2020 - Deteact - continuous information security services

Business Press releasesbusiness growth revenueLeave a comment

Leap Year for DeteAct

December 31, 2020February 15, 2021 beched

2020 was rough. But to be fair, not for most of the IT companies. We’ve almost managed to triple our revenue (162+% YoY growth) and scaled our team from 3 to 9 people. That kind

Business News Press releasesLeave a comment

Last week the large-scale five-day cybersecurity training The Standoff ended. Our experts also took part in the competition as a Red Team. Six teams participated on the defense side and 29 teams from different countries

Bug Bounty Research Uncategorized Web SecurityLeave a comment

Account Takeover via IDOR

September 4, 2020September 11, 2020 r0hack

Insecure Direct Object Reference (IDOR) is a very common type of weakness in the application authorization logic. The potential damage from IDOR exploitation can be either minimal or critical. Let’s consider some cases when the

Application Security CTF Research Web SecurityLeave a comment

Defeating Google Closure Library Sanitizer

August 27, 2020August 31, 2020 beched

During the recent Google CTF competition I solved a curious web security challenge called safehtmlpaste that required to bypass a certain HTML sanitizer. The vulnerable application allows users to create Pastes with HTML-formatted text in

Business News Press releasesLeave a comment

Security Audit of Waves Enterprise Voting

July 21, 2020July 21, 2020 beched

Deteact team has recently conducted a security audit of the blockchain voting service which is a part of Waves Enterprise system. Waves Enterprise system is a blockchain platform combining private and public networks. Waves Enterprise

Application Security Research Web SecurityLeave a comment

Content Security Policy Bypass

June 3, 2020June 4, 2020 beched

In Russian: https://blog.deteact.com/ru/csp-bypass/ Content Security Policy (CSP) is an additional security mechanism built into browsers to prevent Cross Site Scripting (XSS). CSP allows to define whitelists of sources for JavaScript, CSS, images, frames, XHR connections.

CTF Research Web SecurityLeave a comment

HTTP Request Smuggling

May 10, 2020May 11, 2020 beched

There’re many different attacks under the name HTTP Request Smuggling. Let’s look at a simple example from the past SpamAndFlags CTF competition (I participated with More Smoked Leet Chicken team and we sadly finished 2nd).

Bug Bounty Research Web SecurityLeave a comment

Bitrix WAF bypass

April 27, 2020June 4, 2020 r0hack

In Russian: https://blog.deteact.com/ru/bitrix-waf-bypass/ UPD: CVE-2020-13758 assigned Sometimes when exploiting reflected XSS the input parameters get injected directly into the body of the <script> tag. Typically, this means that the exploit is trivial: HTML entity encoding

Year: 2020