Fridays, I was approaching a win32 reversing challenge. So I transferred the binary into my Windows XP virtual box and fired-up OllyDbg. The goal was to bypass the username and password prompt that occurred on application startup. Hilariously, I was just providing a dummy name and password to the app…. “asdf” “asdf” as probably most […]
JBoss is a popular open-source Java application server which underwent a major rewrite of its code-base for its latest version 7.x. Of this new branch, only version 7.1.0.Final, released a week ago, is certified for the Java EE 6 Full Profile. As part of the code rewrite, the configuration settings also got a global overhaul. […]
Am 1. März 2012 ist es wieder so weit, wir führen den ersten BeerTalk im Jahr 2012 zum Thema Advanced Web Security durch. Das weit verbreitete Struts Framework war im letzten halben Jahr immer wieder auf Remote Code Execution verwundbar, was Angreifern erlaubte, ganze Systeme zu kompromittieren. Philipp Oesch, Leiter Software Entwicklung bei der Compass […]
Ivan Bütler, CEO of Compass Security and board member of ISSS is proud to announce the third ISSS St.Galler Tagung next March 28, 2012 in Saint Gall. Don’t miss this event, where we dig into iPhone security. First, Riccardo Trombini will introduce the threats; a MobileIron and Goods Technology expert answers with the appropriate remedy. […]
Developers increasingly integrate BeanShell support into web applications to provide end users and administrators with a simple extension framework. But be warned! BeanShell support without appropriate access control will put the hosting web server at severe risk. An attacker could easily execute operating system calls and without appropriate system hardening such an attack will immediately result in full system compromise. The […]
As it is known since at least 2006, a website is able to identify the domains a user previously visited, with some simple CSS hacks. This had great privacy implications, and browsers took steps to eliminate this problem. But in December 2011, lcamtuf presented a new proof of concept based on cache timings, which basically does the […]
The Pwnie Express is a device that is designed for remote security testing of corporate and federal facilities and can be used as an “All-In-One” hacking drop box, aiding the pentesters at Compass Security, to conduct “real world” industrial espionage simulations. http://pwnieexpress.com/ The typical penetration testing scenario is: 1) A Compass analyst manages to “social-engineer” […]
The analysis of Social Media apps gets more and more weight as these applications gain momentum with end users. Thus, forensic analysts must not only understand how to grab files and content from a suspects computer but also from its online services (not to use the damn Cloud word). Therefore, it is crucial to understand […]
© 2025 Compass Security Blog