktop or Linux server can potentially steal passwords and other secrets from that system. We’ve also known that if an attacker compromises an entire Windows domain, then we should consider every single user’s password compromised. ",[],{},{"nodeType":1294,"data":4054,"content":4055},{},[4056],{"nodeType":1293,"value":4057,"marks":4058,"data":4059},"While incident responders would much prefer to contain an incident before a complete domain compromise is achieved, we at least know we have to have a plan in place for how to deal with all domain passwords having been compromised, plus golden tickets, silver tickets and all other manner of backdoors.  ",[],{},{"nodeType":1294,"data":4061,"content":4062},{},[4063],{"nodeType":1293,"value":4064,"marks":4065,"data":4066},"Of course, password managers are important to protect generally, but are we considering the true consequences and impact of either a malicious admin or a compromised admin account potentially allowing all password secrets to be stolen? Do we have a plan in place for how to recover from that like we would in the event of a windows domain compromise? 
These are the questions we need to be asking ourselves.",[],{},{"nodeType":1522,"data":4068,"content":4071},{"target":4069},{"sys":4070},{"id":1518,"type":1519,"linkType":1520},[],{"nodeType":1358,"data":4073,"content":4074},{},[4075],{"nodeType":1293,"value":4076,"marks":4077,"data":4078},"Impact summary",[],{},{"nodeType":1294,"data":4080,"content":4081},{},[4082],{"nodeType":1293,"value":4083,"marks":4084,"data":4085},"We’ve covered a lot of ground so let’s quickly take a step back and consider the key points of impact here:",[],{},{"nodeType":1513,"data":4087,"content":4088},{},[4089,4099,4109],{"nodeType":1497,"data":4090,"content":4091},{},[4092],{"nodeType":1294,"data":4093,"content":4094},{},[4095],{"nodeType":1293,"value":4096,"marks":4097,"data":4098},"SaaS-based password managers often allow SSO mechanisms with MFA which can provide stronger authentication, instead of the passwords being stored in a file encrypted with a single factor master password, which changes the risk profile",[],{},{"nodeType":1497,"data":4100,"content":4101},{},[4102],{"nodeType":1294,"data":4103,"content":4104},{},[4105],{"nodeType":1293,"value":4106,"marks":4107,"data":4108},"That said, compromised admin accounts for either password manager apps, or their SSO IdPs, can be abused by attackers to steal passwords at scale by hijacking the SSO process",[],{},{"nodeType":1497,"data":4110,"content":4111},{},[4112],{"nodeType":1294,"data":4113,"content":4114},{},[4115],{"nodeType":1293,"value":4116,"marks":4117,"data":4118},"This technique could become the windows domain hash dumping equivalent in the new cloud identity and SaaS-based world",[],{},{"nodeType":1358,"data":4120,"content":4121},{},[4122],{"nodeType":1293,"value":1923,"marks":4123,"data":4124},[],{},{"nodeType":1294,"data":4126,"content":4127},{},[4128],{"nodeType":1293,"value":4129,"marks":4130,"data":4131},"Password managers have quickly become an increasingly important part of identity security infrastructure. 
Passwords, and more generally secrets, are not going anywhere. So it makes sense for security-conscious organizations to provide their employees with a good password management solution.",[],{},{"nodeType":1294,"data":4133,"content":4134},{},[4135],{"nodeType":1293,"value":4136,"marks":4137,"data":4138},"Consequently, this means they will increasingly become a crown jewels target within modern cloud and SaaS-based organizations going forwards, much like windows domain controllers have often been the crown jewels in the past.",[],{},{"nodeType":1294,"data":4140,"content":4141},{},[4142],{"nodeType":1293,"value":4143,"marks":4144,"data":4145},"There are many methods by which different types of compromised admin accounts can be used to gain access to password manager secrets at scale by abusing SSO mechanisms and so security practitioners need to be aware of these attacks and plan for recovery actions in the event of a major incident. ",[],{},{"nodeType":1294,"data":4147,"content":4148},{},[4149],{"nodeType":1293,"value":4150,"marks":4151,"data":4152},"The defensive plans we’ve historically relied upon weren't designed for these new attacker methods, which effectively creates a blind spot. The attacker's goal hasn’t changed, but the environment (and how it can be targeted) has evolved - which means defenders need to adapt. 
",[],{},{"entries":4154},{"hyperlink":4155,"inline":4156,"block":4157},[],[],[4158,4167,4175,4183,4191,4199,4207,4215],{"sys":4159,"__typename":4160,"title":4161,"caption":4162,"layoutMode":118,"file":4163},{"id":3818},"Image","Dashlane SSO","Configuring SSO authentication in Dashlane by using SAML to allow Okta to act as an IdP",{"url":4164,"width":4165,"height":4166},"https://images.ctfassets.net/y1cdw1ablpvd/3AdVyWovacNCkP23xyACB3/b7a6064aebac0ca251b276626748bef7/image1.png",1094,911,{"sys":4168,"__typename":4160,"title":4169,"caption":4170,"layoutMode":118,"file":4171},{"id":3838},"Dashlane SSO Popup","Login prompt for Dashlane when using SSO authentication",{"url":4172,"width":4173,"height":4174},"https://images.ctfassets.net/y1cdw1ablpvd/7KpuYaCuKdWfpkrHc1gdQG/65507c178bcef3217aad455547f1d83c/image6.png",688,1176,{"sys":4176,"__typename":4160,"title":4177,"caption":4178,"layoutMode":118,"file":4179},{"id":3900},"IdP metadata","Modifying Dashlane SSO IdP metadata settings to hijack the SSO process by pointing to a different Okta tenant that the attacker controls",{"url":4180,"width":4181,"height":4182},"https://images.ctfassets.net/y1cdw1ablpvd/6NDvy4ySxNnUB8vQyToycU/7af8c8fc9a82851ddd734fc730487bc0/image7.png",796,283,{"sys":4184,"__typename":4160,"title":4185,"caption":4186,"layoutMode":118,"file":4187},{"id":3920},"Enable the security policy ","Accessing clear text passwords in Dashlane in an authenticated session",{"url":4188,"width":4189,"height":4190},"https://images.ctfassets.net/y1cdw1ablpvd/3audb7ABsy1fN7dqXY81h0/657f9c2b48b36b116fd81a1b15da0cf4/image3.png",1999,981,{"sys":4192,"__typename":4160,"title":4193,"caption":4194,"layoutMode":118,"file":4195},{"id":3926},"Enable the security policy #2","Exporting Dashlane passwords in CSV 
format",{"url":4196,"width":4197,"height":4198},"https://images.ctfassets.net/y1cdw1ablpvd/7MnLtbQ0A0obog8ishdaOF/b55fb2d0e7af8052c784f10666a69768/image5.png",686,1020,{"sys":4200,"__typename":4160,"title":4201,"caption":4202,"layoutMode":118,"file":4203},{"id":3932},"Enable the security policy #3","Configuring Dashlane to allow export of passwords",{"url":4204,"width":4205,"height":4206},"https://images.ctfassets.net/y1cdw1ablpvd/3YAdW74nAGrHvHOMO5VlHI/6f16c492b00c4bcd11f7a73ba40f2292/image2.png",971,153,{"sys":4208,"__typename":4160,"title":4209,"caption":4210,"layoutMode":118,"file":4211},{"id":4030},"Identity Providers","Configuring Okta routing rules to use an external malicious identity provider when accessed using an attacker’s IP address. This can be used to access any application connected to Okta - not just Dashlane. ",{"url":4212,"width":4213,"height":4214},"https://images.ctfassets.net/y1cdw1ablpvd/77ukND4FQYghlzQPOtg7BK/e381508f376b03967f12ef70539b6d27/image4.png",1024,719,{"sys":4216,"__typename":4217,"type":4218,"ctaText":4219,"buttonLabel":4220,"buttonColour":4221,"buttonUrl":118},{"id":1518},"CtaWidget","Demo","Learn how Push can help you secure identities across your org","Book a demo!","sunny orange","content:blog:can-my-admins-steal-my-cloud-password-manager-secrets.json","json","content","blog/can-my-admins-steal-my-cloud-password-manager-secrets.json","blog/can-my-admins-steal-my-cloud-password-manager-secrets",1776359989558]