Compass Security Blog

Offensive Defense

Cyber Resilience Act – Part II

In this second part, we demonstrate how a Cyber Resilience Act (CRA) assessment is performed in practice. Using a low-cost IP camera as an example, we show how a product is classified, how threats are modelled, how hardware and firmware are analysed, and how compliance gaps against IEC 62443-4-2 can be identified. You may want […]

Continue reading

SSH Labs

SSH is a widely used protocol that provides secure access to remote systems. It enables encrypted communication, file transfers, command execution and shell access for system administration.

Visit https://sshlabs.compass-security.training to learn more about SSH security.

Continue reading

Common Entra ID Security Assessment Findings – Part 1: Foreign Enterprise Applications With Privileged API Permissions

This post is part of a small blog series covering common Entra ID security findings observed during real-world assessments. Each article explores selected findings in more detail to support a clearer understanding of the underlying risks and practical implications. Introduction In the vast majority of tenants we review, there are enterprise applications that originate from […]

Continue reading

NTLM Relaying to HTTPS

NTLM is the legacy authentication protocol in Windows environment. In the past few years, I’ve had the opportunity to write on this blog about NTLM Relaying to DCOM (twice), to AD CS (ESC11) and to MSSQL. Today I will look back on relaying to HTTPS and how the tooling improved.

Continue reading

Collaborator Everywhere v2

Collaborator Everywhere is a well-known extension for Burp Suite Professional to probe and detect out-of-band pingbacks. 

We developed an upgrade to the existing extension with several new exiting features. Payloads can now be edited, interactions are displayed in a separate tab and stored with the project file. This makes it easier to detect and analyze any out-of-band communication that typically occurs with SSRF or Host header vulnerabilities.

Continue reading

Introducing EntraFalcon – A Tool to Enumerate Entra ID Objects and Assignments

TL;DR: PowerShell tool to enumerate Entra ID objects, assignments and identify highly privileged objects or risky configurations. https://github.com/CompassSecurity/EntraFalcon Entra ID environments can contain thousands of objects – users, groups, service principals, and more – each with unique properties and complex relationships. While manual reviews through the Entra portal might be feasible in smaller environments, they […]

Continue reading

Bypassing Web Filters Part 4: Host Header Spoofing & Domain Fronting Detection Bypasses

In the previous posts of this series, we looked at different ways to bypass web filters, such as Host header spoofing and domain fronting. As we’ve learned, these techniques can be detected by proxies employing TLS inspection, by checking whether the hostname in the SNI matches the one in the HTTP Host header. If they […]

Continue reading

Bypassing Web Filters Part 3: Domain Fronting

The last two blog posts in this series were about SNI spoofing and Host header spoofing. We also learned that the latter is addressed by some vendors with a technique called “Domain Fronting Detection”. But what exactly is domain fronting? This will be explained in this blog post.

Continue reading

Bypassing Web Filters Part 2: Host Header Spoofing

In the last post about bypassing web filters, I discussed how SNI spoofing works and how this can also be prevented by web filters. This post is about another bypass technique called Host Header spoofing.

Continue reading

Bypassing Web Filters Part 1: SNI Spoofing

This is the first part of a series of blog posts about techniques to bypass web filters, looking at increasingly advanced techniques with each part.

The first part is about how SNI spoofing can be used to bypass web filters.

Continue reading

« Older posts