Last Call for your Web Application Security Training – Break all teh Web and enjoy it!

René Pfeiffer/ November 9, 2018/ Conference, Security

The Internet is full of web applications. Sysadmins used to joke that HTTP is short for Hypertext Tunnelling Protocol, because anything but web content is transported via HTTP these days. It’s the best way to break out of restricted environment, too. So the chances are good that you will need the skills for dealing with all kinds web. Fortunately our training Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation conducted by Dawid Czagan has a few seats left. Don’t get distracted by the title. Focus on the phrase full-stack exploitation. It’s not just about sending HTTP requests and seeing what the application does. It’s all about using the full spectrum of components and technologies used for modern web applications. The training is not only suited for information security researchers. The course addresses REST

Read More

Disclosures, Jenkins, Conferences, and the Joys of 0Days

René Pfeiffer/ November 17, 2016/ Conference, Discussion, High Entropy

DeepSec 2016 was great. We have slightly recovered and deal with the aftermath in terms of administrivia. As announced on Twitter, we would like to publish a few thoughts on the remote code execution issue found by Matthias Kaiser. He mentioned the possibility in this presentation titled Java Deserialization Vulnerabilities – The Forgotten Bug Class. First let’s explain some things about how DeepSec runs the Call for Papers, the submissions, and the conference. During the Call for Papers process our speakers send us title, abstract, and mostly an in-depth description of the presentation’s content. This means that we usually know what’s going to happen, except for the things that are actually said and shown during the presentation slot. Since we do not offer any live video streams and publish all presentation slides after we

Read More

Information Warfare: “Breaking News” considered harmful

René Pfeiffer/ August 31, 2016/ Discussion, High Entropy

Eight years ago the stocks of UAL took a dive. Apparently a six year old news article resurfaced via Google. Googlebot, which is used to index news sites, confused one of the most popular web articles of The Sun-Sentinel with breaking news. The story contained the words United Airlines Files for Bankruptcy. Unfortunately a software error turned the date of the original story from 10 December 2002 to 6 September 2008. And so this little piece of misinformation due to the time travel caused a lot of havoc with UAL’s stock price. A little misunderstanding. Fortunately it was not a cyber attack, because the word was used rarely back then. Breaking news can break things, hence the name. It happens with data leaks, password leaks/breaches (depending on which side you are), incomplete reports, social

Read More

Of Web Apps, Smartphones and Data Leaks

René Pfeiffer/ October 6, 2011/ High Entropy

Just digging through the backlog of the past days. Someone shot me a quick link to a web site showing an administrative interface. I failed to see the significance right away, because the link was sent by chat with an URL obfuscator shortener. I know discovered the corresponding blog post to this issue. Coincidentally I was talking on the phone today about AnonAustria’s latest publications. Apparently they found the addresses of Austrian police staff online. The claim is that the data was sitting on a web server and could be downloaded simply by guessing links. Yesterday the Austrian Chamber of Commerce confirmed a data leak covering more than 6.000 data sets of customers (400 of them complete with bank accounting information). The data leak looks like a web server „glitch“, too. AnonAustria referred to

Read More