Labs

Take a look at our tools, presentations, and policies.

Advisories

Edison Mail Advisory – August 2019
Qolsys Advisory – October 2015
Systech Advisory – April 2016
Sierra Wireless Advisory – June 2016
Netcomm Wireless Advisory – June 2016

Slides

Tools

Inzure Blog + Tool
Mallory

Disclosure Policy

Coordinated Disclosure

Whitepapers

Patching BL/BLX instructions in ARM

by Jeremy Allen | October 15, 2015 | IOT, Labs, Techniques | 0 Comments

We are often looking at ARM binaries in our favorite disassembler as we work on mobile applications and "Internet of Things" devices. As we worked on this binary we discovered a particular branch instruction that we wanted to modify. If you are familiar with the X86...

The 5 Most Common GraphQL Security Vulnerabilities

by Aidan Noll | Apr 16, 2020 | Exploits, Labs, News, Techniques, Tools

Intro - GraphQL GraphQL (GQL) is a popular data query language that makes it easier to get data from a server to a client via an API call. GQL is commonly deployed as a critical piece of the technology stack for modern web and mobile applications, and as a result,...

Rule-Based Highlighter Plugin for BurpSuite

by Ángel Suárez-Bárcena Martín | Feb 18, 2020 | Labs, Techniques, Tools, Web

BurpSuite is one of those must-have tools when dealing with web application or API security assessments. Usually, when proxying applications through Burp, a fair amount of noise (advertising and user-tracking 3rd party services, CORS preflight checks, etc.) is also...

Owning a device with a single jump

by Danny Rosseau | Jan 13, 2020 | Exploits, IOT, Labs

Back when I first read about this thing called “hacking” I thought I’d be spending all my days overflowing NSA buffers with plagiarized shell code and going by some cool hacker name like “1337BadGeR”. Sadly for me, upon entering the actual world, I had to get back in...

Network monitoring with nmap

by John Poch | Nov 4, 2019 | Labs, Tools

Asset management is a problem we help many of our customers with. What are an organization's assets, and how accurate and up-to-date is this information? Even with a mature asset management program, organizations want some form of validation of their result. From a...

Android Hard Coded Secrets

by Danny Rosseau | Aug 30, 2019 | Android, Labs, Mobile, Techniques

One of the more common findings we report for Android security reviews is an issue involving hard coded secrets. This blog post will specifically focus on hard coded secrets used for encrypting application data. I'll try to use a bit of light threat modeling and risk...

Command Injection with USB Peripherals

by Danny Rosseau | Aug 22, 2019 | Android, Exploits, IOT, Labs, Mobile, Techniques

When this Project Zero report came out I started thinking more about USB as an interesting attack surface for IoT devices. Many of these devices allow users to plug in a USB and then perform some actions with that USB automatically, and that automatic functionality...

« Older Entries