1) Intro & Motivations

At the start of of this year, I set myself a personal goal of finding 365 bugs in 365 days.

This was entirely motivated by wanting to challenge myself to find more security issues as I felt I'd been slacking off.

I thought back to…

When gaining shell access to a machine on a network, a promising attack vector is to check the internal network for web applications and services that may be accessible from the machine that has been compromised.

Often, internal web applications are found…

In 2019, we published attacks on PDF Signatures and PDF Encryption . During our research and studying the related work, we discovered a lot...

This is a guest blogpost by Lauritz Holtmann . He wrote his master thesis: "Single Sign-On Security: Security Analysis of real-life OpenID C...

Last year we presented How to Spoof PDF Signatures . We showed three different attack classes. In cooperation with the CERT-Bund (BSI)...

During our joint research on DTLS state machines, we discovered a really interesting vulnerability (CVE-2020-2655) in the recent versions...

For this years hack.lu CTF I felt like creating a challenge. Since I work a lot with TLS it was only natural for me to create a TLS challen...

After investigating the security of  PDF signatures , we had a deeper look at PDF encryption. In co­ope­ra­ti­on with our friends from Mün...

A lot can go wrong when validating SAML messages . When auditing SAML endpoints, it's important to look out for vulnerabilities in the sign...

Security Assertion Markup Language (SAML) is an XML-based standard commonly used in Web Single Sign-On (SSO) [1]. In SAML, the confidential...

In this post, we present our new Burp Suite extension "TLS-Attacker". Using this extension penetration testers and security researchers ca...

This blog post is aimed to express and explain my surprise about Signal being more secure than I thought (due to receipt acknowledgments). ...

As you might have heard, we recently got our paper on padding oracle attacks accepted to the USENIX Security Conference. In this paper, we ...

In the last two years, we changed the TLS-Attacker Project quite a lot but kept silent about most changes we implemented. Since we do not h...

One year ago, we received a contract as a PDF file. It was digitally signed. We looked at the document - ignoring the "certificate is not tr...

We found out that reusing a key pair across different versions and modes of IPsec IKE can lead to cross-protocol authentication bypasses, e...

We found out that in contrast to public knowledge, the Pre-Shared Key (PSK) authentication method in main mode of IKEv1 is susceptible to o...

Hunting for bugs doesn’t have to be complex. This is a quick but informative story of how we found a vulnerability under 5 minutes on a…

Clustering of Application Security tooling refers to the use of multiple tools and techniques to improve the security of an application…

I have come across many agent based distributed systems like OEM, AV solutions and Splunk which need to communicate with a centralized server. This communication is often sensitive, carrying data…