Compass Security Blog

Offensive Defense

Hacking Tools Cheat Sheet

Everyone knows: cheat sheets are cool! They are very useful if you already know the basics about a topic but you have to look up details when you are not sure about something.

Introducing Web Vulnerabilities into Native Apps

Mobile applications nowadays make heavy use of WebViews in order to render their user interfaces. Frameworks such as PhoneGap / Apache Cordova are even used to implement most of the application’s functionalities using WebViews only.

While native code, both in Android and in iOS, can quickly be analyzed using dynamic analysis tools like Frida, operations performed in WebViews cannot be easily debugged with the same methods.

There is such thing as a free lunch

Usually you need to pay for lunch with cash or a credit card. But in some places employees can pay for lunch using their access badge. That is the payment method covered in this blog post.

A Smart Card Odyssey

Black box analysis of a not so smart card in ID-1 form factor that is in use for the billing of washing machines and tumble driers.

enOcean Security

In this post, we take a closer look at the enOcean technology, how security is implemented, and whether the available security measures and options are sufficient.

Privilege escalation in Windows Domains (3/3)

In this last article about privilege escalation in Windows domains, we demonstrate how to extract credentials from running systems to compromise high-privileged accounts.

Privilege escalation in Windows Domains (2/3)

This second article about privilege escalation in Windows domains describes how to propagate by aiming for passwords that are lying around.

Privilege escalation in Windows Domains (1/3)

This first article of our series about privilege escalation in Windows domains demonstrates how to get a foothold by relaying credentials from users.

From Open Wi-Fi to WPA3

Security in Wi-Fi networks has been, at some point, non-existent, then questioned, improved and questioned again over the last two decades. This post provides an overview of the latest developments in Wi-Fi and outlines attacks and defenses.

Practical OpenID Connect Pentesting

This post explains what you typically want to check for during an OpenID Connect assessment and provides a guide to setting up your own OpenID Connect test environment.
