PAYFORT – Multiple Security Issues and Concerns in a PCI/DSS compliant payment processor SDK!

TL;DR A year ago we have been contacted by one of our clients from Middle east regarding looking for/implementing a payment processing solution for their own eCommerce solution and asked us to assist them in order to give them some candidates working in the same field in the middle east but we refused because our job is to assess not to suggest specific names, they suggested us some names but one among those names were a name-with-a-reputation but they ended up not choosing this name due to insecure implementation.

Continue reading “PAYFORT – Multiple Security Issues and Concerns in a PCI/DSS compliant payment processor SDK!”

Share

CryptoJacking by Clickjacking: Bypassing Coinhive OPT-IN feature and trick users into Cryptocurrency mining!

Today’s discovery is not a big deal too, just another Clickjacking in the world, but this time in the newly added “OPT-IN” feature by coinhive and authedmine but first let’s know some terms before we begin.

What is Coinhive?

Coinhive is a cryptocurrency mining service that relies on a small chunk of javascript code designed to be installed on Web sites.

Continue reading “CryptoJacking by Clickjacking: Bypassing Coinhive OPT-IN feature and trick users into Cryptocurrency mining!”

Share

Rolling around and Bypassing Facebook’s Linkshim protection on iOS

نتيجة بحث الصور عن ‪facebook‬‏

Supp!, How are you guys! I hope you’re fine, I’m Seif Elsallamy (again) if you don’t remember me read my previous blog here: Stored XSS in the heart of the Russian email provider giant (Mail.ru)

Before we go in depth, lets know What is Linkshim ?

Continue reading “Rolling around and Bypassing Facebook’s Linkshim protection on iOS”

Share

Business Logic Vulnerabilities Series: A brief on Abusing Invitation Systems

Photo courtesy of: "Lynda Network" - https://cdn.lynda.com/course/164982/164982-636246770364412772-16x9.jpg

Hi Guys,
I am Ali Kabeel an Application Security Intern at Seekurity team. This is my first blog i hope you like it. In this blog post I will be mainly focusing on Business Logic vulnerabilities by offering some tips and tricks on how to abuse invitation systems using real-world examples from my Facebook Bug Bounty experience but first let’s get a general knowledge about some concepts.

Continue reading “Business Logic Vulnerabilities Series: A brief on Abusing Invitation Systems”

Share

List of IPs you should block in your SSH server

2 months ago we have installed some servers in countries such as Germany and Singapore in which constantly we are receiving automated SSH bruteforce attacks trying to compromise the root user mainly from countries like China, Argentina, Brasil, Ecuador, Taiwan, Korea and India. After analyzing the traffic, we disabled the root user but hours later we started receiving attacks with different users, then we proceed to block the usage of users like: admin, test, guest, info, oracle, testing, webmaster and user.

Continue reading “List of IPs you should block in your SSH server”

Share

QRLJacking – Your QR-based session belongs to us!

qrljacking

Introduction

Before we start we need to explain some frequently mentioned terms which are: QR Code, SSO and Clickjacking.

What is QR Code?

QR code (abbreviated from Quick Response Code) is the trademark for a type of matrix barcode (or two-dimensional barcode) first designed for the automotive industry in Japan. A barcode is a machine-readable optical label that contains information about the item to which it is attached. A QR code uses four standardized encoding modes (numeric, alphanumeric, byte/binary, and kanji) to efficiently store data; extensions may also be used.

Continue reading “QRLJacking – Your QR-based session belongs to us!”

Share

VoIP Security Analysis with Asterisk

fb-1
Adopting new technologies such as VoIP by small, medium and large companies,
isn’t only  about the benefit representing a decrease in costs, is about an risk increase exposure too,
which can be reflected in the payment of  large sums of money , because (national or international)
calls made by people outside the company.
Share