Read our blog post about the motivation for the Ethereum smart contracts reverse engineering and our small efforts to automate the process.
https://blog.deteact.com/decompiling-ethereum-smart-contract-abi/
https://blog.deteact.com/decompiling-ethereum-smart-contract-abi/
Deteact - continuous information security services
Decompiling Ethereum smart contract ABI - Deteact - continuous information security services
Today there’s a number of publicly available EVM bytecode decompilers. However, many of them actually work only for toy examples and fail on real-world programs. This is one of the problems for Ethereum smart contracts continue reading
Long time no see! And we have sponsored one of the biggest infosec forums.
http://2019.phdays.com/en/about/sponsors/deteact/
http://2019.phdays.com/en/about/sponsors/deteact/
Phdays
DeteAct Exhibition Participant
Positive Hack Days is a unique global event. It is the only event which brings together the elite of the hackers' world, leaders of the information security industry and representatives of the Internet community to cooperate in addressing burning information…
More about PHDays 2019: https://www.facebook.com/deteact/posts/371803953434518
Medical Security Village on PHDays 2019: https://www.facebook.com/deteact/posts/372268986721348
Facebook
Deteact
During PHDays 2019, apart from our booth, we also participated in the Wearable & Medical Security Village, organized together with Positive Technologies and the cool guys (Tim Yunusov, Denis...
See our introductory post about Doctrine Query Language injections: https://blog.deteact.com/dql-injection/
Deteact - continuous information security services
DQL injection - Deteact - continuous information security services
In Russian: https://blog.deteact.com/ru/dql-injection Modern web applications are less prone to injections, everyone uses prepared queries and ORM, but we still encounter such vulnerabilities in the wild. SQL dialects built into ORM libraries are of particular…
Read our review of the Yandex.Clickhouse DBMS attack surface and exploitation techniques: https://blog.deteact.com/yandex-clickhouse-injection/
Deteact - continuous information security services
Yandex.ClickHouse injection - Deteact - continuous information security services
In Russian: https://blog.deteact.com/ru/yandex-clickhouse-injection/ In order to process a large amount of data in Yandex.Metrika, Yandex created a column-oriented DBMS ClickHouse. During penetration tests, we encountered ClickHouse in the systems of statistics…
A small take into SMS auth security pitfalls: https://blog.deteact.com/common-flaws-of-sms-auth/
Deteact - continuous information security services
Common flaws of SMS auth - Deteact - continuous information security services
In Russian: https://blog.deteact.com/ru/common-flaws-of-sms-auth/ Many online services use SMS to authenticate users. But subtle implementation mistakes may lead to major problems. This is what we will talk about in this article. Intro This authentication…
Do you need a pentest if your website is protected with a WAF? See for yourself: https://blog.deteact.com/bitrix-waf-bypass/
Deteact - continuous information security services
Bitrix WAF bypass - Deteact - continuous information security services
In Russian: https://blog.deteact.com/ru/bitrix-waf-bypass/ UPD: CVE-2020-13758 assigned Sometimes when exploiting reflected XSS the input parameters get injected directly into the body of the <noscript> tag. Typically, this means that the exploit is trivial:…
Beware of HTTP implementations: they can be incompatible and broken, see https://blog.deteact.com/gunicorn-http-request-smuggling/
Deteact - continuous information security services
HTTP Request Smuggling - Deteact - continuous information security services
A curious case of HTTP smuggling attack on mitmproxy+gunicorn setup
Mitigating XSS can be hard, learn more about Content Security Policy in our blog: https://blog.deteact.com/csp-bypass/
Deteact - continuous information security services
Bypassing Content Security Policy
About XSS mitigation and the security of Content Security Policy
We've recently performed a security assessment of the Waves Enterprise blockchain voting service.
Learn more about the vulnerabilities of such systems:
https://blog.deteact.com/waves-enterprise-voting-security-audit/
Learn more about the vulnerabilities of such systems:
https://blog.deteact.com/waves-enterprise-voting-security-audit/
Deteact - continuous information security services
Security Audit of Waves Enterprise Voting service
Deteact conducted a security audit of the blockchain voting service based on the Waves Enterprise platform.
Long time no see!
https://hh.ru/vacancy/92476148
https://hh.ru/vacancy/92476148
hh.ru
Вакансия Application Security TechLead / техлид (Pentest) в Москве, работа в компании Непрерывные Технологии (вакансия в архиве…
Зарплата: от 250000 до 350000 ₽ за месяц. Москва. Требуемый опыт: 3–6 лет. Полная занятость. Дата публикации: 27.02.2024.
👍1
Как несколько low-impact недостатков может привести к атаке с высоким уровнем риска?
Читайте в нашем блогпосте, где логические уязвимости и атаки на client-side, достойные CTF-таска за 300, мастерски скомбинированы для захвата аккаунта:
https://blog.deteact.ru/open-redirect-to-account-takeover/
P.S. Обещаем теперь чаще и системнее делиться опытом с наших проектов по тестированию на проникновение и анализу защищённости!
Читайте в нашем блогпосте, где логические уязвимости и атаки на client-side, достойные CTF-таска за 300, мастерски скомбинированы для захвата аккаунта:
https://blog.deteact.ru/open-redirect-to-account-takeover/
P.S. Обещаем теперь чаще и системнее делиться опытом с наших проектов по тестированию на проникновение и анализу защищённости!
Deteact - Тестирование на проникновение. Информационная безопасность
От Open Redirect до Account Takeover - Deteact
Узнайте, как небольшие уязвимости (IDOR, XSS, Open Redirect) в совокупности с неправильной настройкой CSP могут привести к захвату аккаунтов пользователей. Подробный разбор реального кейса из практики пентестинга.
👍5