Compass Security Blog

Offensive Defense

Page 3 of 4

Presentation at BSidesVienna

On the last Saturday the 22nd of November, I attended BSidesVienna 2014 to deliver a talk about BurpSentinel. This tool is a Burp Suite extension giving better control over semi-automated requests sent to a given web application page. The presentation also covered aspects on automated Cross-Site Scripting and SQL injection detection. Despite talking early in the day (10 am), […]

Continue reading

Keep your secrets really secret

Nowadays, we all relentlessly use search engines and developers extensively use version and source code control systems to keep track of their source code. Services such as Google or GitHub are great to search and retrieve information they gathered and stored. But when it comes to public indexing services, one big problem raises up: your whole […]

Continue reading

Security Advisories for SAP BusinessObjects Explorer and neuroML

Compass Security employees identify and report on a regular basis security vulnerabilities as part of their daily assessments (or just out curiosity). Stefan Horlacher identified and reported back in June 2013 several flaws in SAP BusinessObjects Explorer. We’re happy to publish today the details as the flaws have been patched and a reasonable grace period […]

Continue reading

Disabling Viewstate’s MAC: why you deserve having now a broken ASP.NET web application

Lots of things happened since my first (and unique) blog post about ASP.NET Viewstate and its related weakness. This blog post will not yet disclose all the details or contain tools to exploit applications, but give some ideas why it’s really mandatory to both correct your web applications and install the ASP.NET patch. Back in […]

Continue reading

Advisories regarding Leed and Secure Entry Server (SES)

Today I’m happy to release the following security advisories: SQL injection in Leed (CSNC-2013-005 / CVE-2013-2627) Cross-site request forgery in Leed (CSNC-2013-006 / CVE-2013-2628 Authentication bypass in Leed (CSNC-2013-007 / CVE-2013-2629) URL redirection in Secure Entry Server (SES) I would take the opportunity to thanks Valentin CARRUESCO aka Idleman for the timely patches he implemented […]

Continue reading

ASFWS slides and OWASP meeting tomorrow

As announced a while ago, I had the chance to organize both a workshop about our hacking-lab.com and present my talk “Advances in secure (ASP).NET development – break the hackers’ spirit” at the AppSec Forum Western Switzerland in Yverdon-les-Bains last week. I hope to soon summarize the conferences I attended in an upcoming blog article. […]

Continue reading

Compass Security at ASFWS in Yverdon-les-Bains

Compass Security is proud to be part and sponsor of the Application Security Forum – Western Switzerland (ASFWS), a conference about application, identity and cyber security which will be take place in a week’s time in Yverdon-les-Bains (15-16 October 2013). I will run the AppSec Lab 1 (featuring the Hacking-Lab), on Wednesday 16 October in the […]

Continue reading

Bypass File Download Restrictions in Content Filters

Companies battle with users who download files from the Internet at work and then execute them. Unsuspicious files are often infected with malware. A common procedure to decrease the amount of infections is to block common bad file types (for example .exe, .scr or .zip), before the files can enter the internal network. The preconditions […]

Continue reading

Microsoft Security Bulletin MS13-067 – Critical

As part of today’s monthly patch day, Microsoft fixed an issue I reported in September 2012 around (ASP).NET and SharePoint. The vulnerability opens a new type of attack surface on ASP.NET if a given precondition regarding the Viewstate field is met. The impact is at least a breach of data integrity on the server side resulting […]

Continue reading

XSS – The never ending story

Cross-Site Scripting (XSS) has lost one rank in the newly released OWASP Top Ten 2013 candidate. Compared to the 2010 version, it’s now on rank three, overtaken by “Broken Authentication and Session Management”. Has XSS become less common then? No, I don’t think so. Compass Security has always been strong in web application security testing […]

Continue reading

« Older posts Newer posts »