Compass Security Blog

Offensive Defense

Author: Cyrill Bannwart

Write-up: The Great Continuation

This challenge was web based and contained a mix of XSS, CSRF and CSP bypass. We were given two web pages, admin. and bot.control.insomni.hack, and challenged to break into the administration panel to take the control of the bots. The admin page had a login form containing an obvious reflected Cross-Site Scripting (XSS). However, it […]

Continue reading

Black Hat USA 2016 / DEF CON 24

At the beginning of August, as every year, two of our security analysts attended the most renowned IT security conferences Black Hat USA and DEF CON to learn about the latest trends and research. This year’s Black Hat conference, the 19th edition, took place at the Mandalay Bay Conference Center while DEF CON 24 was located […]

Continue reading

Windows Phone – Security State of the Art?

Compass Security recently presented its Windows Phone and Windows 10 Mobile research at the April 2016 Security Interest Group Switzerland (SIGS) event in Zurich. The short presentation highlights the attempts made by our Security Analysts to bypass the security controls provided by the platform and further explains why bypassing them is not a trivial undertaking. Windows 10 Mobile, which […]

Continue reading

IP-Box – Why a 4 digit passcode is still a bad idea

Up to the iPhone 4, 4 digit passcodes could be brute-forced within a short amount of time – maximum 30 minutes, depending on the passcode. With the iPhone 4s, the Boot ROM vulnerability required to upload a custom RAM disk has been closed thus rendering newer phones immune to this attack. This is where the IP-Box […]

Continue reading