Labs
Take a look at our tools, presentations, and policies.
Advisories
- Edison Mail Advisory – August 2019
- Qolsys Advisory – October 2015
- Systech Advisory – April 2016
- Sierra Wireless Advisory – June 2016
- Netcomm Wireless Advisory – June 2016
Slides
- 2016 April – Computers Everywhere (IoT)
- 2016 August – pin2pwn: How to Root an Embedded Linux Box With A Sewing Needle
Tools
Disclosure Policy
Whitepapers
The 5 Most Common GraphQL Security Vulnerabilities
Intro - GraphQL: GraphQL (GQL) is a popular data query language that makes it easier to get data from a server to a client via an API call. GQL is commonly deployed as a critical piece of the technology stack for modern web and mobile applications, and as a result,...
Rule-Based Highlighter Plugin for BurpSuite
BurpSuite is one of those must-have tools when dealing with web application or API security assessments. Usually, when proxying applications through Burp, a fair amount of noise (advertising and user-tracking third-party services, CORS preflight checks, etc.) is also...
Owning a device with a single jump
Back when I first read about this thing called “hacking” I thought I’d be spending all my days overflowing NSA buffers with plagiarized shellcode and going by some cool hacker name like “1337BadGeR”. Sadly for me, upon entering the actual world, I had to get back in...
Network monitoring with nmap
Asset management is a problem we help many of our customers with. What are an organization's assets, and how accurate and up-to-date is this information? Even with a mature asset management program, organizations want some form of validation of their results. From a...
Android Hard Coded Secrets
One of the more common findings we report for Android security reviews is an issue involving hard-coded secrets. This blog post will specifically focus on hard-coded secrets used for encrypting application data. I'll try to use a bit of light threat modeling and risk...
Command Injection with USB Peripherals
When this Project Zero report came out I started thinking more about USB as an interesting attack surface for IoT devices. Many of these devices allow users to plug in a USB device and then perform some actions with that device automatically, and that automatic functionality...