Today there’s a number of publicly available EVM bytecode decompilers. However, many of them actually work only for toy examples and fail on real-world programs. This is one of the problems for Ethereum smart contracts continue reading

Positive Hack Days is a unique global event. It is the only event which brings together the elite of the hackers' world, leaders of the information security industry and representatives of the Internet community to cooperate in addressing burning information…

During PHDays 2019, apart from our booth, we also participated in the Wearable & Medical Security Village, organized together with Positive Technologies and the cool guys (Tim Yunusov, Denis...

In Russian: https://blog.deteact.com/ru/dql-injection Modern web applications are less prone to injections, everyone uses prepared queries and ORM, but we still encounter such vulnerabilities in the wild. SQL dialects built into ORM libraries are of particular…

In Russian: https://blog.deteact.com/ru/yandex-clickhouse-injection/ In order to process a large amount of data in Yandex.Metrika, Yandex created a column-oriented DBMS ClickHouse. During penetration tests, we encountered ClickHouse in the systems of statistics…

In Russian: https://blog.deteact.com/ru/common-flaws-of-sms-auth/ Many online services use SMS to authenticate users. But subtle implementation mistakes may lead to major problems. This is what we will talk about in this article. Intro This authentication…

In Russian: https://blog.deteact.com/ru/bitrix-waf-bypass/ UPD: CVE-2020-13758 assigned Sometimes when exploiting reflected XSS the input parameters get injected directly into the body of the <noscript> tag. Typically, this means that the exploit is trivial:…

A curious case of HTTP smuggling attack on mitmproxy+gunicorn setup

About XSS mitigation and the security of Content Security Policy

Deteact conducted a security audit of the blockchain voting service based on the Waves Enterprise platform.