SAML SP Authentication Bypass Vulnerability in nevisAuth
Two months ago, we wrote about SAML Raider, a Burp extension which allows automating SAML attacks based on manipulations of the intercepted security assertion. Using this tool, we were able to identify...
Authentication Bypass in Netgear WNR1000v4 Router
Three months ago I tested the web interface of the Netgear WNR1000v4 router for some typical vulnerabilities. When playing around with the application by forcefully calling different URLs in contexts...
SAMLRequest Support for SAML Raider
About a year ago, the Burp extension SAML Raider [0] was released as a result of a bachelor thesis [1] in collaboration with Compass Security. This Burp extension automates most of the steps, which are...
ASP.NET Core 5-RC1 HTTP Header Injection Vulnerability
ASP.NET Core is an open-source and cross-platform framework for building modern cloud-based, internet-connected applications, such as web apps, IoT apps and mobile backends. ASP.NET Core apps can run on...
Wrap-up: Hack-Lab 2017#1
What is a Hack-Lab? Compass Security provides a monthly playful occasion for the security analysts to get together and try to hack new devices, dive into current technologies and share their skills...
Wrap-up: Hack-Lab 2017#2
What is a Hack-Lab? Compass Security provides a monthly playful occasion for the security analysts to get together and try to hack new devices, dive into current technologies and share their skills...
SharePoint: How to collaborate with external parties?
Opening up an internal SharePoint farm to the Internet in order to share resources with external parties might seem a good idea, because it helps avoid expensive infrastructure changes. However, in...
SharePoint: Collaboration vs. XSS
SharePoint is a very popular browser-based collaboration and content management platform. Due to its high complexity, proprietary technology and confusing terminology it is often perceived as a...
No need to break in, use the backdoor
The idea: Some time ago I read a tweet about hunting so-called “sticky-keys backdoors”, referencing a presentation at DEFCON 24, https://www.youtube.com/watch?v=EAYtRQKfna0. In addition to the...
Introducing Web Vulnerabilities into Native Apps
Intro: Mobile applications nowadays make heavy use of WebViews in order to render their user interfaces. Frameworks such as PhoneGap / Apache Cordova are even used to implement most of the...
New SMBGhost Vulnerability Affects Modern Windows Systems
After the infamous SMBv1 flaw with the name EternalBlue that was discovered some years ago (and all the consequences it had like WannaCry), a new vulnerability (CVE-2020-0796) affecting SMBv3 has been...
Relaying NTLM authentication over RPC
For a few years now, we pentesters (and probably bad guys as well) have made heavy use of NTLM relaying for privilege escalation in Windows networks. In this article, we propose adding support for the...
Yet Another Froala 0-Day XSS
Introduction: Froala WYSIWYG HTML Editor is a lightweight WYSIWYG HTML Editor written in JavaScript that enables rich text editing capabilities for web applications [1]. Froala sanitizes the user input...
The Good Old DNS Rebinding
“This application is hosted in our internal network and not exposed to the Internet, why should we invest money and time in securing it? Our employees have access to that data anyway…” If you performed...
Printer Tricks Episode II – Attack of the Clones
TL;DR: We show how to decrypt passwords from the configuration backup of a Xerox WorkCentre and how, during the reverse engineering, a command injection vulnerability was discovered (CVE-2021-27508)....
Relaying NTLM authentication over RPC again…
A little bit over a year ago, I wrote an article on this blog about CVE-2020-1113 and how it enabled code execution on a remote machine through relaying NTLM authentication over RPC triggering a...
Ionic Identity Vault Biometric Authentication Bypass
Ionic Identity Vault is a secure storage solution for Android and iOS mobile apps which can be used to store authentication information like access tokens [1]. This information can be protected, so...
SAML Padding Oracle
ArcGIS [1] is a family of software providing geographic information system services. While testing a customer’s ArcGIS architecture we came across a SAML login flow. In this blog post we show how we...
A Year's Worth of Active Directory Privilege Escalation
The end of the year is a good time to sit back and reflect for a moment on the past year. So let us take a look at the ten most common ways I got Domain Admin privileges in our Active Directory...