Leap Year for DeteAct
2020 was rough. But to be fair, not for most IT companies. We’ve almost managed to triple our revenue (162+% YoY growth) and scaled our team from 3 to 9 people. That kind
Last week, The Standoff, the large-scale five-day cyber training organized by Positive Technologies, ended. Our experts also took part in the competition as a Red Team. Six teams participated on the defense side and 29
Insecure Direct Object Reference (IDOR) is a very common type of weakness in the application authorization logic. The potential damage from IDOR exploitation can be either minimal or critical. Let’s consider some cases when the
During the recent Google CTF competition I solved a curious web security challenge called safehtmlpaste that required bypassing a certain HTML sanitizer. The vulnerable application allows users to create Pastes with HTML-formatted text in
The DeteAct team has recently conducted a security audit of the blockchain voting service that is part of the Waves Enterprise system. The Waves Enterprise system is a blockchain platform combining private and public networks. Waves Enterprise
(In Russian: https://blog.deteact.com/ru/csp-bypass/) Content Security Policy (CSP) is an additional security mechanism built into browsers to prevent Cross Site Scripting (XSS). CSP allows defining whitelists of sources for JavaScript, CSS, images, frames, XHR connections.
There are many different attacks under the name HTTP Request Smuggling. Let’s look at a simple example from the past SpamAndFlags CTF competition (I participated with the More Smoked Leet Chicken team and we sadly finished 2nd).
(In Russian: https://blog.deteact.com/ru/bitrix-waf-bypass/) UPD: CVE-2020-13758 assigned. Sometimes, when exploiting reflected XSS, the input parameters get injected directly into the body of the <script> tag. Typically, this means that the exploit is trivial: HTML entity encoding
(In Russian: https://blog.deteact.com/ru/common-flaws-of-sms-auth/) Many online services use SMS to authenticate users. But subtle implementation mistakes may lead to major problems. This is what we will talk about in this article. Intro: This authentication protocol is
This year’s ZeroNights conference was held on 12-13 November in Saint Petersburg. Our team participated in the Web Security Village, where Ramazan Ramazanov, a security researcher at DeteAct, presented his continued research about Doctrine Query