Sebastian recently discovered an interesting CSRF bypass and we would like to share this finding with you.
2014 in review
2014 was another very awesome year. We’ll write about some of the highlights in this article and tell you about why 2014 was important for us and our project @internetwache. Last but not least, we’ll give a sneak preview of our plans for 2015.
Day 3 + Day 4 at the #31C3
First of all: We wish all our readers a happy new year! A special writeup about Internetwache in 2014 and other projects will be published in about a week.
To be honest we planed to publish an article every day of the #31c3, but as you might have read in the other posts: We were very busy meeting cool people, hearing awesome talks and finally being tired as hell :) So we decided to postpone the blogposts after the #31c3. Finally we got some time after New Year’s Eve (without internet) to write down the experiences of the last two days.
Day 2 at the #31c3
Our second day at the #31c3 was also very nice - we want to summarize our impressions of the second day in this blogpost. But before we start we will let you know how we finished the first day.
Day 1 at the #31c3
The winter is the time for us members of @internetwache to meet in one place and there’s no better place to meet than the 31. Chaos Communication Congress in Hamburg. So we did it :) This is a blogpost about our experience of the first day and the intresting talks we listened to.
XSS in Skype’s videomail API
More than a year ago, we discovered a small XSS in Skype’s videomail API which landed us a warm place in Microsoft’s HoF.
Apostrophe encoding and XSS in modern browsers
During a bugbounty hunt Sebastian discovered a script-context XSS with the injection point being a string. As you know, all modern browsers like Firefox, Chromium, IE automatically encode the apostroph. However, this issue still remains exploitable.
RCE on attack-secure.com
More than a year ago, we reported a remote code execution bug to one of our fellow security researcher and trainer Mohamed Ramadan over at attack-secure.com
Bad coding style can lead to XSS in Ruby on Rails
Last year (around the 20th of October), Sebastian was working on a project in Ruby on Rails. While writing some really dirty code, he noticed that it’s possible to run into XSS issues by nesting rails’ form helpers.
A tale of two SQLis at Avira
It has been a long time since we posted a security article. So here we go with two little SQL Injection vulnerabilites that we discovered in an AVIRA product roughly a year ago.