This repo contains almost all of Cure53's publications and papers. Click "watch" to get a mail once we publish something fresh.
- Summary-Report RealVNC VNC Connect 01.-05.2022
- Summary-Report SonarQube Web UI & API 03.2022
- Summary-Report Opera VPN Server & Clients (Opera) 03.2022
- Pentest-Report 1Password Mobile Apps 02.-03.2022
- Summary-Report Cake DeFi Web UI & API 02.2022
- Pentest-Report IVPN Apps & Daemon (IVPN) 02.2022
- Audit-Report TypeScript ed25519 Libraries 02.2022
- Audit-Report Rust crypto_secretbox & crypto_box Libraries (Threema) 02.2022
- Pentest-Report 1Password Core 11.-12.2021
- Audit-Report TypeScript Hashing Libraries 12.2021
- Pentest-Report PGPainless 11.2021
- Summary-Report SonarCloud Web UI & API 11.2021
- Pentest-Report Psiphon api-gatekeeper 11.2021
- Pentest-Report 1Password B5 Web Application 10.2021
- Summary-Report SonarQube Web UI & API 10.2021
- Pentest-Report Towo Bifrost Wallet 06.2021
- Review-Report Turbo Tunnel (UCB) 04.2021
- Summary-Report SonarQube Data Center Edition 04.2021
- Review-Report noble-secp256k1 Library 04.2021
- Pentest-Report Swarm 03.-04.2021
- Pentest-Report Pomerium 03.2021
- Pentest-Report Mozilla VPN Apps & Client (Mozilla) 03.2021
- Review-Report ExpressVPN Lightway Protocol 03.2021
- Pentest-Report VeePN Browser Extension 03.2021
- Pentest-Report Mullvad VPN & Servers 11.-12.2020
- Pentest-Report Contour (CNCF) 11.2020
- Pentest-Report php-saml-sp (DeIC) 10.-11.2020
- Pentest-Report Tunnelbear VPN & Software 10.2020
- Pentest-Report 1Password B5 Web Application 10.2020
- Pentest-Report Threema Mobile Apps 10.2020
- Pentest-Report ChubaoFS (CNCF) 08.-09.2020
- Pentest-Report Thunderbird & RNP (MOSS) 08.2020
- Pentest-Report node_exporter (CNCF) 07.2020
- Pentest-Report Psiphon psipy Library 07.2020
- Pentest-Report GovTech FormSG Web & API 07.2020
- Pentest-Report Dapr 06.2020
- Audit-Report Monocypher Crypto Library (OTF) 06.2020
- Pentest-Report rustls (CNCF) 05.-06.2020
- Pentest-Report Mullvad Apps, Clients & API 05.2020
- Pentest-Report Request Network 05.2020
- Pentest-Report TiKV (CNCF) 02.2020
- Audit-Report Safing Jess Crypto-Library 01.2020
- Pentest-Report FlowCrypt (OTF) 01.2020
- Pentest-Report runc (CNCF) 11.-12.2019
- Summary-Report TunnelBear 11.2019
- Pentest-Report Keycloak 11.2019
- Pentest-Report Helm (CNCF) 10.-11.2019
- Pentest-Report Standard Notes 10.2019
- Pentest-Report Harbor (CNCF) 10.2019
- Pentest-Report gRPC (CNCF) 10.2019
- Pentest-Report Psiphon Apps & Server 10.2019
- Pentest-Report libssh C Library (MOSS) 09.2019
- Analysis-Report "Study the Great Nation" Android App (OTF) 09.2019
- Pentest-Report Rancher Web & API 07.2019
- Pentest-Report Falco (CNCF) 07.2019
- Pentest-Report Linkerd2 (CNCF) 06.2019
- Pentest-Report Fluentd/Fluent-Bit (CNCF) 05.2019
- Pentest-Report Jaeger (CNCF) 05.2019
- Analysis-Report Chinese Police App "Feng Cai" (OTF) 03.2019
- Pentest-Report Exodus iOS Mobile App 03.2019
- Pentest-Report Vitess (CNCF) 02.2019
- Analysis-Report Chinese Police App "IJOP" (HRW) 12.2018
- Pentest-Report NATS (CNCF) 11.2018
- Pentest-Report containerd (CNCF) 11.2018
- Pentest-Report Surfshark 11.2018
- Pentest-Report Bitwarden 11.2018
- Summary-Report TunnelBear 10.2018
- Pentest-Report CrypTech/DiamondKey 09.2018
- Pentest-Report Frame Electron App 09.2018
- Pentest-Report Mullvad VPN Clients 09.2018
- Pentest-Report Open Policy Agent (CNCF) 08.2018
- Pentest-Report Cuckoo Sandbox 07.2018
- Pentest-Report MyCrypto App 06.2018
- Pentest-Report TUF/Notary (CNCF) 05.-06.2018
- Pentest-Report Prometheus (CNCF) 05.-06.2018
- Pentest-Report imToken Wallet 05.2018
- Pentest-Report Gravitational Teleport 05.2018
- Pentest-Report CoreDNS (CNCF) 02.-03.2018
- Pentest-Report Envoy Proxy (CNCF) 02.2018
- Pentest-Report Whistler (BAM) 02.2018
- Pentest-Report MyEtherWallet Website 01.2018
- Pentest-Report SimpleSAMLphp (MOSS) 11.2017
- Pentest-Report Thunderbird & Enigmail (MOSS) 09.2017
- Pentest-Report MetaMask 08.2017
- Pentest-Report Gravitational Telekube 08.2017
- Summary-Report TunnelBear 07.2017
- Pentest-Report Psiphon 07.2017
- Pentest-Report Gravitational Teleport 04.2017
- Pentest-Report Briar Project App & Protocol (OTF) 03.2017
- Pentest-Report NTP (MOSS) 03.2017
- Pentest-Report NTPsec (MOSS) 03.2017
- Pentest-Report Ethereum Mist 11.2016
- Pentest-Report Dovecot (MOSS) 11.2016
- Pentest-Report Mozilla FxA 09.2016
- Pentest-Report cURL (MOSS) 08.2016
- Pentest-Report Access My Info (OTF) 05.2016
- Pentest-Report Padlock (OTF) 04.2016
- Pentest-Report libjpeg-turbo (MOSS) 01.2016
- Pentest-Report PCRE (MOSS) 10.2015
- Pentest-Report Peerio (OTF) 09.2015
- Pentest-Report SmartSheriff 2 (OTF) 10.2015
- Pentest-Report OpenKeychain (OTF) 08.2015
- Pentest-Report Nitrokey Storage Firmware (OTF) 08.2015
- Pentest-Report Nitrokey Storage Hardware (OTF) 05.2015
- Pentest-Report SmartSheriff (OTF) 07.2015
- Pentest-Report Cyph (OTF) 06.2015
- Pentest-Report SC4 06.2015
- Pentest-Report Whiteout 06.2015
- Pentest-Report StreamCryptor 04.2015
- Pentest-Report F-Droid / Bazaar (RFA) 01.2015
- Pentest-Report CaseBox (Code Audit) (RFA) 06.2014
- Pentest-Report CaseBox (Production) (RFA) 08.2014
- Pentest-Report miniLock (RFA) 07.2014
- Pentest-Report Clipperz (RFA) 04.2014
- Pentest-Report Onion Browser (RFA) 04.2014
- Pentest-Report OpenPGP.js (RFA) 03.2014
- Pentest-Report SecureDrop (FPF) 12.2013
- Pentest-Report Globaleaks (RFA) 06.2013
- Pentest-Report Mailvelope (RFA) 12.2012 – 02.2013
- Pentest-Report Cryptocat 2 (RFA) 11.2012
- Cure53 Browser Security White Paper
- ECMAScript 6 for Penetration Testers - How the new JS changes Web- and DOM Security
- X-Frame-Options: All about Clickjacking?
- DOMPurify: Client-Side Protection Against XSS and Markup Injection
- Experience Report: An Empirical Study of PHP Security Mechanism Usage
- ECMAScript 6 for Penetration Testers - How the new JS changes Web- and DOM Security
- Static Detection of Second-Order Vulnerabilities in Web Applications
- Code Reuse Attacks in PHP: Automated POP Chain Generation
- Scriptless Timing Attacks on Web Browser Privacy
- X-Frame-Options: All about Clickjacking?
- Simulation of Built-in PHP Features for Precise Static Code Analysis
- mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations
- SS-FP: Browser Fingerprinting using HTML Parser Quirks
- Scriptless Attacks – Stealing the Pie Without Touching the Sill
- On the Fragility and Limitations of Current Browser-provided Clickjacking Protection Schemes
- Crouching Tiger – Hidden Payload: Security Risks of Scalable Vectors Graphics
- The Bug that made me President: A Browser- and Web-Security Case Study on Helios Voting
- IceShield: Detection and Mitigation of Malicious Websites with a Frozen DOM
- All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces
- Exploiting the unexploitable with lesser known browser tricks
- An Abusive Relationship with AngularJS
- Copy & Pest – A case-study on the clipboard, blind trust and invisible cross-application XSS
- ECMAScript 6 from an Attacker's Perspective – Breaking Frameworks, Sandboxes & everything else
- In the DOM, no one will hear you scream – A journey into the moldy layer between HTML and JS
- JSMVCOMFG – To sternly look at JavaScript MVC and Templating Frameworks
- The innerHTML Apocalypse – How mXSS attacks change everything we believed to know so far
- Scriptless Attacks – Stealing the Pie without touching the Sill
- The Image that called me – Active Content Injection with SVG Files
- Locking the Throne Room – How ES5+ will change XSS and Client Side Security