Compass Security Blog

Offensive Defense

OWASP – Toronto January 2020

A write-up of the OWASP Toronto January talk which mainly focused on the correlation and integration of results generated by automated tools in application security such as SAST, DAST and SCA. Alexandre Larocque concludes whether old-fashioned PDF reports are still worth it.

Continue reading

Interview with Jim McKay

“I love hacking can be used for the greater good.” During the Solothurn Film Festival 2020 we had the opportunity to meet Jim McKay, who directed, among others, two episodes for Mr. Robot season one. Jim had also time for a short interview. What is important for you working as a director/writer? Jim McKay: I […]

Continue reading

Finding Active Directory attack paths using BloodHound

As a defender, you want to find and patch attack paths in your Active Directory environment. One cannot easily spot issues by looking at the Active Directory Users and Computers console, GPOs, etc. but here comes BLOODHOUND.

Continue reading

Challenging Your Forensic Readiness with an Application-Level Ransomware Attack

Ransomware focuses on encrypting data on a filesystem-level, either locally on infected client systems or remotely on accessible file servers. However, what if ransomware would start encrypting data on an application-level too?

Continue reading

Hacking Tools Cheat Sheet

Everyone knows: cheat sheets are cool! They are very useful if you already know the basics about a topic but you have to look up details when you are not sure about something.

Continue reading

Introducing Web Vulnerabilities into Native Apps

Mobile applications nowadays make heavy use of WebViews in order to render their user interfaces. Frameworks such as PhoneGap / Apache Cordova are even used to implement most of the application’s functionalities using WebViews only.

While native code, both in Android and in iOS, can quickly be analyzed using dynamic analysis tools like Frida, operations performed in WebViews cannot be easily debugged with the same methods.

Continue reading

There is such thing as a free lunch

Usually you need to pay for lunches with cash or using your credit card. But in some places employees can pay for a lunch using their access badge. And this is the payment method that will be covered in this blogpost.

Continue reading

A Smart Card Odyssey

Black box analysis of a not so smart card in ID-1 form factor that is in use for the billing of washing machines and tumble driers.

Continue reading

enOcean Security

In this post, we are going to take a closer look at the enOcean technology, how security is implemented, and if the security measures and options available are sufficient.

Continue reading

Privilege escalation in Windows Domains (3/3)

In this last article about privilege escalation in Windows domains, we demonstrate how to extract credentials from running systems to compromise high-privileged accounts.

Continue reading

« Older posts