Is there an easy way to dissect .NET Remoting traffic for reverse engineering?

I’m working on a vulnerability within an application that uses .NET Remoting. I can see from the code that there are a number of potential ways to get RCE, but due to how the application performs its communications I cannot j…

Can a named pipe with a low integrity label have its SACL/DACL modified by a low integrity process?

If a named pipe on Windows has a Low Mandatory Level label and SYSTEM_MANDATORY_LABEL_NO_WRITE_UP in its SACL, but the DACL has WRITE_DAC and WRITE_OWNER for the current user, can a low integrity process running under that us…

Are all fields of the PE certificate directory hashed during authenticode signing?

In a Windows portable executable (PE) file the certificate directory points to an offset to a WIN_CERTIFICATE structure. My understanding is that while the field is named bCertificate, it actually contains an array of certificates in ASN.1…

Are there any Common Weakness Entries (CWEs) applicable for hardware security weaknesses?

I can’t seem to find a suitable CWE for classifying hardware-specific security weaknesses. Particularly, I’m looking for a CWE that applies to power glitching or clock glitching against a microcontroller or microprocessor.

Are there any C…

How does non-ephemeral Diffie-Hellman key exchange become compromised in SSL when the RSA private key is leaked?

From my understanding, one of the major reasons we recommend Diffie-Hellman Ephemeral (e.g. DHE or ECDHE) over non-ephemeral DH, for SSL / TLS, is that compromise of the RSA private key (i.e. private certificate) would allow an attacker to…

Is NTFS file compression vulnerable to a CRIME-like attack when using an encrypted volume?

I know that content compression can cause SSL to be vulnerable to the CRIME attack, via changes in the content length when injected plaintext matches existing content. Does this principle carry over to NTFS file compression on volumes that…

Is behavioural analysis (e.g. keystroke dynamics) a reliable security mechanism for MFA?

The typical set of multi-factor categories is as follows:

Something you know (e.g. a password)
Something you have (e.g. a hardware token, or key file)
Something you are (e.g. a fingerprint or retina scan)

I’d argue that there is a four…