- — 24th May 2013
The Positive Hack Days conference, which has already become a tradition, was held in Moscow on 23-24 May and was excellent. Besides technical talks and workshops, there was a business section with talks on organizing security as a process, both within companies and at the state level. The CTF and other competitions also deserve a mention: they were really exciting! So there was something for everyone.
Our team presented the talk "Lie to me: bypassing the current WAF".
Our team of experts maintains the high standard set in the first competition, "Month of searching Yandex vulnerabilities". Our colleagues from Yandex said that at that time only our team was able to find Remote Code Execution (RCE) in their search system services.
The head of the Yandex security department, Anton Karpov, said the following about one of our vulnerabilities:
"Very nice submission from @d0znpp for #YandexBugBounty. The best report so far."
We appreciate Yandex's active role in raising the level of information security and promoting this field as a whole.
The body of research "Pwning via SSRF (memcached, php-fastcgi, etc)", carried out in 2012 by our team of experts and our colleagues from DsecRG, was recognized by WhiteHat Security as one of the best web application attack techniques of the year.
In the final, our work lost only to the CRIME attack on the SSL protocol, which, objectively, is very theoretical. Another piece of work by Russian experts, "Bruteforce of PHPSESSID" from the Positive Technologies Research Team, was awarded fourth place.
You can find more information on the official website, Top Ten Web Hacking Techniques of 2012.
Read about the new attack techniques against memcached, FastCGI and other services in our report "SSRF attacks and sockets: smorgasbord of vulnerabilities".
Our research in this area is ongoing. We will present new results in April at the international conference HITB-2013, which will be held in Amsterdam. A description of the talk is on the official conference website.
- — 21st November 2012
First of all, we want to thank the organizers of the ZeroNights conference!
ZeroNights is an international conference of information security experts. It was held in Moscow on 19-20 November and gathered more than 600 participants. The main part of the conference featured 25 technical talks, and we think about 13 of them were completely new. Besides the talks, the workshops from leading experts were of particular interest.
At the end of the event, experts shared their achievements at the zero-day show. They demonstrated practical attacks on popular server and home software.
Our experts Vladimir Vorontsov and Alexander Golovko prepared the report "SSRF attacks and sockets: smorgasbord of vulnerabilities". You can find their presentation here
Shortly before the conference, ONsec ran the ZeroNights HackQuest competition. We are pleased to congratulate our winners:
Our experts' microblogs: