Hi all, As you might know, Hacking-Lab is providing free OWASP TOP 10 hands-on challenges to the OWASP community. This is an inner service of GEC (Global Education Commitee) and as part of the Academy Portal project. Vulnerabilities within used frameworks and libraries, like the Apache Struts vulnerability do not have a prominent place with […]
Fridays, I was approaching a win32 reversing challenge. So I transferred the binary into my Windows XP virtual box and fired-up OllyDbg. The goal was to bypass the username and password prompt that occurred on application startup. Hilariously, I was just providing a dummy name and password to the app…. “asdf” “asdf” as probably most […]
JBoss is a popular open-source Java application server which underwent a major rewrite of its code-base for its latest version 7.x. Of this new branch, only version 7.1.0.Final, released a week ago, is certified for the Java EE 6 Full Profile. As part of the code rewrite, the configuration settings also got a global overhaul. […]
Am 1. März 2012 ist es wieder so weit, wir führen den ersten BeerTalk im Jahr 2012 zum Thema Advanced Web Security durch. Das weit verbreitete Struts Framework war im letzten halben Jahr immer wieder auf Remote Code Execution verwundbar, was Angreifern erlaubte, ganze Systeme zu kompromittieren. Philipp Oesch, Leiter Software Entwicklung bei der Compass […]
Ivan Bütler, CEO of Compass Security and board member of ISSS is proud to announce the third ISSS St.Galler Tagung next March 28, 2012 in Saint Gall. Don’t miss this event, where we dig into iPhone security. First, Riccardo Trombini will introduce the threats; a MobileIron and Goods Technology expert answers with the appropriate remedy. […]
Developers increasingly integrate BeanShell support into web applications to provide end users and administrators with a simple extension framework. But be warned! BeanShell support without appropriate access control will put the hosting web server at severe risk. An attacker could easily execute operating system calls and without appropriate system hardening such an attack will immediately result in full system compromise. The […]
As it is known since at least 2006, a website is able to identify the domains a user previously visited, with some simple CSS hacks. This had great privacy implications, and browsers took steps to eliminate this problem. But in December 2011, lcamtuf presented a new proof of concept based on cache timings, which basically does the […]
The Pwnie Express is a device that is designed for remote security testing of corporate and federal facilities and can be used as an “All-In-One” hacking drop box, aiding the pentesters at Compass Security, to conduct “real world” industrial espionage simulations. http://pwnieexpress.com/ The typical penetration testing scenario is: 1) A Compass analyst manages to “social-engineer” […]
© 2025 Compass Security Blog