cure53/Publications

Publications

This repro contains almost all of Cure53's publications and papers. Click "watch" to get a mail once we publish something fresh.

Pentest-Reports & Papers

2022

• Summary-Report RealVNC VNC Connect 01.-05.2022
• Summary-Report SonarQube Web UI & API 03.2022
• Summary-Report Opera VPN Server & Clients (Opera) 03.2022
• Pentest-Report 1Password Mobile Apps 02.-03.2022
• Summary-Report Cake DeFi Web UI & API 02.2022
• Pentest-Report IVPN Apps & Daemon (IVPN) 02.2022
• Audit-Report TypeScript ed25519 Libraries 02.2022
• Audit-Report Rust crypto_secretbox & crypto_box Libraries (Threema) 02.2022

2021

• Pentest-Report 1Password Core 11.-12.2021
• Audit-Report TypeScript Hashing Libraries 12.2021
• Pentest-Report PGPainless 11.2021
• Summary-Report SonarCloud Web UI & API 11.2021
• Pentest-Report Psiphon api-gatekeeper 11.2021
• Pentest-Report 1Password B5 Web Application 10.2021
• Summary-Report SonarQube Web UI & API 10.2021
• Pentest-Report Towo Bifrost Wallet 06.2021
• Review-Report Turbo Tunnel (UCB) 04.2021
• Summary-Report SonarQube Data Center Edition 04.2021
• Review-Report noble-secp256k1 Library 04.2021
• Pentest-Report Swarm 03.-04.2021
• Pentest-Report Pomerium 03.2021
• Pentest-Report Mozilla VPN Apps & Client (Mozilla) 03.2021
• Review-Report ExpressVPN Lightway Protocol 03.2021
• Pentest-Report VeePN Browser Extension 03.2021

2020

• Pentest-Report Mullvad VPN & Servers 11.-12.2020
• Pentest-Report Contour (CNCF) 11.2020
• Pentest-Report php-saml-sp (DeIC) 10.-11.2020
• Pentest-Report Tunnelbear VPN & Software 10.2020
• Pentest-Report 1Password B5 Web Application 10.2020
• Pentest-Report Threema Mobile Apps 10.2020
• Pentest-Report ChubaoFS (CNCF) 08.-09.2020
• Pentest-Report Thunderbird & RNP (MOSS) 08.2020
• Pentest-Report node_exporter (CNCF) 07.2020
• Pentest-Report Psiphon psipy Library 07.2020
• Pentest-Report GovTech FormSG Web & API 07.2020
• Pentest-Report Dapr 06.2020
• Audit-Report Monocypher Crypto Library (OTF) 06.2020
• Pentest-Report rustls (CNCF) 05.-06.2020
• Pentest-Report Mullvad Apps, Clients & API 05.2020
• Pentest-Report Request Network 05.2020
• Pentest-Report TiKV (CNCF) 02.2020
• Audit-Report Safing Jess Crypto-Library 01.2020
• Pentest-Report FlowCrypt (OTF) 01.2020

2019

• Pentest-Report runc (CNCF) 11.-12.2019
• Summary-Report TunnelBear 11.2019
• Pentest-Report Keycloak 11.2019
• Pentest-Report Helm (CNCF) 10.-11.2019
• Pentest-Report Standard Notes 10.2019
• Pentest-Report Harbor (CNCF) 10.2019
• Pentest-Report gRPC (CNCF) 10.2019
• Pentest-Report Psiphon Apps & Server 10.2019
• Pentest-Report libssh C Library (MOSS) 09.2019
• Analysis-Report "Study the Great Nation" Android App (OTF) 09.2019
• Pentest-Report Rancher Web & API 07.2019
• Pentest-Report Falco (CNCF) 07.2019
• Pentest-Report Linkerd2 (CNCF) 06.2019
• Pentest-Report Fluentd/Fluent-Bit (CNCF) 05.2019
• Pentest-Report Jaeger (CNCF) 05.2019
• Analysis-Report Chinese Police App "Feng Cai" (OTF) 03.2019
• Pentest-Report Exodus iOS Mobile App 03.2019
• Pentest-Report Vitess (CNCF) 02.2019

2018

• Analysis-Report Chinese Police App "IJOP" (HRW) 12.2018
• Pentest-Report NATS (CNCF) 11.2018
• Pentest-Report containerd (CNCF) 11.2018
• Pentest-Report Surfshark 11.2018
• Pentest-Report Bitwarden 11.2018
• Summary-Report TunnelBear 10.2018
• Pentest-Report CrypTech/DiamondKey 09.2018
• Pentest-Report Frame Electron App 09.2018
• Pentest-Report Mullvad VPN Clients 09.2018
• Pentest-Report Open Policy Agent (CNCF) 08.2018
• Pentest-Report Cuckoo Sandbox 07.2018
• Pentest-Report MyCrypto App 06.2018
• Pentest-Report TUF/Notary (CNCF) 05.-06.2018
• Pentest-Report Prometheus (CNCF) 05.-06.2018
• Pentest-Report imToken Wallet 05.2018
• Pentest-Report Gravitational Teleport 05.2018
• Pentest-Report CoreDNS (CNCF) 02.-03.2018
• Pentest-Report Envoy Proxy (CNCF) 02.2018
• Pentest-Report Whistler (BAM) 02.2018
• Pentest-Report MyEtherWallet Website 01.2018

2017

• Pentest-Report SimpleSAMLphp (MOSS) 11.2017
• Pentest-Report Thunderbird & Enigmail (MOSS) 09.2017
• Pentest-Report MetaMask 08.2017
• Pentest-Report Gravitational Telekube 08.2017
• Summary-Report TunnelBear 07.2017
• Pentest-Report Psiphon 07.2017
• Pentest-Report Gravitational Teleport 04.2017
• Pentest-Report Briar Project App & Protocol (OTF) 03.2017
• Pentest-Report NTP (MOSS) 03.2017
• Pentest-Report NTPsec (MOSS) 03.2017

2016

• Pentest-Report Ethereum Mist 11.2016
• Pentest-Report Dovecot (MOSS) 11.2016
• Pentest-Report Mozilla FxA 09.2016
• Pentest-Report cURL (MOSS) 08.2016
• Pentest-Report Access My Info (OTF) 05.2016
• Pentest-Report Padlock (OTF) 04.2016
• Pentest-Report libjpeg-turbo (MOSS) 01.2016

2015 and earlier

• Pentest-Report PCRE (MOSS) 10.2015
• Pentest-Report Peerio (OTF) 09.2015
• Pentest-Report SmartSheriff 2 (OTF) 10.2015
• Pentest-Report OpenKeychain (OTF) 08.2015
• Pentest-Report Nitrokey Storage Firmware (OTF) 08.2015
• Pentest-Report Nitrokey Storage Hardware (OTF) 05.2015
• Pentest-Report SmartSheriff (OTF) 07.2015
• Pentest-Report Cyph (OTF) 06.2015
• Pentest-Report SC4 06.2015
• Pentest-Report Whiteout 06.2015
• Pentest-Report StreamCryptor 04.2015
• Pentest-Report F-Droid / Bazaar (RFA) 01.2015
• Pentest-Report CaseBox (Code Audit) (RFA) 06.2014
• Pentest-Report CaseBox (Production) (RFA) 08.2014
• Pentest-Report miniLock (RFA) 07.2014
• Pentest-Report Clipperz (RFA) 04.2014
• Pentest-Report Onion Browser (RFA) 04.2014
• Pentest-Report OpenPGP.js (RFA) 03.2014
• Pentest-Report SecureDrop (FPF) 12.2013
• Pentest-Report Globaleaks (RFA) 06.2013
• Pentest-Report Mailvelope (RFA) 12.2012 – 02.2013
• Pentest Report Cryptocat 2 (RFA) 11.2012

## White Papers

• Cure53 Browser Security White Paper
• ECMAScript 6 for Penetration Testers - How the new JS changes Web- and DOM Security
• X-Frame-Options: All about Clickjacking?

Academic Papers

• DOMPurify: Client-Side Protection Against XSS and Markup Injection
• Ex­pe­ri­ence Re­port: An Em­pi­ri­cal Study of PHP Se­cu­ri­ty Me­cha­nism Usage
• ECMAScript 6 for Penetration Testers - How the new JS changes Web- and DOM Security
• Static Detection of Second-Order Vulnerabilities in Web Applications
• Code Reuse Attacks in PHP: Automated POP Chain Generation
• Script­less Ti­ming At­tacks on Web Brow­ser Pri­va­cy
• X-Frame-Options: All about Clickjacking?
• Simulation of Built-in PHP Features for Precise Static Code Analysis
• mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations
• SS-FP: Browser Finger­printing using HTML Parser Quirks
• Scriptless Attacks – Stealing the Pie Without Touching the Sill
• On the Fragility and Limitations of Current Browser-provided Cli­ck­ja­cking Pro­tec­tion Sche­mes
• Crouching Tiger – Hidden Payload: Security Risks of Scalable Vectors Graphics
• The Bug that made me President: A Browser- and Web-Security Case Study on Helios Voting
• Ice­Shield: Detection and Miti­ga­ti­on of Malicious Websites with a Frozen DOM
• All Your Clouds are Be­long to us – Se­cu­ri­ty Ana­ly­sis of Cloud Management Inter­faces

## Presentations

• Exploiting the unexploitable with lesser known browser tricks
• An Abusive Relationship with AngularJS
• Copy & Pest – A case-study on the clipboard, blind trust and invisible cross-application XSS
• ECMAScript 6 from an Attacker's Perspective – Breaking Frameworks, Sandboxes & everything else
• In the DOM, no one will hear you scream – A journey into the moldy layer between HTML and JS
• JSMVCOMFG – To sternly look at JavaScript MVC and Templating Frameworks
• The innerHTML Apocalypse – How mXSS attacks change everything we believed to know so far
• Scriptless Attacks – Stealing the Pie without touching the Sill
• The Image that called me – Active Content Injection with SVG Files
• Locking the Throne Room – How ES5+ will change XSS and Client Side Security

## Tools & Software

• DOMPurify
• HTTPLeaks
• HTML5 Security Cheatsheet
• Flashbang