On the last Saturday the 22nd of November, I attended BSidesVienna 2014 to deliver a talk about BurpSentinel. This tool is a Burp Suite extension giving better control over semi-automated requests sent to a given web application page. The presentation also covered aspects on automated Cross-Site Scripting and SQL injection detection. Despite talking early in the day (10 am), […]
Nowadays, we all relentlessly use search engines and developers extensively use version and source code control systems to keep track of their source code. Services such as Google or GitHub are great to search and retrieve information they gathered and stored. But when it comes to public indexing services, one big problem raises up: your whole […]
Compass Security employees identify and report on a regular basis security vulnerabilities as part of their daily assessments (or just out curiosity). Stefan Horlacher identified and reported back in June 2013 several flaws in SAP BusinessObjects Explorer. We’re happy to publish today the details as the flaws have been patched and a reasonable grace period […]
Lots of things happened since my first (and unique) blog post about ASP.NET Viewstate and its related weakness. This blog post will not yet disclose all the details or contain tools to exploit applications, but give some ideas why it’s really mandatory to both correct your web applications and install the ASP.NET patch. Back in […]
Today I’m happy to release the following security advisories: SQL injection in Leed (CSNC-2013-005 / CVE-2013-2627) Cross-site request forgery in Leed (CSNC-2013-006 / CVE-2013-2628 Authentication bypass in Leed (CSNC-2013-007 / CVE-2013-2629) URL redirection in Secure Entry Server (SES) I would take the opportunity to thanks Valentin CARRUESCO aka Idleman for the timely patches he implemented […]
As announced a while ago, I had the chance to organize both a workshop about our hacking-lab.com and present my talk “Advances in secure (ASP).NET development – break the hackers’ spirit” at the AppSec Forum Western Switzerland in Yverdon-les-Bains last week. I hope to soon summarize the conferences I attended in an upcoming blog article. […]
Compass Security is proud to be part and sponsor of the Application Security Forum – Western Switzerland (ASFWS), a conference about application, identity and cyber security which will be take place in a week’s time in Yverdon-les-Bains (15-16 October 2013). I will run the AppSec Lab 1 (featuring the Hacking-Lab), on Wednesday 16 October in the […]
Companies battle with users who download files from the Internet at work and then execute them. Unsuspicious files are often infected with malware. A common procedure to decrease the amount of infections is to block common bad file types (for example .exe, .scr or .zip), before the files can enter the internal network. The preconditions […]
As part of today’s monthly patch day, Microsoft fixed an issue I reported in September 2012 around (ASP).NET and SharePoint. The vulnerability opens a new type of attack surface on ASP.NET if a given precondition regarding the Viewstate field is met. The impact is at least a breach of data integrity on the server side resulting […]
Cross-Site Scripting (XSS) has lost one rank in the newly released OWASP Top Ten 2013 candidate. Compared to the 2010 version, it’s now on rank three, overtaken by “Broken Authentication and Session Management”. Has XSS become less common then? No, I don’t think so. Compass Security has always been strong in web application security testing […]
© 2024 Compass Security Blog