<!doctype html><!-- --> <html lang="en-US"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=0.45"> <meta name="description" content="Cure53 – Fine penetration tests for fine websites"> <title>Cure53 – Fine penetration tests for fine websites</title> <link rel="stylesheet" href="css/style.css"> </head> <body id="top"> <div id="menu"> <span><a id="home-anchor" href="#top">Home</a></span> <span><a id="services-anchor" href="#services">Services</a></span> <span><a id="publications-anchor" href="#publications">Publications</a></span> <span><a id="team-anchor" href="#team">Team</a></span> <span><a id="contact-anchor" href="#contact">Contact</a></span> <span><a id="impressum-anchor" href="/impressum.php">Impressum</a></span> <span><a id="datenschutz-anchor" href="/datenschutz.php">Datenschutz</a></span> </div> <div class="spacer"></div> <div id="index"> <div class="strapline">Fine penetration tests for fine websites</div> <div class="spacer"></div> <div class="index column"> <div class="headline services"> <a href="#services"><span class="gray">What we are good at</span><br>Services</a> </div> <div class="content">Penetration tests for online services</div> <div class="content">Security analysis and architectural advice</div> <div class="content">Training & Consulting</div> <span> <a href="#contact">Contact us</a> </span> </div> <div class="index column"> <div class="headline papers"> <a href="#publications-academic"><span class="gray">Recent</span><br>Academic Papers</a> </div> <div class="content"> <a href="https://link.springer.com/chapter/10.1007/978-3-319-66399-9_7" target="_blank">DOMPurify: Client-Side Protection Against XSS</a> </div> <div class="content"> <a href="http://syssec.rub.de/media/emma/veroeffentlichungen/2015/05/27/sanitization_issta15.pdf" target="_blank">An Em­pi­ri­cal Study of PHP Se­cu­ri­ty Me­cha­nism Use</a> </div> <div class="content"> <a href="https://cure53.de/es6-for-penetration-testers.pdf" 
target="_blank">ECMAScript 6 for Penetration Testers</a> </div> <span> <a href="#publications-academic">View all</a> </span> </div> <div class="index column last"> <div class="headline reports"> <a href="#publications-2023"><span class="gray">Recent</span><br>Pentest Reports</a> </div> <div class="content"> <a href="https://cure53.de/pentest-report_dedaub-metamask-snap.pdf"><strong>Pentest-Report Dedaub MetaMask Snap</strong> 12.2023</a> </div> <div class="content"> <a href="https://cure53.de/audit-report_nip44-implementations.pdf"><strong>Audit-Report NIP44 Implementations</strong> 11.-12.2023</a> </div> <div class="content"> <a href="https://cure53.de/pentest-report_tuum-hedera-snap.pdf"><strong>Pentest-Report Tuum Hedera Wallet Snap</strong> 11.2023</a> </div> <span> <a href="#publications-2023">View all</a> </span> </div> <div class="clear"></div> </div> <div class="spacer"></div> <div id="services"> <div class="services header"> <span class="black">Services</span> <span class="gray">Learn about the Services we offer</span> </div> <div class="services column first"> <div class="headline">Penetration tests for online services</div> <p> <strong>Cure53 offers classic black-box penetration tests (zero-knowledge) as well as white-box tests and code audits. Web application and mobile app developers speak many languages and so do we. From classic languages such as PHP, JavaScript, ActionScript, Java, Ruby, Python and Perl to more exotic candidates like web back-ends written in C++ and Delphi – we've seen them all.</strong> </p> <p> During our assignments we appreciate contact with the development team so that bugs, vulnerabilities and fixes can be discussed as quickly as possible. By the time the report is submitted, the critical bugs we found are usually fixed already – or soon thereafter. </p> <p> Our assignments don't end with the report submission. 
Ongoing communication and knowledge transfer are part of the package – we rarely experience the often-mentioned gap between development and security. </p> <p> Since Cure53 was founded in 2007, we have performed several hundred penetration tests against all kinds of web applications, online services, hardware interfaces, mobile applications, libraries and crypto tools. We value manual and thorough tests, human interaction and communication, and a short yet to-the-point penetration test report without overhead or pie charts no one wants to see. </p> </div> <div class="services column"> <div class="headline">Security analysis and architectural advice</div> <p> <strong>Sometimes security advice is necessary before a penetration test would even make sense. Especially for young and quickly developing projects, an early security analysis, design help and architectural advice help more than a penetration test close to the launch date.</strong> </p> <p> We can help find out whether a chosen third-party software component is secure enough, whether a GitHub repository looks trustworthy, or whether a design pattern can resist real-life attacks. </p> <p> In the past, we have helped many projects during the design phase and early development stages by pointing out hidden risks and possible security pitfalls – before any code was written. </p> <p> Getting professional security advice before the majority of the code is written often saves a lot of energy and helps young projects in particular to focus on what they need to do: code safely without worrying about a bitter end. </p> </div> <div class="services column last"> <div class="headline">Training and consulting</div> <p> <strong>Cure53 delivers web security related training courses that range from a single, intense day to a full five-day week. 
Trainings are available in German and English and are carried out by one, two or even three members of the team, depending on the number of participants.</strong> </p> <p> Cure53 has carried out several dozen web security trainings in Germany, Belgium, Switzerland, the UK and even India. We have trained small startups as well as major telecommunication providers, government institutions, university students and well-experienced web penetration testers. </p> <p> Our trainings are known to be intense and a fire-hose of knowledge – almost too much to take in. Needless to say, all participants get a copy of the training slides with examples, links and more. Questions arising after the training event will be answered by our team as part of the package. </p> <p> We frequently offer training courses at conferences, but focus on corporate trainings for classes of 10 to 25 students (and masters – many trainings end with us learning new things as well). To learn about course contents, get a preview of the training slides or ask for a quote, please contact us! </p> </div> <div class="clear"></div> </div> <div class="spacer"></div> <div id="publications"> <div class="publications header"> <span class="black">Publications</span> <span class="gray">Download articles and papers</span> </div> <p>Note that all these reports have been proudly published upon explicit request by the project maintainers, or by the party that sponsored the penetration test in coordination with the project maintainer. 
The links below are ordered by publication date.</p> <div class="publications subheader">Pentest Reports</div> <div class="publications column"> <span id="publications-2024">2024</span> <a href="https://cure53.de/pentest-report_keepassium.pdf" target="_blank"><strong>Pentest-Report KeePassium iOS Apps & Crypto</strong> 10.2024</a> <a href="https://cure53.de/pentest-report_antelope-snap.pdf" target="_blank"><strong>Audit-Report MetaMask Greymass Antelope Snap Codebase & Build</strong> 09.2024</a> <a href="https://cure53.de/pentest-report_hedera-snap_2.pdf" target="_blank"><strong>Audit-Report MetaMask Hedera Wallet Snap Codebase & Build</strong> 09.2024</a> <a href="https://cure53.de/audit-report_noble-crypto-libs.pdf" target="_blank"><strong>Audit-Report Noble Cryptography Libraries</strong> 08.2024</a> <a href="https://cure53.de/pentest-report_tuum-auth-snap.pdf" target="_blank"><strong>Audit-Report Tuum MetaMask AuthFlow Snap Codebase & Build</strong> 08.2024</a> <a href="https://cure53.de/pentest-report_mullvad_2024_v1.pdf" target="_blank"><strong>Pentest-Report Mullvad VPN Relay-Infrastructure</strong> 06.2024</a> <a href="https://cure53.de/pentest-report_expressvpn-vpn-extension_2.pdf" target="_blank"><strong>Pentest-Report ExpressVPN VPN Browser Extension</strong> 05.2024</a> <a href="https://cure53.de/pentest-report_psiphon_4.pdf" target="_blank"><strong>Pentest-Report Psiphon Tunnel Core Codebase</strong> 05.2024</a> <a href="https://cure53.de/pentest-report_psiphon-conduit-library_2.pdf" target="_blank"><strong>Pentest-Report Psiphon Conduit Integration Codebase</strong> 04.-05.2024</a> <a href="https://cure53.de/audit-report_distrust-toolkit.pdf" target="_blank"><strong>Audit-Report Distrust Keyfork Toolkit & Library</strong> 04.2024</a> <a href="https://cure53.de/pentest-report_hedera-snap.pdf" target="_blank"><strong>Audit-Report MetaMask Hedera Wallet Snap Codebase & Build</strong> 04.2024</a> <a 
href="https://cure53.de/pentest-report_passbolt-uwp-app.pdf" target="_blank"><strong>Pentest-Report Passbolt UWP Windows App</strong> 03.2024</a> <a href="https://cure53.de/pentest-report_IVPN_2024.pdf" target="_blank"><strong>Pentest-Report IVPN Websites & Servers</strong> 03.2024</a> <a href="https://cure53.de/pentest-report_metamask-signing-snap.pdf" target="_blank"><strong>Audit-Report MetaMask Signing Snap Codebase & Build</strong> 03.2024</a> <a href="https://cure53.de/pentest-report_rubic-snap.pdf" target="_blank"><strong>Audit-Report Rubic MetaMask Snap Codebase & Build</strong> 02.2024</a> <a href="https://cure53.de/pentest-report_bob-snap.pdf" target="_blank"><strong>Audit-Report BOB MetaMask Snap Codebase & Build</strong> 02.2024</a> <a href="https://cure53.de/audit-report_solidifi-staking-feature.pdf" target="_blank"><strong>Audit-Report SolidiFi Wallet Staking Feature</strong> 01.2024</a> </div> <div class="publications column right"> </div> <div class="clear"></div> <div class="publications column"> <span id="publications-2023">2023</span> <a href="https://cure53.de/pentest-report_dedaub-metamask-snap.pdf" target="_blank"><strong>Pentest-Report Dedaub MetaMask Snap</strong> 12.2023</a> <a href="https://cure53.de/audit-report_nip44-implementations.pdf" target="_blank"><strong>Audit-Report NIP44 Implementations</strong> 11.-12.2023</a> <a href="https://cure53.de/pentest-report_obsidian-1.pdf" target="_blank"><strong>Pentest-Report Obsidian Client Software</strong> 11.2023</a> <a href="https://cure53.de/summary-report_obsidian-1.pdf" target="_blank"><strong>Summary-Report Obsidian Client Software</strong> 11.2023</a> <a href="https://cure53.de/pentest-report_tuum-hedera-snap.pdf" target="_blank"><strong>Pentest-Report Tuum Hedera Wallet Snap</strong> 11.2023</a> <a href="https://cure53.de/pentest-report_tunnelbear_2023.pdf" target="_blank"><strong>Pentest-Report Tunnelbear VPN & Software</strong> 10.-11.2023</a> <a 
href="https://cure53.de/pentest-report_kryptogo.pdf" target="_blank"><strong>Pentest-Report KryptoGO Web, Mobile & API</strong> 10.-11.2023</a> <a href="https://cure53.de/pentest-report_safeheron-snap.pdf" target="_blank"><strong>Pentest-Report Safeheron WASM MPC & MetaMask Snap</strong> 09.2023</a> <a href="https://cure53.de/review-report_passbolt-directorytree.pdf" target="_blank"><strong>Review-Report Passbolt DirectoryTree LdapRecord</strong> 07.2023</a> <a href="https://cure53.de/pentest-report_tuum-snap.pdf" target="_blank"><strong>Pentest-Report Tuum MetaMask Identify Snap</strong> 07.2023</a> <a href="https://cure53.de/pentest-report_walletchat-snap.pdf" target="_blank"><strong>Pentest-Report Walletchat MetaMask Snap</strong> 07.2023</a> <a href="https://cure53.de/pentest-report_silencelabs-snap.pdf" target="_blank"><strong>Pentest-Report Silence Laboratories MetaMask Snap</strong> 06.-07.2023</a> <a href="https://cure53.de/pentest-report_silencelabs-apps.pdf" target="_blank"><strong>Pentest-Report Silence Laboratories Web & Mobile Apps</strong> 06.-07.2023</a> <a href="https://cure53.de/pentest-report_psiphon-conduit-library.pdf" target="_blank"><strong>Pentest-Report Psiphon Conduit Library</strong> 06.2023</a> <a href="https://cure53.de/pentest-report_proton-pass.pdf" target="_blank"><strong>Pentest-Report Proton Pass Browser Addon, Apps & API</strong> 05.-06.2023</a> <a href="https://cure53.de/pentest-report_authentik.pdf" target="_blank"><strong>Pentest-Report authentik IdP Web, API & SSO</strong> 05.2023</a> <a href="https://cure53.de/pentest-report_passbolt-sso.pdf" target="_blank"><strong>Pentest-Report Passbolt SSO, API & Addon</strong> 02.-03.2023</a> <a href="https://cure53.de/pentest-report_IVPN_2023.pdf" target="_blank"><strong>Pentest-Report IVPN Gateway, Server & Setup</strong> 02.2023</a> <a href="https://cure53.de/audit-report_stealth-address.pdf" target="_blank"><strong>Audit-Report Stealth Address Implementation</strong> 02.2023</a> <a 
href="https://cure53.de/summary-report_solidifi-wallet.pdf" target="_blank"><strong>Summary-Report SolidiFi Wallet Mobile Apps</strong> 02.2023</a> <a href="https://cure53.de/audit-report_privy-sss-library.pdf" target="_blank"><strong>Audit-Report Privy.io Shamir Secret Sharing Library</strong> 02.2023</a> <a href="https://cure53.de/audit-report_micro-btc-signer.pdf" target="_blank"><strong>Audit-Report micro-btc-signer TS Library</strong> 01.2023</a> <a href="#">&nbsp;</a> <a href="#">&nbsp;</a> </div> <div class="publications column right"> <span id="publications-2022">2022</span> <a href="https://cure53.de/summary-report_nwse-identeco.pdf" target="_blank"><strong>Summary-Report NEW WORK SE Identeco Integration</strong> 12.2022</a> <a href="https://cure53.de/pentest-report_expressvpn-lightway.pdf" target="_blank"><strong>Pentest-Report ExpressVPN Lightway</strong> 10.-11.2022</a> <a href="https://cure53.de/audit-report_silencelabs-ecdsa-lib.pdf" target="_blank"><strong>Audit-Report Silence Laboratories ECDSA Library</strong> 10.2022</a> <a href="https://cure53.de/pentest-report_tunnelbear_2022.pdf" target="_blank"><strong>Pentest-Report Tunnelbear VPN & Software</strong> 10.2022</a> <a href="https://cure53.de/pentest-report_nordvpn-infra.pdf" target="_blank"><strong>Pentest-Report NordVPN Server & Infra</strong> 09.-10.2022</a> <a href="https://cure53.de/pentest-report_nordvpn-apps-addons.pdf" target="_blank"><strong>Pentest-Report NordVPN Apps & Add-ons</strong> 07.-08.2022</a> <a href="https://cure53.de/pentest-report_expressvpn-keys-extension.pdf" target="_blank"><strong>Pentest-Report ExpressVPN Keys Browser Extension</strong> 09.-10.2022</a> <a href="https://cure53.de/pentest-report_expressvpn-vpn-extension.pdf" target="_blank"><strong>Pentest-Report ExpressVPN Browser Extension</strong> 09.-10.2022</a> <a href="https://cure53.de/pentest-report_expressvpn-ios.pdf" target="_blank"><strong>Pentest-Report ExpressVPN iOS Client</strong> 
08.-09.2022</a> <a href="https://cure53.de/pentest-report_expressvpn-android.pdf" target="_blank"><strong>Pentest-Report ExpressVPN Android Client</strong> 08.2022</a> <a href="https://cure53.de/pentest-report_expressvpn-linux.pdf" target="_blank"><strong>Pentest-Report ExpressVPN Linux Clients</strong> 07.-08.2022</a> <a href="https://cure53.de/review-report_passbolt-crypto.pdf" target="_blank"><strong>Review-Report Passbolt Crypto</strong> 07.2022</a> <a href="https://cure53.de/pentest-report_expressvpn-macos.pdf" target="_blank"><strong>Pentest-Report ExpressVPN MacOS Client</strong> 06.-07.2022</a> <a href="https://cure53.de/pentest-report_expressvpn-aircove.pdf" target="_blank"><strong>Pentest-Report ExpressVPN Aircove</strong> 06.-07.2022</a> <a href="https://cure53.de/pentest-report_expressvpn-trusted-server.pdf" target="_blank"><strong>Pentest-Report ExpressVPN Trusted Server</strong> 04.-05.2022</a> <a href="https://cure53.de/summary-report_realvnc-connect.pdf" target="_blank"><strong>Summary-Report RealVNC VNC Connect</strong> 01.-05.2022</a> <a href="https://cure53.de/summary-report_sonarqube-2022_1.pdf" target="_blank"><strong>Summary-Report SonarQube Web UI & API</strong> 03.2022</a> <a href="https://cure53.de/summary-report_opera-vpn.pdf" target="_blank"><strong>Summary-Report Opera VPN Server & Clients</strong> (Opera) 03.2022</a> <a href="https://cure53.de/pentest-report_1password-mobile.pdf" target="_blank"><strong>Pentest-Report 1Password Mobile Apps</strong> 02.-03.2022</a> <a href="https://cure53.de/summary-report_cake-defi.pdf" target="_blank"><strong>Summary-Report Cake DeFi Web UI & API</strong> 02.2022</a> <a href="https://cure53.de/pentest-report_IVPN_2022.pdf" target="_blank"><strong>Pentest-Report IVPN Apps & Daemon</strong> (IVPN) 02.2022</a> <a href="https://cure53.de/pentest-report_ed25519.pdf" target="_blank"><strong>Audit-Report TypeScript ed25519 Libraries</strong> 02.2022</a> <a 
href="https://cure53.de/pentest-report_rust-libs_2022.pdf" target="_blank"><strong>Audit-Report Rust crypto_secretbox & crypto_box Libraries</strong> (Threema) 02.2022</a> <a href="#">&nbsp;</a> </div> <div class="publications column"> <span id="publications-2021">2021</span> <a href="https://cure53.de/pentest-report_passbolt-mobile-api.pdf" target="_blank"><strong>Pentest-Report Passbolt Mobile App & API</strong> 11.-12.2021</a> <a href="https://cure53.de/pentest-report_1password-core-2021.pdf" target="_blank"><strong>Pentest-Report 1Password Core</strong> 11.-12.2021</a> <a href="https://cure53.de/pentest-report_hashing-libs.pdf" target="_blank"><strong>Audit-Report TypeScript Hashing Libraries</strong> 12.2021</a> <a href="https://cure53.de/pentest-report_tunnelbear_2021.pdf" target="_blank"><strong>Pentest-Report Tunnelbear VPN & Software</strong> 11.2021</a> <a href="https://cure53.de/pentest-report_pgpainless.pdf" target="_blank"><strong>Pentest-Report PGPainless</strong> 11.2021</a> <a href="https://cure53.de/summary-report_sonarcloud-2021.pdf" target="_blank"><strong>Summary-Report SonarCloud Web UI & API</strong> 11.2021</a> <a href="https://cure53.de/pentest-report_psiphon_3.pdf" target="_blank"><strong>Pentest-Report Psiphon api-gatekeeper</strong> 11.2021</a> <a href="https://cure53.de/pentest-report_1password-b5-2021.pdf" target="_blank"><strong>Pentest-Report 1Password B5 Web Application</strong> 10.2021</a> <a href="https://cure53.de/summary-report_sonarqube-2021_2.pdf" target="_blank"><strong>Summary-Report SonarQube Web UI & API</strong> 10.2021</a> <a href="https://cure53.de/pentest-report_passbolt-ext-integration.pdf" target="_blank"><strong>Pentest-Report Passbolt Extension Integration</strong> 08.2021</a> <a href="https://cure53.de/pentest-report_bifrost-wallet.pdf" target="_blank"><strong>Pentest-Report Towo Bifrost Wallet</strong> 06.2021</a> <a href="https://cure53.de/pentest-report_passbolt-backend.pdf" 
target="_blank"><strong>Pentest-Report Passbolt Backend & Plugins</strong> 065.2021</a> <a href="https://cure53.de/pentest-report_turbotunnel.pdf" target="_blank"><strong>Review-Report Turbo Tunnel</strong> (UCB) 04.2021</a> <a href="https://cure53.de/summary-report_sonarqube-2021.pdf" target="_blank"><strong>Summary-Report SonarQube Data Center Edition</strong> 04.2021</a> <a href="https://cure53.de/pentest-report_noble-lib.pdf" target="_blank"><strong>Review-Report noble-secp256k1 Library</strong> 04.2021</a> <a href="https://cure53.de/pentest-report_passbolt-extensions.pdf" target="_blank"><strong>Pentest-Report Passbolt Browser Extensions</strong> 04.2021</a> <a href="https://cure53.de/pentest-report_swarm.pdf" target="_blank"><strong>Pentest-Report Swarm</strong> 03.-04.2021</a> <a href="https://cure53.de/pentest-report_pomerium.pdf" target="_blank"><strong>Pentest-Report Pomerium</strong> 03.2021</a> <a href="https://cure53.de/pentest-report_mozilla-vpn.pdf" target="_blank"><strong>Pentest-Report Mozilla VPN Apps & Client</strong> (Mozilla) 03.2021</a> <a href="https://cure53.de/pentest-report_lightway.pdf" target="_blank"><strong>Review-Report ExpressVPN Lightway Protocol</strong> 03.2021</a> <a href="https://cure53.de/pentest-report_veepn.pdf" target="_blank"><strong>Pentest-Report VeePN Browser Extension</strong> 03.2021</a> <a href="https://cure53.de/review-report_passbolt-whitepaper.pdf" target="_blank"><strong>Review-Report Passbolt Security Whitepaper</strong> 02.2021</a> <a href="#">&nbsp;</a> <a href="#">&nbsp;</a> </div> <div class="publications column right"> <span id="publications-2020">2020</span> <a href="https://cure53.de/pentest-report_mullvad_2021_v1.pdf" target="_blank"><strong>Pentest-Report Mullvad VPN & Servers</strong> 11.-12.2020</a> <a href="https://cure53.de/pentest-report_contour.pdf" target="_blank"><strong>Pentest-Report Contour</strong> (CNCF) 11.2020</a> <a href="https://cure53.de/pentest-report_php-saml-sp.pdf" 
target="_blank"><strong>Pentest-Report php-saml-sp</strong> (DeIC) 10.-11.2020</a> <a href="https://cure53.de/pentest-report_tunnelbear_2020.pdf" target="_blank"><strong>Pentest-Report Tunnelbear VPN & Software</strong> 10.2020</a> <a href="https://cure53.de/pentest-report_1password-b5.pdf" target="_blank"><strong>Pentest-Report 1Password B5 Web Application</strong> 10.2020</a> <a href="https://cure53.de/pentest-report_threema.pdf" target="_blank"><strong>Pentest-Report Threema Mobile Apps</strong> 10.2020</a> <a href="https://cure53.de/pentest-report_chubaofs.pdf" target="_blank"><strong>Pentest-Report ChubaoFS</strong> (CNCF) 08.-09.2020</a> <a href="https://cure53.de/pentest-report_rnp.pdf" target="_blank"><strong>Pentest-Report Thunderbird & RNP</strong> (MOSS) 08.2020</a> <a href="https://cure53.de/pentest-report_nodeexporter.pdf" target="_blank"><strong>Pentest-Report node_exporter</strong> (CNCF) 07.2020</a> <a href="https://cure53.de/pentest-report_psipy.pdf" target="_blank"><strong>Pentest-Report Psiphon psipy Library</strong> 07.2020</a> <a href="https://cure53.de/pentest-report_formsg.pdf" target="_blank"><strong>Pentest-Report GovTech FormSG Web & API</strong> 07.2020</a> <a href="https://cure53.de/pentest-report_dapr.pdf" target="_blank"><strong>Pentest-Report Dapr</strong> 06.2020</a> <a href="https://cure53.de/pentest-report_monocypher.pdf" target="_blank"><strong>Audit-Report Monocypher Crypto Library</strong> (OTF) 06.2020</a> <a href="https://cure53.de/pentest-report_rustls.pdf" target="_blank"><strong>Pentest-Report rustls</strong> (CNCF) 05.-06.2020</a> <a href="https://cure53.de/pentest-report_mullvad_2020_v2.pdf" target="_blank"><strong>Pentest-Report Mullvad Apps, Clients & API</strong> 05.2020</a> <a href="https://cure53.de/pentest-report_request.pdf" target="_blank"><strong>Pentest-Report Request Network</strong> 05.2020</a> <a href="https://cure53.de/pentest-report_tikv.pdf" target="_blank"><strong>Pentest-Report TiKV</strong> (CNCF) 
02.2020</a> <a href="https://cure53.de/pentest-report_safing-jess.pdf" target="_blank"><strong>Audit-Report Safing Jess Crypto-Library</strong> 01.2020</a> <a href="https://cure53.de/pentest-report_flowcrypt.pdf" target="_blank"><strong>Pentest-Report FlowCrypt</strong> (OTF) 01.2020</a> </div> <div class="clear"></div> <div class="publications column"> <span id="publications-whitepapers">White Papers</span> <a href="https://github.com/cure53/browser-sec-whitepaper" target="_blank"><strong>Cure53 Browser Security White Paper</strong></a> <a href="https://cure53.de/es6-for-penetration-testers.pdf" target="_blank"><strong>ECMAScript 6 for Penetration Testers</strong></a> <a href="https://cure53.de/xfo-clickjacking.pdf" target="_blank"><strong>X-Frame-Options: All about Clickjacking?</strong></a> </div> <div class="publications column right"> <span id="publications-tools">Tools</span> <a href="https://github.com/cure53/DOMPurify" target="_blank"><strong>DOMPurify</strong></a> <a href="https://github.com/cure53/HTTPLeaks" target="_blank"><strong>HTTPLeaks</strong></a> <a href="https://github.com/cure53/H5SC" target="_blank"><strong>HTML5 Security Cheatsheet</strong></a> </div> <div class="clear"></div> <div class="publications column full"> <span id="publications-academic">Academic Papers</span> <a href="https://link.springer.com/chapter/10.1007/978-3-319-66399-9_7" target="_blank">DOMPurify: Client-Side Protection Against XSS and Markup Injection</a> <a href="http://syssec.rub.de/media/emma/veroeffentlichungen/2015/05/27/sanitization_issta15.pdf" target="_blank">Ex­pe­ri­ence Re­port: An Em­pi­ri­cal Study of PHP Se­cu­ri­ty Me­cha­nism Usage</a> <a href="https://cure53.de/es6-for-penetration-testers.pdf" target="_blank">ECMAScript 6 for Penetration Testers - How the new JS changes Web- and DOM Security</a> <a href="http://syssec.rub.de/media/emma/veroeffentlichungen/2014/07/29/secondOrder-Usenix14.pdf" target="_blank">Static Detection of Second-Order Vulnerabilities 
in Web Applications</a> <a href="http://syssec.rub.de/media/emma/veroeffentlichungen/2014/09/10/POPChainGeneration-CCS14.pdf" target="_blank">Code Reuse Attacks in PHP: Automated POP Chain Generation</a> <a href="http://www.nds.rub.de/media/nds/veroeffentlichungen/2014/07/09/DSN_paper.pdf" target="_blank">Script­less Ti­ming At­tacks on Web Brow­ser Pri­va­cy</a> <a href="https://cure53.de/xfo-clickjacking.pdf" target="_blank">X-Frame-Options: All about Clickjacking?</a> <a href="http://www.syssec.rub.de/media/emma/veroeffentlichungen/2014/01/21/rips-NDSS14.pdf" target="_blank">Simulation of Built-in PHP Features for Precise Static Code Analysis</a> <a href="https://cure53.de/fp170.pdf" target="_blank">mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations</a> <a href="http://www.nds.rub.de/research/publications/SS-FP-Heiderich/" target="_blank">SS-FP: Browser Finger­printing using HTML Parser Quirks </a> <a href="http://www.nds.rub.de/research/publications/scriptless-attacks/" target="_blank">Scriptless Attacks – Stealing the Pie Without Touching the Sill </a> <a href="http://www.nds.rub.de/research/publications/clickjacking/" target="_blank">On the Fragility and Limitations of Current Browser-provided Cli­ck­ja­cking Pro­tec­tion Sche­mes</a> <a href="http://www.nds.rub.de/research/publications/SVG-security-risks/" target="_blank">Crouching Tiger – Hidden Payload: Security Risks of Scalable Vectors Graphics </a> <a href="http://www.nds.rub.de/research/publications/SecurityCaseStudyHeliosVoting/" target="_blank">The Bug that made me President: A Browser- and Web-Security Case Study on Helios Voting</a> <a href="http://www.nds.rub.de/research/publications/iceshield-detection-and-mitigation-malicious-sites/" target="_blank">Ice­Shield: Detection and Miti­ga­ti­on of Malicious Websites with a Frozen DOM </a> <a href="http://www.nds.rub.de/research/publications/amazon-hacking/" target="_blank">All Your Clouds are Be­long to us – Se­cu­ri­ty 
Ana­ly­sis of Cloud Management Inter­faces </a> </div> <div class="publications column full"> <span id="publications-talks">Presentations &amp; Talks</span> <a href="https://speakerdeck.com/filedescriptor/exploiting-the-unexploitable-with-lesser-known-browser-tricks" target="_blank"><strong>Exploiting the unexploitable with lesser known browser tricks</strong></a> <a href="https://www.slideshare.net/x00mario/an-abusive-relationship-with-angularjs" target="_blank"><strong>An Abusive Relationship with AngularJS</strong></a> <a href="http://www.slideshare.net/x00mario/copypest" target="_blank"><strong>Copy &amp; Pest</strong> – A case-study on the clipboard, blind trust and invisible cross-application XSS</a> <a href="http://www.slideshare.net/x00mario/es6-en" target="_blank"><strong>ECMAScript 6 from an Attacker's Perspective</strong> – Breaking Frameworks, Sandboxes & everything else</a> <a href="http://www.slideshare.net/x00mario/in-the-dom-no-one-will-hear-you-scream" target="_blank"><strong>In the DOM, no one will hear you scream</strong> – A journey into the moldy layer between HTML and JS</a> <a href="http://www.slideshare.net/x00mario/jsmvcomfg-to-sternly-look-at-javascript-mvc-and-templating-frameworks" target="_blank"><strong>JSMVCOMFG</strong> – To sternly look at JavaScript MVC and Templating Frameworks</a> <a href="http://www.slideshare.net/x00mario/the-innerhtml-apocalypse" target="_blank"><strong>The innerHTML Apocalypse</strong> – How mXSS attacks change everything we believed to know so far</a> <a href="http://www.slideshare.net/x00mario/stealing-the-pie" target="_blank"><strong>Scriptless Attacks</strong> – Stealing the Pie without touching the Sill</a> <a href="http://www.slideshare.net/x00mario/the-image-that-called-me" target="_blank"><strong>The Image that called me</strong> – Active Content Injection with SVG Files</a> <a href="http://www.slideshare.net/x00mario/locking-the-throneroom-20" target="_blank"><strong>Locking the Throne Room</strong> 
– How ES5+ will change XSS and Client Side Security</a> </div> <div class="clear"></div> </div> <div class="spacer"></div> <div id="team"> <div class="team header"> <span class="black">Team</span> <span class="gray">Meet the Cure53 Team</span> </div> <div class="team column"> <span class="member"> <span>Dr.-Ing. Mario Heiderich</span> <span> <a href="mailto:mario@cure53.de">mario@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0xC26C858090F70ADA" target="_blank">PGP</a> </span> </span> <span class="member"> <span>Dipl.-Ing. Alex Inführ</span> <span> <a href="mailto:alex@cure53.de">alex@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0xa98fdcc053480e62" target="_blank">PGP</a> </span> </span> <span class="member"> <span>MSc. Sebastian Moritz</span> <span> <a href="mailto:seba@cure53.de">seba@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0x81AC474F77C707C2" target="_blank">PGP</a> </span> </span> <span class="member"> <span>Maxim Rupp</span> <span> <a href="mailto:rupp@cure53.de">rupp@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0x09DC02C619890640" target="_blank">PGP</a> </span> </span> <span class="member"> <span>MSc. Dario Weißer</span> <span> <a href="mailto:dario@cure53.de">dario@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0x3E9C7E8EA03A7C8C" target="_blank">PGP</a> </span> </span> <span class="member"> <span>Dr. Marta Conde</span> <span> <a href="mailto:marta@cure53.de">marta@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?search=0xdfe90c63f8eb16c0a53434723de1b5d059300a29&fingerprint=on&op=index" target="_blank">PGP</a> </span> </span> <span class="member"> <span>Dr. 
Alexander Pirker</span> <span> <a href="mailto:apirker@cure53.de">apirker@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?search=0x0b837b099b3fc47f74da4e64ca92966230acd751&fingerprint=on&op=index" target="_blank">PGP</a> </span> </span> <span class="member"> <span>Jesper Larsson</span> <span> <a href="mailto:jesper@cure53.de">jesper@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0xDB04371F9BDB79A3" target="_blank">PGP</a> </span> </span> <span class="member"> <span>BSc. (Hons) Edwin "EdOverflow" Foudil</span> <span> <a href="mailto:ed@cure53.de">ed@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0xda27f8854b055704" target="_blank">PGP</a> </span> </span> </div> <div class="team column"> <span class="member"> <span>MSc. Robin Peraglie</span> <span> <a href="mailto:robin@cure53.de">robin@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x7ec83e753efcd28b7208a6d4096896a268a057f5" target="_blank">PGP</a> </span> </span> <span class="member"> <span>BSc. Benjamin Walny</span> <span> <a href="mailto:benjamin@cure53.de">benjamin@cure53.de</a> | <a href="http://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0x119B51E13B568673" target="_blank">PGP</a> </span> </span> <span class="member"> <span>MSc. 
Johannes Moritz</span> <span> <a href="mailto:johannes@cure53.de">johannes@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0x1d1df3aa6ee385e2" target="_blank">PGP</a> </span> </span> <span class="member"> <span>Mohan "S1r1us" Pedhapati</span> <span> <a href="mailto:s1r1us@cure53.de">s1r1us@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?search=s1r1us%40cure53.de&fingerprint=on&op=index" target="_blank">PGP</a> </span> </span> <span class="member"> <span>Masato Kinugawa</span> <span> <a href="mailto:masato@cure53.de">masato@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0x93D04D02BE03BFC7" target="_blank">PGP</a> </span> </span> <span class="member"> <span>MSc. Fabian Fäßler</span> <span> <a href="mailto:fabian@cure53.de">fabian@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0x2BD8397F79E1FDB0" target="_blank">PGP</a> </span> </span> <span class="member"> <span>MSc. Nikolai Krein</span> <span> <a href="mailto:niko@cure53.de">niko@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0x5D33C36E8F0B178C" target="_blank">PGP</a> </span> </span> <span class="member"> <span>Dr. Nadim Kobeissi</span> <span> <a href="mailto:nadim@cure53.de">nadim@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0xf0d0df5519ae2cd3" target="_blank">PGP</a> </span> </span> <span class="member"> <span>Dr. hab. 
Paula Pustułka</span> <span> <a href="mailto:paula@cure53.de">paula@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0xE73BEC5813982FED" target="_blank">PGP</a> </span> </span> </div> <div class="team column last"> <span class="member"> <span>Jack Rudy Walker Smith</span> <span> <a href="mailto:jack@cure53.de">jack@cure53.de</a> | <a target="_blank" href="#">PGP</a> </span> </span> <span class="member"> <span>Norman Hippert</span> <span> <a href="mailto:norman@cure53.de">norman@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0xE38C82C8EE421DF5" target="_blank">PGP</a> </span> </span> <span class="member"> <span>MSc. Elyas Damej</span> <span> <a href="mailto:elyas@cure53.de">elyas@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0x665652193b71242c7b74460f3a99f66a9734d704" target="_blank">PGP</a> </span> </span> <span class="member"> <span>BSc. Christopher Kean</span> <span> <a href="mailto:chris@cure53.de">chris@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0x9EF85B7C9D0B6BC0" target="_blank">PGP</a> </span> </span> <span class="member"> <span>Michael Wege</span> <span> <a href="mailto:mike@cure53.de">mike@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0x7A6AC9B3387D8CCB" target="_blank">PGP</a> </span> </span> <span class="member"> <span>Julian Hector</span> <span> <a href="mailto:julian@cure53.de">julian@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0x6FC11F39AD9AEAD6" target="_blank">PGP</a> </span> </span> <span class="member"> <span>Martin Elrod</span> <span> <a href="mailto:martin@cure53.de">martin@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?search=martin%40cure53.de&fingerprint=on&op=index" target="_blank">PGP</a> </span> </span> <span class="member"> <span>BSc. 
Felix Heiderich</span> <span> <a href="mailto:felix@cure53.de">felix@cure53.de</a> | <a href="https://keyserver.ubuntu.com/pks/lookup?search=felix%40cure53.de&fingerprint=on&op=index" target="_blank">PGP</a> </span> </span> </div> <div class="clear"></div> </div> <div class="spacer"></div> <div id="contact"> <div class="contact header"> <span class="black">Contact</span> <span class="gray">For business enquiries <br>please contact<br><a href="mailto:hello@cure53.de">hello@cure53.de</a></span> </div> <div class="contact column first"> <p> <strong>Email</strong> <a href="mailto:hello@cure53.de">hello@cure53.de</a> <strong>Telephone</strong> <a href="tel:+4915208675782">+49 1520 8675 782</a> </p> <p> <strong>We speak</strong> PGP and S/MIME </p> <p> <strong>Address</strong> <span> Cure53, <br> Dr.-Ing. Mario Heiderich <br> Wilmersdorfer Str. 106 <br> D-10629 Berlin <br> Germany </span> </p> </div> <div class="contact column"> <p> <strong>Links</strong> <a href="#index">Home</a> <a href="#services">Services</a> <a href="#publications">Publications</a> <a href="#team">Team</a> <a href="#contact">Contact</a> <a href="/impressum.php">Impressum</a> <a href="/datenschutz.php">Datenschutz</a> </p> <p> <strong>Socials</strong> <a href="https://twitter.com/cure53berlin" target="_blank">X / Twitter</a> <a href="https://infosec.exchange/@cure53" target="_blank">Mastodon</a> <a href="https://de.linkedin.com/company/cure53" target="_blank">LinkedIn</a> <a href="https://github.com/cure53" target="_blank">Github</a> <a href="https://keybase.io/cure53" target="_blank">Keybase</a> </p> </div> <div class="contact column"> <p> <strong>Payment</strong> <span> As well as the usual, we also accept Bitcoin (BTC), Bitcoin Cash (BCH), Ripple (XRP) and Ethereum (ETH). <br> <br> Bill.com, Deel and Veem also work for us. 
</span> </p> <p> <strong>Insurance</strong> <span> During our assignments we are insured by the Gothaer Allgemeine Versicherung AG </span> </p> <p> <strong>Legals</strong> <span> Tax-ID: 24/336/01163 <br> VAT: DE-275774772 </span> </p> </div> <div class="clear"></div> </div> <div class="spacer"></div> <div id="footer"> &copy; Cure53 - Fine penetration tests for fine websites </div> <div class="spacer"></div> </body> </html>