As you might have heard, we recently got our paper on padding oracle attacks accepted to the USENIX Security Conference. In this paper, we describe and evaluate a scanning methodology with which we found several padding oracle vulnerabilities in devices from various vendors. In total, we found that 1.83% of the Alexa Top 1 Million have padding oracle vulnerabilities.
Friday, March 29, 2019
Friday, March 22, 2019
Playing with TLS-Attacker
In the last two years, we changed the TLS-Attacker Project quite a lot but kept silent about most changes we implemented. Since we do not have so much time to keep up with the documentation (we are researchers and not developers in the end), we thought about creating a small series on some of our recent changes to the project on this blog.
We hope this gives you an idea on how to use the most recent version (TLS-Attacker 2.8). If you feel like you found a bug, don't hesitate to contact me via GitHub/Mail/Twitter. This post assumes that you have some idea what this is all about. If you have no idea, checkout the original paper from Juraj or our project on GitHub.
TLDR: TLS-Attacker is a framework which allows you to send arbitrary protocol flows.
We hope this gives you an idea on how to use the most recent version (TLS-Attacker 2.8). If you feel like you found a bug, don't hesitate to contact me via GitHub/Mail/Twitter. This post assumes that you have some idea what this is all about. If you have no idea, checkout the original paper from Juraj or our project on GitHub.
TLDR: TLS-Attacker is a framework which allows you to send arbitrary protocol flows.
Subscribe to:
Posts (Atom)
Beliebte Posts
-
When evaluating the security of XML based services, one should always consider DTD based attack vectors, such as XML External Entities (XXE)...
-
Inspired by James Kettle 's great OWASP AppSec Europe talk on CORS misconfigurations, we decided to fiddle around with CORS security i... -
Printers belong arguably to the most common devices we use. They are available in every household, office, company, governmental, medic... -
One year ago, we received a contract as a PDF file. It was digitally signed. We looked at the document - ignoring the "certificate is n... -
In this post, we provide a security analysis of Microsoft Rights Management Services (RMS) and present two working attacks: We complete...