As a security company we try to use services that are solid, trustworthy and secure and therefore we do our due diligence if we find the time for it. Checking products for IT security issues in a non-intrusive way is a part of that. You can call it supply chain security if you like.

To avoid scanning credit card paper statements sent by snail mail every month, Pentagrid was looking for an option to receive them electronically. For our bank though, the only option was to sign up for Viseca's eXpense platform, which allows access to business credit card statements in PDF format. However, uppon login into the portal for the first time, our experienced analyst's gut feeling told us something is not right. For example, the second-factor authentication when doing a login on the eXpense platform was simply typing the last four digits of our telephone number. And that's definitely not state-of-the-art security.

We decided to have a quick look. Our experience in web application security analysis told us that the download function for PDF statements was a good candidate to have a look at. We've seen this kind of functionality fail in many applications before. You may guess, what happened.

Read more…

Accounts for mobile applications are often bound to phone numbers and working with multiple people on a project may make it necessary at some point to share mobile phone numbers for receiving SMS. Also, when testing mobile applications protected by a SMS-based second-factor authentication, sharing phone numbers among the testing team is sometimes necessary and also acceptable regarding security, when the scope is only a test system. At Pentagrid, we therefore operate a small SMS Gateway, which we hereby publish as open source.

Read more…

During a penetration test, Pentagrid identified several vulnerabilities in the E-mail gateway SEPPmail version 11.1.10 developed by the Swiss company Seppmail AG. The gateway solution is used to transfer confidential E-mails.

Read more…

During a penetration test of an Electronic Banking Internet Communication Standard (EBICS) environment, Pentagrid observed a vulnerability in the EBICS banking implementation developed by CREALOGIX AG and used by many banks. EBICS is a common standard in Germany, France and Switzerland for sending payment information from customers to banks and between banks.

Read more…

We're back with another helpful Portswigger Burp Pro Proxy extension that you shouldn't miss if you do web application security analysis. This time the wasteful approach of Burp's feature "Actively scan all in-scope traffic" triggered the development of a new extension called Pentagrid Scan Controller, because there are several improvements possible and desirable.

Read more…

During a penetation test of a cloud environment, Pentagrid observed vulnerabilities in the cloud printing solution developed by Printix.net ApS, a Kofax subsidiary.

Read more…

Today we would like to talk about Burp Suite Professional and extensions again. In this blog post we explain how we can teach Burp Suite to handle a custom Transport Encoding that is spoken between an HTTP client and a server by using Burp extensions.

Read more…

Today we would like to announce the release of an updated BurpSuite extension in the BApp store.

Read more…

"Delete early, delete often" is the slightly adapted slogan reminding to minimize data leakage via lost or stolen USB thumb drives by frequently cleaning them. Are you tired of being focused to not accidentally erase the wrong USB device on your local computer when formatting an USB stick? To simplify the process, we implemented an USB eraser station software, which runs on a Raspberry Pi and that cleans USB sticks. Therefore, shreddy, ready, go!

Read more…