Date Wed 17 April 2024
Author Philippe Teuwen
Category Cryptography

Passbolt, an Open Source Password Manager, uses the Pwned Passwords service from HaveIBeenPwned to alert users if their password is present in a previous data breach. The Pwned Passwords API is based on a mathematical property known as k-Anonymity, which guarantees that it never gains enough information about a non-breached password hash to be able to breach it later. Sounds good, right?

Date Tue 26 March 2024
Author Lucas Di Martino
Category Containers

This second article describes how to convert a Silo into a Server Silo in order to create a Windows Container. In addition, it dives into certain Kernel side Silo mechanisms.

Date Fri 22 March 2024
Author Dahmun Goudarzi
Category Cryptography

In March 2024, SandboxAQ proposed a CTF around Post-Quantum Cryptography (and more specifically Kyber's key exchange) for the RWPQC workshop. Here is our write-up of the solutions to the challenges.

Date Thu 21 March 2024
Author Mathieu Farrell
Category Pentest

The following article explains how, during a Red Team engagement, we were able to develop a 1day for GLPI CVE-2023-43813, which later led to the identification of an arbitrary object instantiation leading to an SSRF, referenced as CVE-2024-27098, as well as an SQL injection, referenced as CVE-2024-27096.

Date Tue 19 March 2024
Authors Madigan Lebreton, Elouan Wauquier
Category Blockchain

Allbridge's maintainers, with support from the Stellar Development Foundation, engaged Quarkslab to perform an audit of the Allbridge Core implementation in the Stellar ecosystem. This new implementation uses Stellar's smart contracts platform: Soroban.

Date Thu 07 March 2024
Authors Eloïse Brocas, Sami Babigeon
Category Reverse-Engineering

Ever wanted to find a nice tool to easily represent cartography results and other graphs? The Sourcetrail tool could be a nice solution! In this blog post, we will introduce two of our tools: Numbat, a new Python API for Sourcetrail, and Pyrrha, a mapper collection for firmware cartography.

Date Thu 29 February 2024
Authors Nicolas Surbayrole, Philippe Teuwen
Category Cryptography

We announce the release of a new version of Blue Galaxy Energy, our white-box cryptanalysis tool implementing the BGE attack against AES. This version addresses the main limitations of the previous version.

Date Thu 22 February 2024
Author Julien Rakotomalala
Category Hardware

In this article, we'll see how to put an entire car, or at least its main electronic components, into a transportable box from scratch.

Date Tue 13 February 2024
Author Mathieu Farrell
Category Pentest

Discovery of a new gadget chain in Laravel.

Date Tue 06 February 2024
Author Eric Le Guevel
Category Android

Study of an Android runtime (ART) hijacking mechanism for bytecode injection through a step-by-step analysis of the packer used to protect the DJI Pilot Android application.