Grab cookies from the VPN session, that could be transmitted to the malicious web site as well Send the stolen content to the malicious web site, that time by _not_ bypassing the filter Bypass the filter in order to fetch content from an internal web site The following proof-of-concept demonstrates what a malicious third-party web site can do: This includes calls to proxy requests to arbitrary servers, including servers from the internal network. Which means that arbitrary AJAX calls can be made to the Secure Access Service. No matter what web site the client is actually browsing, the domain, as seen by the browser, remains the domain of the proxy. It's even possible to just overwrite Dana's wrappers with native methods, so that no further changes is necessary to bypass the filter: The former one is properly rewritten, but the second one successfully bypasses the filter. In addition, a call to a protected method like: However, the proxy filter fails at parsing document. Sensible properties like okies are mangled.
However, the Dana filters can easily be circumvented. These wrappers ensure than no external URL can ever get directly reached by the browser, thus defeating the purpose of the VPN. Javascript methods like open() and eval() are also transformed to secure wrappers like DanaMethodOpen() and DanaEval(). Before sending content to the client, HTML, Javascript and CSS files are parsed and transformed in order to change remote links to local, VPN-aware links.įor example, links to get changed to before being delivered to the client. Remove associated files C:ProgramData and delete Pule Secure folder C:Program FilesCommon Files and remove Juniper Networks and/or Pulse Secure folder(s). The Junos Pulse Secure Access Service provides client-less access to remote web sites.