Articles

Salamander/MIME
Just because it's encrypted doesn't mean it's secure

If you remember kobold letters, you already know not to blindly trust emails. But it’s not just HTML emails that can be deceiving. In this article, we’ll take a look at S/MIME and how we can use the concept of invisible salamanders to craft messages that tell each recipient a different story. Let’s talk about Salamander/MIME.

November 10, 2024

HTML Smuggling
How attackers sneak past virtually any web filter (MITRE T1027.006)

What if attackers exploit the very essence of the Internet: HTML, JavaScript and CSS? And bypass practically every filter? This is exactly what so-called HTML Smuggling takes advantage of. Instead of sending phishing victims a file directly as an attachment or download link, the malware is embedded in HTML or JavaScript.

October 22, 2024

Kobold letters
Why HTML emails are a risk to your organization

Anyone who has had to deal with HTML emails on a technical level has probably reached the point where they wanted to quit their job or just set fire to all the mail clients due to their inconsistent implementations. But HTML emails are not just a source of frustration, they can also be a serious security risk.

March 31, 2024

Two-factor authentication
and why it shouldn't be an afterthought

We reported to PayPal a way to bypass their two-factor authentication, and their response was to remove the requirement for two-factor authentication. In this article, we document our findings and explain why 2FA is an important security feature that should be taken seriously.

December 28, 2023

Manifest confusion
Why npm cannot be trusted

Manifest confusion is a problem in the architecture of npm, pointed out by Darcy Clarke: An npm package’s manifest is independently published from its tarball and never fully validated.

July 7, 2023

Thoughts on pentests
A pentester's perspective

Sebastian Rode of djangsters recently wrote about his perspective on pentests as a developer. This article takes the reverse perspective and tries to answer how a pentester experiences a pentest.

June 1, 2023

Open Redirects - A Journey into the Unknown
Why trustworthy sites suddenly want to sell you hookup meetings

Open Redirects are a great thing for attackers: users click on a trustworthy-looking link and think nothing of it. Why should they? They have learned in various repetitive trainings to look for the little lock icon in the URL bar of the browser and to check everything down to the domain extension before clicking on a link (modern browsers even highlight the important part). The boatload of cryptic parameters afterwards won’t bother us any more — we are used to this by now. So why make a fuss about it? The training courses are far too long anyway.

May 31, 2023

Password Validation in Django
A reasonable default

Since NIST updated its password recommendations in 2017, a lot has changed. Although there are still plenty of applications that rely on the old-fashioned complexity-based rules (lower case, upper case, numbers, special characters… you know the drill), a lot has improved.

May 25, 2023

CVE-2023-25392
Finding Vulnerabilities with Static Code Analysis

If we reinvent the wheel, it’s safe to say that initially it probably won’t run as smoothly as the one that’s been around for more than 6,000 years. So if all you need is a wheel and you’re not trying to sell a new wheel, it’s a good idea to stick with the existing design. The same goes for software. If you just need a functionality, the best solution is usually to use something that already exists, a library that has already implemented it.

April 6, 2023

Known Weak Passwords
And how to avoid them

There are already plenty of articles on how to choose a good password. In this article, we will look at the other end of the question: How to identify the most terrible passwords.

March 24, 2023

Passwordless gone wrong
Perfect is the enemy of good (Part 2)

Here we are. Patiently waiting to continue the ride. Finally ready to travel beyond space and time. Ready to explore the mysteries of the unknown. So jump in, fasten your seatbelts. And. Off. We. Go! Note: Where we’re going, we don’t need roads. It might, however, not hurt to read Part One first.

March 3, 2023

Password policies gone wrong
Perfect is the enemy of good (Part 1)

Not a day passes without a new zero day, a reported data leak, a company temporarily shutting down due to a ransomware attack. All of this is garnished with the lingering threat of cyberattacks on critical infrastructure potentially bringing down entire countries. So yes, information security is arguably pretty important right now and in the future. This is why we are doing what we are doing. This is our motivation.

February 17, 2023

How to report a security vulnerability?
Responsible Disclosure

Whether you are a security researcher or an amateur hacker, if you find a security vulnerability in an application or website, you are often faced with the question: What do I do now?

December 20, 2022

Internet censorship in Russia

Internet access in Russia is heavily censored. Ahead of the invasion of Ukraine on February 24, 2022, this censorship has further increased. But how reliable is the censorship and how is the censorship technically implemented?

November 10, 2022

Password rules

Anyone who has ever signed up somewhere knows password rules: 8 characters, uppercase letters, lowercase letters, special characters, …. But are these rules really useful and what are good password rules?

October 18, 2022

CVE-2022-36532
Bolt CMS - Authenticated Remote Code Execution

Bolt is a content management system based on PHP that is a lightweight alternative to Wordpress and is used extensively by agencies. We discovered a vulnerability in version 5.1.12 and below that allows an authenticated user with the ROLE_EDITOR privileges to upload and rename a file to achieve remote code execution.

September 5, 2022

Introduction to OSINT

What is even OSINT? OSINT at its core stands for open-source intelligence and Wikipedia defines it as follows: Open-source intelligence (OSINT) is the collection and analysis of data gathered from open sources (overt and publicly available sources) to produce actionable intelligence. OSINT is used by various entities to gain information or insights on specific topics. Insurance companies, for example, use OSINT to assess the risk of their insurance policies. Other areas where OSINT is used on a daily basis include the military, intelligence agencies, law enforcement, banks and, of course, cyber criminals.

August 30, 2022

Write-up: Dirty Money - Operator
HTB Business CTF 2022

The HackTheBox Business CTF 2022 featured two cloud challenges. The harder one was Operator, which we will present in the following. Fasten your seatbelts as this will be kind of a ride!

July 18, 2022

From zero to cluster
Kubewarden 1.0.0: Yay or Nay? (Part 1)

Kubewarden, an only recently admitted CNCF sandbox project, has had its first stable release on 22nd of June, 2022 — a perfect time to have a quick look at it. What is Kubewarden? In short: Kubewarden is an admission controller for Kubernetes (stylized as K8s), that tries to replace the now deprecated Pod Security Policies and unify the current ecosystem by supporting both versions of Rego policies (used by Open Policy Agent and OPA gatekeeper).

July 12, 2022

Follina (CVE-2022-30190)

Follina is a newly discovered vulnerability that allows to exploit the Microsoft Support Diagnostic Tool (MSDT) via specifically crafted Microsoft Office and Rich Text Format files. It is a RCE vulnerability and therefore enables an attacker to execute code on the exploited Windows system.

June 2, 2022

Was sind Ports und Services?

Was sind Ports? Im Rahmen meines Artikels .de-Domains Healthcheck 2024 ist mir aufgefallen, dass vielen Lesern das Konzept von Ports und Services möglicherweise noch ganz unbekannt ist. Und aus diesem Grund möchte ich hier sehr vereinfacht erklären, was Ports und Services eigentlich sind. Denn auch Sie begegnen Ports und Services nicht nur in spannenden Healthcheck-Artikeln, sondern täglich indirekt bei Netzwerkzugriffen, Remote-Access oder schlicht schon beim Zugriff auf Ihre Lieblings-Website. Wie funktioniert das alles also konkret?

November 8, 2024

Dienstpaket Smishing
Anatomy of a Phish

Phishing begegnet uns heutzutage quasi überall. Egal ob das klassiche Phishing via E-Mail oder sogenanntes Smishing mittels SMS-Nachrichten. Zur Black-Friday-Week haben die Angreifer sich für einen in dem Paketbestellwahn besonders gemeinen Zoll/Paket-Pretext entschieden.

November 28, 2023

Outlook für Windows
Wo gehen meine Daten hin?

Das neue Outlook für Windows – so berichtet heise online – überträgt Passwörter an Microsoft; und zwar auch dann, wenn das E-Mail-Konto bei einem anderen Anbieter besteht. Aber wie kann man so etwas als Nutzer nachvollziehen bzw. wie kann man so etwas selbst überprüfen, wenn niemand darüber berichtet? Dieser Frage gehen wir in diesem Artikel nach. Vorbereitung Was brauchen wird dafür? Zunächst natürlich einen Computer oder eine VM mit Windows 10 oder 11.

November 15, 2023

Nim dir Zeit für Malware Detection!

Heutige Angreifer und mit Ihnen zusammen aktuelle Malware werden immer besser und daher schwieriger zu entdecken. Natürlich verbessern die Verteidiger ihre Werkzeuge ebenso stetig. So kommt es zu dem Wettrüsten, welches wir seit Jahren beobachten. Auch wenn Antivirensoftware versucht bei diesem Katz-und-Maus-Spiel mitzuhalten, ist dies immer nur verzögert möglich und man sollte sich auf keinen Fall zu sehr auf sie verlassen.

September 29, 2022