Date Thu 10 October 2024
Author Mathieu Farrell
Category Pentest

The following article explains how during an audit we took a look at Apache Superset and found bypasses (by reading the PostgreSQL documentation) for the security measures implemented.

Date Tue 08 October 2024
Author Mathieu Farrell
Category Pentest

The following article explains how during a Purple Team engagement we were able to identify a vulnerability in Microsoft Teams on macOS allowing us to access a user's camera and microphone.

Date Thu 03 October 2024
Author Célian Glénaz
Category Cryptography

Following a brief introduction to differential fuzzing, this blog post reviews the leading tools that leverage it for testing cryptographic primitives. In the second half, we present a method for creating a differential fuzzer along with the results we obtained.

Date Tue 24 September 2024
Author Julio Loayza Meneses
Category Cryptography

In this blog post we present crypto-condor, an open-source test suite for compliance testing of implementations of cryptographic primitives.

Date Tue 17 September 2024
Author Mathieu Farrell
Category Pentest

The following blogpost explains how during a Red Team engagement we were able to identify several vulnerabilities including Remote Code Executions in the latest version of Chamilo.

Date Wed 04 September 2024
Author Pentest Team
Category Software

Quarkslab was mandated by the Open Source Technology Improvement Fund, Inc. to proceed with the security assessment of the Operator Fabric project. The purpose of this assessment is to deliver an expert opinion of the security level reached by the application at a specific moment.

Date Tue 27 August 2024
Authors Elouan Wauquier, Madigan Lebreton
Category Blockchain

Drawing from our audit of Airswift's SCF, we discuss part of Soroban's security model and showcase common vulnerabilities. SCF, for "Supply Chain Financing", is the DeFi product developed by Airswift that "optimizes funds flow" between buyers and suppliers. It is developed on Stellar's smart contract platform: Soroban. Airswift mandated Quarkslab for an audit of their smart contracts, with support from the Stellar Development Foundation. In this blog post, we present the results of this audit, and share common pitfalls to avoid on Soroban.

Date Tue 20 August 2024
Author Philippe Teuwen
Category Cryptography

We studied the most secure static encrypted nonce variant of "MIFARE Classic compatible" cards -- meant to resist all known card-only attacks -- and developed new attacks defeating it, uncovering a hardware backdoor in the process. And that's only the beginning...

Date Tue 30 July 2024
Author Tom Mansion
Category Exploitation

This is a writeup of a heap pwn challenge at HitconCTF Qualifiers 2024, which explains some glibc malloc internals and some heap exploitation tricks that can be used for getting a shell!

Date Tue 16 July 2024
Authors Mihail Kirov, Sébastien Rolland
Category Software

We performed a security assessment of Cloud Native Buildpacks to help improve it, in collaboration with Open Source Technology Improvement Fund, Inc .