2014 in review

2014 was another very awesome year. We’ll write about some of the highlights in this article and tell you why 2014 was important for us and our project @internetwache. Last but not least, we’ll give a sneak preview of our plans for 2015.

Day 3 + Day 4 at the #31C3

First of all: We wish all our readers a happy new year! A special writeup about Internetwache in 2014 and other projects will be published in about a week.

To be honest, we planned to publish an article every day of the #31c3, but as you might have read in the other posts: we were very busy meeting cool people, hearing awesome talks and finally being tired as hell :) So we decided to postpone the blogposts until after the #31c3. Finally we got some time after New Year’s Eve (without internet) to write down the experiences of the last two days.

Day 2 at the #31c3

Our second day at the #31c3 was also very nice - we want to summarize our impressions of the second day in this blogpost. But before we start, we will let you know how we finished the first day.

Day 1 at the #31c3

The winter is the time for us members of @internetwache to meet in one place, and there’s no better place to meet than the 31st Chaos Communication Congress in Hamburg. So we did it :) This is a blogpost about our experience of the first day and the interesting talks we listened to.

Apostrophe encoding and XSS in modern browsers

During a bug bounty hunt, Sebastian discovered a script-context XSS with the injection point being a string. As you know, all modern browsers like Firefox, Chromium and IE automatically encode the apostrophe. However, this issue still remains exploitable.

RCE on attack-secure.com

More than a year ago, we reported a remote code execution bug to one of our fellow security researchers and trainers, Mohamed Ramadan, over at attack-secure.com.

Bad coding style can lead to XSS in Ruby on Rails

Last year (around the 20th of October), Sebastian was working on a project in Ruby on Rails. While writing some really dirty code, he noticed that it’s possible to run into XSS issues by nesting Rails’ form helpers.

A tale of two SQLis at Avira

It has been a long time since we posted a security article. So here we go with two little SQL injection vulnerabilities that we discovered in an AVIRA product roughly a year ago.

Review of the last months

A lot of time has passed since we published the last blog post. We want to give a brief status update and an overview of the events of the recent months.