The anomaly serial killer doll

Hunting missing checks with anomaly detection

In our previous article we focused on taint-style vulnerabilities, i.e., those that are essentially due to a lack of input sanitization, which allows tainted, user-controlled data to reach sensitive functions. Some of these arise due to missing checks in code, such as: failure to check authentication, authorization...



Exploiting code graphs

Mining graph representations for vulnerabilities

As we have seen in our previous revision article, probably the most interesting and successful approach to automated vulnerability detection is the pattern-based approach. Since we expect to extract meaningful patterns from the code we also need a "comprehensive and feature rich representation"[1] of it. Other...



Save the world!

How to solve Save the World from WeChall!

First of all, let’s review the problem statement at WeChall: It is year 2018, the world war III is upcoming between USA and China. You are a secret agent working for the USA. The USA Information Gathering Agency gathered three RSA enciphered messages. All messages were originated from the …



Asymmetric DoS, slow HTTP attack

The story of David and Goliath

Have you ever heard that beautiful story of David and Goliath, where an underdog, a highly underestimated guy who was expected to lose, shut down the biggest and strongest of the enemies? Fine! Because today we are going to talk about those unequal scenarios. Furthermore, we are going to battle one …



Machine-learning to hack

Machine learning for vulnerability discovery

To date, the most important security vulnerabilities have been found via laborious code auditing. Also, this is the only way vulnerabilities can be found and fixed during development. However, as software production rates increase, so does the need for a reliable, automated method for checking or classifying this code in …



Vulnerability disclosure ecosystem

Responsible vulnerability disclosure

An information security vulnerability is a flaw or a weakness in a system or application that a malicious attacker could exploit, resulting in a compromise of the confidentiality, integrity or availability of both software and hardware systems. We as Security Testers (or pentesters, white hat hackers) find every day …



Release the BEAST!

Understanding the BEAST

The Browser Exploit Attack on SSL/TLS (B.E.A.S.T) - bet you thought it was a rampage hack that launched nukes - is a practical attack demonstrated by Thai Duong and Juliano Rizzo at ekoparty in 2011. That was the lamest introduction ever, it’s not because the …



My heart bleeds (but not for you)

Understanding the flaw behind Heartbleed

Back in April 2014, one of the biggest vulnerabilities in recent history was found: Heartbleed. The popular open source cryptographic software library OpenSSL had a critical flaw [1] in the implementation of an extension of the Transport Layer Security (TLS) protocol. The wide use of OpenSSL on several services such …



Stand on the shoulders of giants

About software composition analysis

In our last post, we reproduced the discovery of a vulnerability in libpng. But that is only a small library, you might say, with a very limited scope and only 556 KiB installed. However, many, many packages depend on it. To see how many packages in the Arch Linux repository …



Will machines replace us?

Automatic detection vs. manual detection

More than 20 years have passed since Garry Kasparov, the chess world champion, was defeated by Deep Blue, the supercomputer designed by IBM. For many people, that event was proof that machines had managed to exceed human intelligence [1]. This belief raised many doubts and concerns regarding technological advance, that …


