Fine penetration tests for fine websites

Fri 07 Aug 2015, 10:36:21 CEST

Exploiting Websites by using offensive HTML, SVG, CSS and other Browser-Evil

Web-Security Training Event in Berlin,
November 2015

We are happy to announce that our popular training event is being offered in Germany this November! This two-day training will be given by Dr.-Ing. Mario Heiderich and held in the heart of Berlin. This is a highly recommended event for penetration testers and security developers, giving you insights on countless tricks and techniques of exploiting the (seemingly) unexploitable! We will cover a great range of modern website bugs and teach you how to make sure that these issues get fixed properly and smoothly.

Click here for more info!

Mon 23 Feb 2015, 09:59 CET

About DOMPurify 0.6.1 and Pentesters getting Pentested


Together with Frederic Hemberger, the Cure53 team co-maintains a DOM-only HTML, SVG and MathML sanitizer library called DOMPurify. Although it began only last year as an experiment, it quickly took off and is now used by more and more people and applications. We even benefit from it ourselves when working on various internal projects.

DOMPurify is a security library and attempts to prevent XSS attacks and other nastiness where a malicious user can control HTML that later is either used or displayed by the targeted application or website. Its task is therefore not a trivial one, especially given the quirky nature of HTML, SVG and most importantly browsers. In fact, we run a good load of unit tests against DOMPurify before each new release, with many of the maintainers having solid background in XSS and/or HTML and extensive knowledge on how browsers work. In addition, we offer a public smoke-test in which people can test the library and try to find bypasses.

Still, we didn't feel overly comfortable about the security of our tool. Browsers are weird, legacy features are legion and other XSS filters get bypassed all the time. Heck, many of them were bypassed by yours truly in the past, which is yet another reason why we created DOMPurify in the first place. Sheer reliance on our own knowledge of how browsers and XSS work, combined with frequent help from the community, was supposed to give us a good protective umbrella. And indeed, DOMPurify has not been broken in a long time, so we even started to create feature releases that no longer had to rely on fixing bypasses at all.

Nevertheless, a feeling of being ahead of the game, that is, overestimating your own safety and security, can easily turn you into a sitting duck, prone to birthing the next big attack vector. In our case, that would be a bypass allowing for XSS regardless of DOMPurify being in place. In order to do all in our power to prevent that, we decided to get a paid third-party pentest.

We started to wonder: who do you sign on for such a specific case? We decided to inquire with a fine gentleman known as @filedescriptor. He recently published several amazingly complex and mind-blowing XSS challenges. Not only did he write in great detail about the IE UXSS, but he even found a way to make XSS possible without user interaction. Quite obviously, he has a good level of knowledge about how browsers and especially HTML and JavaScript work. After negotiating a price, agreeing on a time-line and defining a general scope, the audit started in mid-February 2015 and yielded results that we don't want to keep secret from you. The full pentest report created by @filedescriptor can be found here.

DOMPurify 0.6.0 Pentest report

One of the results of the pentest was a decision to completely drop support for MSIE9. It is simply not possible to secure this browser against XSS in case a user has control over the HTML that an application uses. A nasty class of attacks known as mXSS is mainly to blame here. While MSIE9 does not support CSS expressions anymore, it is still very vulnerable to in-browser HTML mutations, which lead to Mutation XSS or mXSS. The report shows several examples of this. After a brief analysis phase, both our team and @filedescriptor decided that it no longer made sense to keep supporting MSIE9 at all costs. But does that mean that DOMPurify will not work with MSIE9 anymore? No. We simply cannot handle the risk of an MSIE9 bypass and therefore proceed the same way we handle older IE versions: the dirty HTML string is cleaned by MSIE's toStaticHTML() rather than by our own, far more content-tolerant code.

Another lesson learnt from the test is that you just cannot trust the DOM. Even if you think you are doing it right, checking types and protecting against DOM Clobbering and other attacks, the DOM often acts on its own and does things that at first glance seem to be little glitches but eventually blow up in your face once they take place in a security context. Did you know that typeof document.all yields "undefined" although document.all is present? Did you know that only the in operator delivers reliable results for property checks? Did you know that Double-Clobbering can function as a multi-stage attack against your DOM by overwriting property after property in several steps until the final payload unfolds and results in XSS? The DOM sucks hard. Persistently. And it will continue to be atrocious and make client-side security very hard to accomplish, in spite of more and more applications residing exclusively in the DOM.
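The two DOM pitfalls named above, a presence check that relies on typeof and a property that has been replaced by a named element through DOM Clobbering, can be made concrete with a small defensive helper. The code below is an added illustration written for this post, not DOMPurify's own code; it runs under Node without a DOM, so the "nodes" are constructed plain objects that only imitate the relevant behaviour (the document.all quirk is simulated with a property whose value is undefined, and the clobbered form with an object that carries an element-like nodeName in place of the real attributes map).

```javascript
// Added example, not part of the original post or of DOMPurify.
// Defensive property checks for code that reads from a DOM it does not trust.
// All "nodes" below are constructed plain objects standing in for real DOM nodes.

// Constructed stand-in for the attributes map of a real element.
function makeAttributes(entries) {
  return Object.freeze(entries.map(([name, value]) => ({ name, value })));
}

// Constructed stand-in for a clean <div data-x="1"> node.
const cleanNode = {
  nodeName: "DIV",
  attributes: makeAttributes([["data-x", "1"]]),
};

// Constructed stand-in for a <form> clobbered by <input name="attributes">:
// the named control shadows the real `attributes` property with an element-like object.
const clobberedNode = {
  nodeName: "FORM",
  attributes: { nodeName: "INPUT", name: "attributes", value: "" },
};

// Constructed stand-in for the document.all quirk: the property is present
// (the `in` operator sees it) while a typeof-based check reports it absent.
const quirkyDoc = { all: undefined };

// Presence check the post recommends: the `in` operator.
function hasProperty(obj, prop) {
  return prop in obj;
}

// Naive presence check many filters use; it misreports quirkyDoc.all as missing.
function hasPropertyTypeof(obj, prop) {
  return typeof obj[prop] !== "undefined";
}

// Clobbering-aware accessor: presence alone is not enough, the value must also have
// the shape a sanitizer expects (an array-like of {name, value} records, no nodeName).
// Returns the attribute pairs, or null when the property is missing or looks clobbered.
function getAttributesSafely(node) {
  if (!hasProperty(node, "attributes")) return null;
  const attrs = node.attributes;
  if (attrs === null || typeof attrs !== "object") return null;
  if ("nodeName" in attrs) return null; // an element sits where the map should be
  if (typeof attrs.length !== "number") return null;
  return Array.from(attrs, (a) => [a.name, a.value]);
}

// Stand-alone run for the reader.
console.log(hasProperty(quirkyDoc, "all"), hasPropertyTypeof(quirkyDoc, "all"));
console.log(getAttributesSafely(cleanNode), getAttributesSafely(clobberedNode));
```

The helper rejects a clobbered node rather than trying to recover the real map, which is the conservative choice for a sanitizer: a node whose properties do not look the way the DOM promises is treated as untrusted output.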

While the third result of the test is in principle not new, we nevertheless experienced it for the first time: even, and perhaps especially, security people need to get third-party audits. We are neither free from producing bugs nor immune to missing all the nasty little details that are out there. Our software can be buggy too and we're not exempt from the rules that apply to software that is not written by auditors, pentesters or security researchers. Not seeing the forest for the trees in your own software is not a crime. Ignoring that fact and not getting a pentest when you are close to a release, however, might become one, as it endangers the security of your users. And who knows in which critical context the library is used?

Last but not least we want to thank @filedescriptor for his amazing performance and high-quality pentest. We would embark on it again in a heartbeat and most likely will. The decision to get audited was an important and beneficial one – both for us and everyone in our user-base, including all the people who use DOMPurify in a web-crypto context. So once again, thank you - @filedescriptor, and many thanks to all our users for their trust. We'll try to keep the security level as high as it is right now. Let's make the DOM a safer place by learning how it works and providing tools for working with it safely and securely!

Fri 19 Jul 2013, 12:00:21 CEST

Cure53 Pro-Bono Pentest Summer 2013

Apply for 5 days of free penetration testing!

What's going on?

We are proud to announce a first edition of the Cure53 Pro-Bono Pentest competition. This means that one lucky open source software project with humanitarian, privacy- or security-related focus will win a full work week donated by the Cure53 Team exclusively to their vision.

What's at stake?

Beat the competition and you'll get 5 (that's five!) full days of free penetration testing, including report, fix support and follow-up communication. It is up to you to decide whether the final test report is to be published or not. No strings attached, no small-print. Just five days of our time for your project. Period.

How does it work?

Starting today (19th of July), you can submit an application for a pro-bono pentest of your open source software project by sending us an email with a short description of your idea and an answer to a simple question: What makes your project deserve a free pentest from us? That's all.

The deadline for applications is set to mid-August (the 19th to be precise, 23:59:59 GMT+1). We will then have a look at all applications and choose the one we deem most important, relevant and best fitting in terms of Cure53's strengths and interests. We will notify the applicants and announce the winner right afterwards.

Looking forward to hearing about your projects. Good luck!

Sat 13 Jul 2013, 19:56:29 CEST

HackPra Allstars Conference Track

Offensive security track at OWASP AppSec EU 2013 in Hamburg

General Info

Cure53 will sponsor and co-host the HackPra Allstars conference track accompanying the OWASP AppSec EU 2013 in Hamburg, Germany.

HackPra Allstars delivers in one full day what the legendary HackPra does in one semester! HackPra Allstars will present the finest, hand-selected talks from prolific speakers and top-tier researchers in the field of web security (and the lack thereof).

You can think of the HackPra Allstars as a conference inside a conference — offering you one day with the most interesting influencers in today’s web application security and in-security.

The HackPra Allstars is a dedicated invited speakers track at the OWASP Research 2013 conference on August 22. The track will be open to all regular attendees of the main conference.

Speakers

The HackPra Allstars line-up consists of the following gentlemen:


The HackPra Allstars Keynote will be held by Prof. Dr. Jörg Schwenk, NDS, RUB


Learn about the services we offer

Penetration tests for online services

Cure53 offers classic black-box penetration tests (zero-knowledge) as well as white-box tests and code audits. Web application and mobile app developers speak many languages and so do we. From classic languages such as PHP, JavaScript, ActionScript, Java, Ruby, Python and Perl to more exotic candidates like web back-ends written in C++ and Delphi – we've seen them. During our assignments we appreciate contact with the development team so that we can discuss bugs, vulnerabilities and fixes as quickly as possible. At the time of report submission, all critical bugs we spotted are usually fixed already – or soon thereafter.

Our assignments don't end with the report submission. Ongoing communication and knowledge transfer are part of the package – we rarely experience the often mentioned gap between development and security.
Since Cure53 was founded in 2007, we have performed several hundred penetration tests against all kinds of web applications, online services, hardware interfaces, mobile applications, libraries and crypto tools. We value manual and thorough tests, human interaction and communication, and a short yet to-the-point penetration test report without overhead or pie charts no one wants to see.

Security analysis and architectural advice

Sometimes security advice is necessary before a penetration test would even make sense. Especially for young and quickly developing projects, an early security analysis, design help and architectural advice help more than a penetration test close to the launch date. We can help you find out whether a chosen third-party software is secure enough, a GitHub repo looks trustworthy or a design pattern can resist real-life attacks.

In the past, we helped many projects during the design phase and early development stages by pointing out hidden risks and possible security pitfalls – before any code was written. Getting professional security advice before the majority of the code is written often saves a lot of energy and helps especially young projects to focus on what they need to do: code safely without worrying about a bitter end.

Training and consulting

Cure53 delivers a range of web security related training courses, ranging from a single, intense day to a full five-day week. Trainings are available in German and English and are carried out by one, two or even three members of the team, depending on the number of participants.
Cure53 has carried out several dozen web security trainings in Germany, Belgium, Switzerland, the UK and even India. We have trained small startups as well as major telecommunication providers, government institutions, university students and full-grown, well-experienced web penetration testers.

Our trainings are known to be intense and a fire-hose of knowledge – almost too much to take. Needless to say, all participants will get a copy of the training slides with examples, links and more. Questions arising after the training event will be answered by our team as part of the package.
We frequently offer training courses at conferences, but focus on corporate trainings for classes of 10 to 25 students (and masters – many trainings end with us learning new things as well). To learn about course contents, get a preview of the training slides or ask for a quote, please contact us!

Incident management, web malware analysis

"We got hacked. Do what now?" Cure53 helps answer the most pressing questions after an incident has happened, can help track down the root cause and assists in finding ways to make sure it doesn't happen again. We can further help in making your backend a bit safer – to minimize the damage in case the unpleasant event ever happens again. Cure53 has helped migrate millions of user accounts to secure password storage and communicate security fixes to unwilling third-party vendors.

Our team has years of academic and industry experience in web malware analysis, code de-obfuscation and attack detection – heck, we even came up with several obfuscation techniques that are now visible in the wild. If you got stung by something weird and wish to know what it was, we might be the ones to help you quickly and efficiently. A strange piece of JavaScript, a weird PDF or some nasty chunk of heavily obfuscated PHP code – we know how to help you find out what it really does!


Download articles and papers

Pentest Reports

Note that all those reports have been proudly published upon explicit request by the project maintainers, or by the party that sponsored the penetration test in coordination with the project maintainer.

Papers

Presentations

Tools & Software


Who are these people?

Meet the Cure53 Team


For business enquiries please contact

mario@cure53.de

+49 1520 8675 782

We speak PGP and S/MIME

Cure53, Dr.-Ing. Mario Heiderich
Rudolf-Reusch Str. 33
D-10367 Berlin
Fon +49 1520 8675782

Tax-ID: 32/336/00536
VAT: DE-275774772

We accept Bitcoin: 1HREftqT3VGRAzFGc3J9JhS2Grjit2rMrf
We use miniLock: 288hMTND7mS8Jc19QeXyUad34Drvicu9RSjJjUmayajHdD

During our assignments we are insured by the Gothaer Allgemeine Versicherung AG
