Recent Curesec Publications

HTTP Strict Transport Security (HSTS)
2017 Jan 27

This article will give a general overview of HTTP Strict Transport Security (HSTS) and discuss what attacks it tries to prevent, as well as how to use it correctly.

Plone: XSS
2017 Jan 26

Plone is an open source CMS written in Python. In version 5.0.5, the Zope Management Interface (ZMI) component is vulnerable to reflected XSS as it does not properly encode double quotes.

Tap 'n' Sniff
2017 Jan 19

Posted by Marco Lux, Mathis Hagen

This is the first of three articles about a cute sniffing device which can be used for red team assessments but for day-to-day analysis as well. In this part we will focus on setting up the basics.

Content Security Policy (CSP)
2016 Dec 20

Content Security Policy (CSP) is an HTTP header that can be used as defense in depth to mitigate certain types of attacks, especially Cross-site scripting (XSS) and Clickjacking. This article will explain when and how to use CSP.

Advanced Clickjacking Attacks
2016 Dec 08

It is often assumed that allowing a site to be framed only has minor security implications. Clickjacking in particular is often associated with low-impact issues such as stealing Facebook likes. This article will show that allowing a site to be framed may be a more potent attack vector than often assumed. Framing makes some vulnerabilities easier or more realistic to exploit. Clickjacking can be used for more than just stealing likes, and in some contexts Clickjacking can gain the full power of CSRF - albeit with more user interaction.

Reading Data via CSS Injection
2016 Dec 01

Because modern browsers do not allow the execution of JavaScript via CSS, CSS Injection is often seen as very limited, with the main dangers being defacement by placing images into the vulnerable application, or performing very limited phishing attacks by placing additional content in places where a user would not expect user-controlled data to show. This article will show that it is possible to use CSS Injection to read out secret data in a vulnerable web application, independent of the browser used by the victim. With a successful attack, it would for example be possible to read out an anti-CSRF token and thus to perform CSRF attacks.

The HS-110 Smart Plug aka Projekt Kasa
2016 Nov 24

In this article we are going to have a closer look at a Smart Plug from TP-Link together with its control app. In the process of investigating the product, we reverse engineered the firmware and the app, managed to control the Smart Plug and steal login credentials.

MyLittleForum 2.3.6.1: XSS & RPO
2016 Nov 10

MyLittleForum is forum software written in PHP. In version 2.3.6.1, it is vulnerable to reflected cross site scripting as well as relative path overwrite. XSS can be used to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection, and RPO may lead to CSS injection.

SPIP 3.1: XSS & Host Header Injection
2016 Nov 10

SPIP is a content management system written in PHP. In version 3.1, it is vulnerable to a persistent as well as a reflected cross site scripting vulnerability as it allows users to enter URLs containing the JavaScript protocol, which an attacker can exploit to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection. Additionally, it contains a Host Header Injection which may lead to the leakage of password reset tokens and thus the compromise of user accounts. Finally, the application discloses httpOnly cookies, making exploitation of XSS issues slightly easier.

Mezzanine 4.2.0: XSS
2016 Nov 10

Mezzanine is an open source CMS written in Python. In version 4.2.0, it is vulnerable to two persistent XSS attacks, one of which requires extended privileges, the other one does not. These issues allow an attacker to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection.