We are hiring yet again - pentester job

We are looking for a penetration tester again. The business has been growing steadily and we need more people.

We will prefer somebody from Belgium or the EU, but will also consider applications from other countries. We are located in Brussels, Belgium. The job is full time, mostly on customer sites in Belgium.

qsslcaudit release v0.4.0

Our tool for assessing the security of TLS clients (certificate validation, protocol and cipher support) has received several updates and reached version v0.4.0.

TLS clients are now analyzed more precisely, the summary table is now colored, and a few bugs were fixed.

Give it a try. GitHub's issue tracker is at your service.

qsslcaudit repository

Man-in-the-Conference-Room - Part II (Hardware Hacking)

In this post I'll describe how I used hardware hacking techniques to get more information about the device and dump its internal storage. If you missed the introductory post you can find it here: Man-in-the-conference room - Part I (Introduction). Let's start right away!

If we remove the two enclosure screws and open it up, we immediately identify two pinout slots:


Back in 2017 a small device appeared on my desk. A wireless presentation device that one of our customers wanted to deploy on its premises, but not before we had audited it first.

The idea behind those devices is pretty simple: instead of running from meeting to meeting with HDMI and VGA cables in your pockets, just leave a device connected to a presentation screen at all times and let presenters connect to it using a client application on their laptop or smartphone. These presentation devices are usually deployed in large companies or universities and cost between $800 and around $1800, depending on their features.

The device in question was an Airmedia AM-101, and in this blog series I'll describe the complete process I followed to test it. Hopefully this can serve as some kind of cheat sheet for folks starting in the field.

JTAG Enumeration Tool

JTAG enumeration rig
Pavel has released go-jtagenum. This project is a port of JTAGenum and JTAGulator to Go. It is meant to be used under Linux (or any OS that Go supports) on a device with GPIO lines exported to userspace; the Raspberry Pi 1, 2 and 3 are the best-known examples.

TCP to WebSockets proxy in python

There seem to be a few proxies that can convert a WebSockets connection to TCP, but I couldn't find anything that goes the other way around. Having the task of sending crafted messages over a WebSockets connection made me write one. A TCP to WebSockets proxy allows me to use netcat as a WebSockets client.

I have used the code developed by our Quentin and added things like proper command-line options, upstream proxy support (to tunnel it through Burp) and multithreading.

The tool is written in Python and uses the websocket library.

Secure file upload in PHP web applications

This is an old paper I wrote about vulnerabilities in file upload implementations in PHP web applications. The web site it used to live on no longer exists, so I thought I'd repost it here to have it close at hand. It is relevant to other web application technologies (Java, .NET, etc.), but all the examples are for PHP.


Burp is Going to Support PKCS#11

Great news - PortSwigger is working on PKCS#11 support (SSL client certificates stored on hardware tokens, such as smart cards) for Burp. I got to try the test build - it works perfectly with Belgian eID on Linux.

I am really happy about it - no more awkward chaining of proxies and SSL tunnels to get the job done.


MagicTree 1.3 - important bug fixes and support for IBM Rational AppScan

We have released MagicTree 1.3. It fixes several nasty bugs that may lead to data corruption, so we recommend that everybody who uses MagicTree upgrade. New features include support for AppScan XML and better handling of Imperva Scuba XML.

Here is the full change log:
