Fine penetration tests for fine websites

Wed 22 Apr 2020, 10:03:06 CEST

Pro-bono Pentests for COVID-19-related Apps & Software

Pro-bono program helping organizations & developers to secure their applications

What is it?

COVID-19 poses a grave danger to the world due to the high rates of spreading and the virus continuing to affect different geographical locations. A global slowdown appears to be a foregone conclusion to the lockdown.

To assist public health officials in their efforts to reduce the pace of spreading of the disease caused by COVID-19, several companies and independent developers are currently creating new applications and technologies. At the same time, cybercriminals may still try to take advantage of insecure software, seeking gains both despite and because of the crisis. Hence, the infosec community is initiating a pro-bono program aimed at helping healthcare organizations. Through this program, we offer pentesting services as a means to decrease the risks of cyberattacks and data theft.

Whether you are a member or leader of a larger organization or a developer interested in getting a pentest for free while you work on diminishing the effects of the global pandemic, please click the link at the bottom of the article and express your wish to participate in the program.

General Format

We welcome proposals from organizations and developers working on software and technologies aimed at slowing down the virus, limiting negative consequences of the outbreak or helping those affected. Any organization developing an app, website, software or comparable tools for fighting against COVID-19 and its implications can apply for this program to receive a free penetration test, inclusive of a report and additional support services. The program will be accepting applications from 22nd of April 2020 until 11th of May 2020.

Once the Call for Proposal is closed, the Organizers / Project committee will review the proposals on the basis of their suitability, excellence, impact and the COVID-19-related goals. The applicants will be notified by i.e. email about the outcomes of the selection process. The list of winners will be published after the notification was received and confirmed.

The selected organizations or individuals will then sign a legally-binding and mutual NDA with the organizers to make sure that pro-bono work happens in a secure framework. While the Organizers will do their best to accommodate schedules and technical preferences of the selected project-maintainers, they reserve the right to decide on implementation and timelines.

Project Committee

• Sandeep Kamble, Founder of SecureLayer7.
• Dr.-Ing. Mario Heiderich, Founder of Cure53.
• Markus Vervier, Managing Director at X41 D-Sec GmbH.
• Gregor Kopf, Secfault-Security GmbH.

Participate Now!

The organization or individuals interested in this program can use this link to fill in a dedicated application form. Thanks for your interest and good luck!

Wed 16 Oct 2019, 15:15:06 CEST

“Study the Great Nation" Mobile Application: Cure53 Analysis FAQ

In August and September 2019, the Cure53 team was tasked by Open Technology Fund (OTF) with analyzing a mobile app known as “Study the Great Nation”. A report was created by Cure53 and made available to OTF. In October 2019, several news articles were released. By October 2019, the report and app received a wide-spanning media coverage, yet it has come to Cure53's attention that some clarifications on the reported findings are necessary.

This post collects arising questions and seeks to provide some answers. The main intention is to make it possible for the general public and other audiences to get a better overview and understanding of the project. Cure53 wishes to comment on the auditing process, test parameters, as well as the findings communicated to OTF by Cure53. Special attention is given to the possible implications that the spotted technical issues can have on the users of the "Study the Great Nation" app.

Note that this article might be updated if additional questions are submitted to Cure53.

Q1: Where did Cure53 obtain the mobile application?

We used the official website to download the application. Cure53 did not experience any problems downloading the application file.

Q2: Which exact version was inspected?

The following version information was extracted from the inspected APK:
package: name='cn.xuexi.android'
versionCode='2510'
versionName='2.5.1'

Sha256:
ff0494e6d108510cc9782c493323333f8be0a2439d9ab7578295735279d0b6b2

A copy of the analyzed APK can be obtained here.

Q3: Does the application come with a super-power backdoor?

The code snippets Cure53 spotted and documented indicate the possible presence of a functionality that might - under certain conditions - be used as a backdoor against rooted devices or Android devices that have been tampered with. Cure53 found no evidence of a backdoor that would affect off-the-shelf devices.

As with any spotted code fragments, it could be that the code identified has simply remained as leftovers of clumsy development, parts of utilized packages or artifacts that were not malicious by design.

Q4: What tools did Cure53 use for the analysis?

Cure53 made use of jadx dev build (v.1.0.0) and apktool (v.2.3.4)

Q5: What were the analytical strategies? What did Cure53 look for and how?

Cure53 received a set of questions to focus on from OTF. The questions asked by OTF can all be found in the report and determined the structure for the analysis as well as the issue classification used in the report. Cure53 aimed to answer those questions in an unbiased objective way, despite the results that were unveiled in earlier audits also conducted by Cure53 against IJOP and Feng Cai - technologies that were found to be used for repressive surveillance purposes by authorities in China. Cure53 recognizes that it is possible that the findings of these previous audits could lead Cure53 to anticipate similarly malign uses in this different app, given its source.

The Cure53 team attempted to decompile the APK and de-obfuscate the sources. Based on the results, the team focused on the questions posed by OTF, answering them in a technical manner as detailed and as bias-free as possible. It should be noted that there were certain time constraints imposed.

Q6: Did Cure53 investigate the entire code base?

No, significant parts of the code remained obfuscated and resilient to the de-obfuscation attempts used by the team. Given the limited time-frame, further analysis is needed to find out what else the mobile application is doing.


Do you have additional questions regarding the analysis of the app conducted by Cure53? Please send us an email and we will answer either directly or might update this post and let you know when that happens.

Wed 29 May 2019, 11:23:21 CEST

Cure53 Audit of Chinese ‘Police App’

The Feng Cai app appears to be used by police to scan a subject’s phone for specific content, with the captured data then sent to a local file server “without any protections.”

An app that appears to be used by security forces in China scans for and collects a large amount of information from a subject’s phone, with that data then uploaded to a local file server “over clear-text HTTP without any protections,” an audit by Cure53 finds.

The audit, conducted in March 2019, analyzed the “Feng Cai” app to assess its functionality, security features, and whether it appears to violate users’ basic human rights. Cure53’s assessment found that the app gathers information including all phone contacts, stored text messages (SMS), call log history, calendar entries, phone hardware information, all information for various installed apps, and specific data from certain China-specific apps. All of this data is then uploaded to a local server unencrypted.

Compared with previously OTF-supported and Cure53 conducted assessments of known similar apps like JingWang and IJOP, Feng Cai is different in both fashion and function. Feng Cai appears to be used surreptitiously - installed, used, and uninstalled in a single session. The app is very simple in terms of its user interface, with just three available functions: Scan, Upload, and Uninstall. Unlike JingWang or IJOP, the Feng Cai app features no branding, using the default Android icon, for example. This, along with the app’s core functions, informs Cure53’s view that the app is likely used in one-off encounters by security forces.

The app, using the default Android icon

The app, after opening, ready to scan

In terms of functionality, Feng Cai serves a different purpose than the aforementioned apps. The Feng Cai app “requires more permissions than JingWang,” which similar to Feng Cai performs a scan for certain files. However, unlike Feng Cai, JingWang’s design suggests that “it is meant to remain” on a user’s phone. Cure53 assesses that “Feng Cai is more intrusive than JingWang” in part because available evidence suggests that the app is used without the user’s knowledge or consent. “IJOP is the least similar” of the three apps, “merely by being a reporting tool for the police and not a scanning/spy tool,” Cure53 says.

In terms of human rights violations, Cure53 found it “evident and undeniable that the application is capable of collecting and managing vast amounts of very specific data.” Between the large amounts of data collected, the transmission of that data to “a local police file server,” and the apparent scanning of files for specific, “forbidden” content, Cure53’s audit suggests that “violations of human rights indeed take place.” Cure53 utilized the framework provided by the European Convention on Human Rights (ECHR) in making judgements related to the app’s potential to violate human rights.

Read the full report here.

This audit was supported by the Open Technology Fund (OTF). Cure53 is an OTF Red Team Lab partner, carrying out audits of both internet freedom technologies and also tools suspected of violating basic human rights. To learn more or request an audit, visit the Red Team Lab.

Wed 20 Sep 2017, 08:41:21 CEST

Cure53 Browser Security White Paper was released

Almost all we know about Browser Security in one paper

For over 100 days, seven Cure53 researchers dedicated their efforts to a large-scale project resulting in the publication of the Cure53 Browser Security White Paper 2017. It must be mentioned that while the project was funded by Google, Cure53 decided on specific tests and methods, making sure that our verdict can be fair and bias-free.

This BSWP comes at an important moment, just as we witness the browser security landscape becoming increasingly complex and difficult to navigate for decision makers. Therefore, the aim of this work appeared deceivingly simple in that we set out to find out how three modern browsers fare in terms of security in an enterprise context. In other words, we needed to deliver a tripartite comparison of MS Internet Explorer, MS Edge, and Google’s Chrome, as these were the three browsers selected by the funding body.

As you can imagine, the actual work needed to deliver both broad and in-depth overview was tremendously extensive. Cure53 paper authors and researchers involved - namely Mario Heiderich, Alex Inführ, Fabian Fäßler, Nikolai Krein, Masato Kinugawa, Filedescriptor and Dario Weißer, had to craft and use a wide range of testing methodologies. Due to the scope and scale of the project, we worked in dedicated teams, corresponding to the five priority research areas we determined vital for the enterprise context. Specifically, in the first three chapters, the paper showcases findings of our investigations of the browsers in connection to memory safety features, web security in terms of both CSP, XFO, SRI and other features, as well as security linked to DOM. Next, we have dedicated considerable attention to researching security features of browser extensions and plugins. Finally, we addressed the fifth realm of UI security. Quite clearly, all five of these areas must be considered when one seeks to choose the most adequate and apt solution for their specific enterprise context.

We strongly believe that the Cure53 Browser Security White Paper can be of interest to the IT security community, as it provides a much needed update on many issues that various stakeholders encounter in their everyday and work-related browsing experience. We tried to deliver a paper that is as thorough as possible, which resulted in a publication exceeding 300 pages. To facilitate this long read, we also include informative summaries, as well as colorful scoring tables that highlight the three-way comparison of MS Internet Explorer, MS Edge, and Google’s Chrome. We hope that you will find the reading interesting and rewarding, just as we had very much enjoyed the possibility of conducting research not only on the industry-crucial but also our personal favorite IT security topics.

We encourage you get the paper here and take a look.

Fri 07 Aug 2015, 10:36:21 CEST

Exploiting Websites by using offensive HTML, SVG, CSS and other Browser-Evil

Web-Security Training Event in Berlin,
November 2015

We are happy to announce that our popular training event is being offered in Germany this November! This two-day training will be given by Dr.-Ing. Mario Heiderich and held in the heart of Berlin. This is a highly recommended event for penetration testers and security developers, giving you insights on countless tricks and techniques of exploiting the (seemingly) unexploitable! We will cover a great range of modern website bugs and teach you how to make sure that these issues get fixed properly and smoothly.

Click here for more info!

Mon 23 Feb 2015, 09:59 CET

About DOMPurify 0.6.1 and Pentesters getting Pentested


Together with Frederic Hemberger, the Cure53 team co-maintains a DOM-only HTML, SVG and MathML sanitizer library called DOMPurify. Although it has just last year begun as an experiment, it quickly took off and is now increasingly used by more and more people as well as applications. We even benefit from it ourselves when working on various internal projects.

DOMPurify is a security library and attempts to prevent XSS attacks and other nastiness where a malicious user can control HTML that later is either used or displayed by the targeted application or website. Its task is therefore not a trivial one, especially given the quirky nature of HTML, SVG and most importantly browsers. In fact, we run a good load of unit tests against DOMPurify before each new release, with many of the maintainers having solid background in XSS and/or HTML and extensive knowledge on how browsers work. In addition, we offer a public smoke-test in which people can test the library and try to find bypasses.

Still, we didn't feel overly comfortable about the security of our tool. Browsers are weird, legacy features are legion and other XSS filters get bypassed all the time. Heck, many of them were bypassed by yours truly in the past, which is just yet another reason for why we created the DOMPurify in the first place. A sheer reliance on our own knowledge about how browsers and XSS work combined with frequent help from the community was supposed to give us a good protective umbrella. And indeed, DOMPurify has not been broken in a long time, so we even started to create feature releases that no longer had to rely on fixing bypasses at all.

Nevertheless, a feeling of being ahead of the game – overestimating your safety and security can easily turn you into a sitting duck, prone to birthing the next big attack vector. In our case, that would be a bypass allowing for XSS occurring regardless of DOMPurify being in place. In order to do all in our power to prevent that, we decided to get a paid third-party pentest.

We started to wonder – who do you sign on for such a specific case? We decided to inquire with a fine gentleman known as @filedescriptor. He recently published several amazingly complex and mind-blowing XSS challenges. Not only did he write in great detail about the IE UXSS, but he even found a way to make XSS possible without user interaction. Quite obviously, he has a good level of knowledge about how browsers and especially HTML and JavaScript work. After negotiating a price, reaching a time-line and defining a general scope, the audit started in mid February 2015 and yielded results that we don't want to keep secret from you. The full pentest report created by @filedescriptor can be found here.

DOMPurify 0.6.0 Pentest report

One of the results of the pentest was a decision to completely drop the support for MSIE9. It is simply not possible to secure this browser against XSS in case a user has control over the HTML that an application uses. A nasty class of attacks known as mXSS is mainly to blame here. While MSIE9 does not support CSS expressions anymore, it is still very vulnerable against in-browser HTML mutations which lead to Mutation XSS or mXSS. The report shows several examples for this. After a brief analysis phase, both our team and @filedescriptor decided that it no longer made sense to keep supporting MSIE9 at all cost. But does that mean that DOMPurify will not work with MSIE9 anymore? No. We simply cannot handle the risk of a MSIE9 bypass and therefore proceed the same way that we handle older IE versions. We have the dirty HTML string cleaned by MSIE's toStaticHTML() rather than our own far more content-tolerant code.

Another lesson learnt from the test is that you just cannot trust the DOM. Even if you think you are doing it right, check for types, protect against DOM Clobbering and other attacks, the DOM often acts on its own and does things that at first glance seem to be little glitches but eventually blow up in your face once they take place in a security context. Did you know that typeof document.all yields undefined although document.all is present? Did you know that only the in operator delivers reliable results for property checks? Did you know that Double-Clobbering can function as a multi-stage attack against your DOM by overwriting property after property in several steps until the final payload unfolds and results in XSS? The DOM sucks hard. Persistently. And it will continue to be atrocious and make client-side security very hard to accomplish, in spite of more and more applications residing exclusively in the DOM.

While the third result of the test is in principle not new, we nevertheless experienced it for the first time. Even and perhaps especially security people need to get third-party audits. We are neither free from producing bugs, nor immune to discovering and addressing all the nasty little details that are out there. Our software can be buggy too and we're not exempt from the rules that apply to software that is not written by auditors, pentesters or security researchers. Not seeing the forest for the trees in your own software is not a crime. Ignoring that fact and not getting a pentest when you are close to a release, however, might become one, as it endangers the security of your users. And who knows in which critical context the library is used?

Last but not least we want to thank @filedescriptor for his amazing performance and high-quality pentest. We would embark on it again in a heartbeat and most likely will. The decision to get audited was an important and beneficial one – both for us and everyone in our user-base, including all the people who use DOMPurify in a web-crypto context. So once again, thank you - @filedescriptor, and many thanks to all our users for their trust. We'll try to keep the security level as high as it is right now. Let's make the DOM a safer place by learning how it works and providing tools for working with it safely and securely!

Fri 19 Jul 2013, 12:00:21 CEST

Cure53 Pro-Bono Pentest Summer 2013

Apply for 5 days of free penetration testing!

What's going on?

We are proud to announce a first edition of the Cure53 Pro-Bono Pentest competition. This means that one lucky open source software project with humanitarian, privacy- or security-related focus will win a full work week donated by the Cure53 Team exclusively to their vision.

What's at stake?

Beat the competition and you'll get 5 (that's five!) full days of free penetration testing, including report, fix support and follow-up communication. It is up to you to decide whether the final test report is to be published or not. No strings attached, no small-print. Just five days of our time for your project. Period.

How does it work?

Starting today (19th of July), you can submit an application for a pro-bono pentest of your open source software project by sending us an email with a short description of your idea and an answer to a simple question: What makes your project deserve a free pen-test from us? That's all..

Deadline for applications is set to mid August (the 19th to be precise, 23:59:59 GMT+1). We will then have a look at all applications and chose the one we deem most important, relevant and best fitting in terms of Cure53 strengths and interests. We will notify the applicants and announce the winner right afterwards.

Looking forward to hearing about your projects. Good luck!

Sat 13 Jul 2013, 19:56:29 CEST

HackPra Allstars Conference Track

Offensive security track at OWASP AppSec EU 2013 in Hamburg

General Info

Cure53 will sposor and co-host the HackPra Allstars conference track accompanying the OWASP AppSec EU 2013 in Hamburg, Germany

HackPra Allstars is delivering in one full day what the legendary HackPra does in one semester! HackPra Allstars will present the finest, hand selected talks from prolific speakers and top-tier researchers in the field of web-security (and the lack thereof).

You can think of the HackPra Allstars as a conference inside a conference — offering you one day with the most interesting influencers in today’s web application security and in-security.

The HackPra Allstars is a dedicated invited speakers track at the OWASP Research 2013 conference on August 22. The track will be open to all regular attendees of the main conference.

Speakers

The HackPra Allstars line-up consist of the following gentlemen:


The HackPra Allstars Keynote will be held by Prof. Dr. Jörg Schwenk, NDS, RUB

Top

Learn about the services we offer

Penetration tests for online services

Cure53 offers classic black-box penetration tests (zero-knowledge) as well as white-box tests and code audits. Web application and mobile app developers speak many languages and so do we. From classic languages as PHP, JavaScript, ActionScript, Java, Ruby, Python and Perl to more exotic candidates like web back-ends written in C++ and Delphi – we've seen them. During our assignments we appreciate contact to the development team to be able to discuss bugs, vulnerabilities and fixes as quickly as possible. At the time of report submission, all critical bugs we spotted are usually fixed already – or soon thereafter.

Our assignments don't end with the report submission. Ongoing communication and knowledge transfer are part of the package – we rarely experience the often mentioned gap between development and security.
Since Cure53 was founded in 2007, we have performed several hundreds of penetration tests against all kinds of web applications, online services, hardware interfaces, mobile applications, libraries and crypto tools. We value manual and thorough tests, human interaction and communication and a short yet to-the-point penetration test report without overhead or pie charts no one wants to see.

Security analysis and architectural advice

Sometimes security advice is necessary before a penetration test would even make sense. Especially for young and quickly developing projects, an early security analysis, design help and architectural advice help more than a penetration test close to the launch date. We can help finding out if a chosen 3rd party software is secure enough, a github repo looks trustworthy or a design pattern can resist real-life attacks.

In the past, we helped many projects during the design phase and early development stages by pointing out hidden risks and possible security pitfalls – before any code was written. Getting professional security advice before the majority of code is written often saves a lot of energy and helps especially young projects to focus on what they need to do: code safely without worrying about a bitter end.

Training and consulting

Cure53 delivers a range of web security related training courses that range from a single, intense day to a full five day week. Trainings are available in German and English language and are carried out by one, two or even three members of the team depending on the number of participants.
Cure53 has carried out several dozens of web security trainings in Germany, Belgium, Switzerland, UK and even India. We have trained small startups as well as major telecommunication providers, government institutions, university students as well as full-grown well-experienced web penetration testers.

Our trainings are known to be intense and a fire-hose of knowledge – almost too much to take. needless to say all participants will get a copy of the training slides with examples, links and more. Questions arising after the training event will be answered by our team as part of the package.
We frequently offer training courses on conferences, but focus on corporate trainings for classes of 10 to 25 students (and masters – many trainings end with us learning new things as well). To learn about course contents, get a preview to the training slides or ask for a quote please contact us!

Incident management, web malware analysis

"We got hacked. Do what now?" Cure53 helps answering the most pressing questions after an incident has happened, can help tracking down the root cause and assists in finding ways to make sure it doesn't happen again. We can further help in making your backend a bit safer – to minimize the damage in case the unpleasant event ever happens again. Cure53 has helped migrating millions of user accounts to secure password storage and communicating security fixes to unwilling third-party vendors.

Our team has years of academic and industry experience in web malware analysis, code de-obfuscation and attack detection – heck, we even came up with several obfuscation techniques that are now visible in the wild. If you got stung by something weird and wish to know what it was, we might be the ones to help you quickly and efficiently. A strange JavaScript, a weird PDF or some nasty piece of heavily obfuscated PHP code – we know how to help you find out what it really does!

Top

Download articles and papers

Pentest Reports

Note that all those reports have been proudly published upon explicit request by the project maintainers, or the party that sponsored the penetration test in coordination with the project maintainer. The links below are ordered by publication date.

2021

2020

2019

2018

2017

2016

2015 and earlier

White Papers

Academic Papers

Presentations

Tools & Software

Top

Who are these people?

Meet the Cure53 Team

Top

For business enquiries please contact

[email protected]

+49 1520 8675 782

We speak PGP and S/MIME

Cure53, Dr.-Ing. Mario Heiderich
Bielefelder Str. 14
D-10709 Berlin
Fon +49 1520 8675782

Tax-ID: 24/336/01449
VAT: DE-275774772

We accept Bitcoin (BTC), Bitcoin Cash (BCH) and Ethereum (ETH). Bill.com and Veem also work for us.

During our assignments we are insured by the Gothaer Allgemeine Versicherung AG






Top
Impressum Datenschutz