Recent research on web security and related topics. Provided and maintained by members and friends of the Chair for Network and Data Security at the Ruhr University Bochum, Faculty of Electrical Engineering and Information Technology, Horst Görtz Institute for IT-Security.
We found out that many TLS implementations are still vulnerable to different variations of a 19-year old Bleichenbacher's attack. Since Hanno argued to have an attack name, we called it ROBOT: https://robotattack.org
Given the new attack variants, we released a new version of TLS-Attacker 2.2, which covers our vulnerabilities.
In this post we will show why Gridcoin is insecure and probably will never achieve better security. Therefore, we are going to explain two critical implementation vulnerabilities and our experience with the core developer in the process of the responsible disclosure.
In this post we will take an in depth look at the cryptocurrency Gridcoin, we show how we found two critical design vulnerabilities and how we fixed them.
In the last past years we saw many scientific publications about cryptocurrencies. Some focused on theoretical parts [Source] and some on practical attacks against specific well-known cryptocurrencies, like Bitcoin [Source]. But in general there is a lack of practical research against alternative coins. Or did you know that there are currently over 830 currencies listed online? So we asked ourselves how secure are these currencies, and if they are not just re-branded forks of the Bitcoin source code?
Gridcoin is an Altcoin, which is in active development since 2013. It claims to provide a high sustainability, as it has very low energy requirements in comparison to Bitcoin. It rewards users for contributing computation power to scientific projects, published on the BOINC project platform. Although Gridcoin is…
Recently, the theoretical and practical analysis of secure instant messenger protocols received much attention, but the focus of prior evaluations mostly lay in one-to-one communication. In this blog post we want to presents the results of our work that focuses on group chat protocols of three major instant messenger applications; namely Signal, WhatsApp, and Threema.
In this blog post, we aim to focus on the practical impact and the found weaknesses identified by our analysis. The interested reader may also look into our paper for more details.
Inspired by James Kettle's great OWASP AppSec Europe talk on CORS misconfigurations, we decided to fiddle around with CORS security issues a bit. We were curious how many websites out there are actually vulnerable because of dynamically generated or misconfigured CORS headers.
The issue: CORS misconfiguration
Cross-Origin Resource Sharing (CORS) is a technique to punch holes into the Same-Origin Policy (SOP) – on purpose. It enables web servers to explicitly allow cross-site access to a certain resource by returning an Access-Control-Allow-Origin (ACAO) header. Sometimes, the value is even dynamically generated based on user-input such as the Origin header send by the browser. If misconfigured, an unintended website can access the resource. Furthermore, if the Access-Control-Allow-Credentials (ACAC) server header is set, an attacker can potentially leak sensitive information from a logged in user – which is almost as bad as XSS on the actual website. Below is a list of CORS misc…
When we published our research on network printer security at the beginning of the year, one major point of criticism was that the tested printers models had been quite old. This is a legitimate argument. Most of the evaluated devices had been in use at our university for years and one may raise the question if new printers share the same weaknesses. 35 year old bugs features
The key point here is that we exploited PostScript and PJL interpreters. Both printer languages are ancient, de-facto standards and still supported by almost any laser printer out there. And as it seems, they are not going to disappear anytime soon. Recently, we got the chance to test a $2,799 HP PageWide Color Flow MFP 586 brand-new high-end printer. Like its various predecessors, the device was vulnerable to the following attacks:
arguably to the most common devices we use. They are available in
every household, office, company, governmental, medical, or education
From a security
point of view, these machines are quite interesting since they are
located in internal networks and have direct access to sensitive
information like confidential reports, contracts or patient recipes.
TL;DR: In this blog
post we give an overview of attack scenarios based on network
printers, and show the possibilities of an attacker who has access to
a vulnerable printer. We present our evaluation of 20 different
printer models and show that each of these is vulnerable to multiple
attacks. We release an open-source tool that supported our analysis:
PRinter Exploitation Toolkit (PRET)
Full results are
available in the master thesis of Jens Müller and our paper.
Furthermore, we have
set up a wiki (http://hacking-printers.net/) to share knowledge on
This post is about PKCE [RFC7636], a protection mechanism for OAuth and OpenIDConnect designed for public clients to detect the authorization
code interception attack.
At the beginning of our research, we wrongly believed that PKCE protects mobile and native apps from
the so called „App Impersonation“ attacks. Considering our ideas
and after a short discussion with the authors of the PKCE
specification, we found out that PKCE does not address this issue.
In other words, the
protection of PKCE can be bypassed on public clients (mobile and
native apps) by using a maliciously acting app.