Blog


In God we trust; rest we test!

Instamojo Woocommerce Plugin XSS

We use Instamojo as a payment gateway for Indian customers on our security education platform, OpSecX. Instamojo provides a plugin that can be used with WooCommerce. To ensure our customers' safety, we do a code review and security analysis of the plugins we use. Our security assessment revealed that the Instamojo plugin is affected by a reflected cross-site scripting (XSS) vulnerability.

OS X Mavericks 10.9.5 – out of bound read/write in memmove()

Running the cat command on a malformed file in OS X Mavericks' Terminal.app results in a crash. This post explains the crash analysis. Code execution was not achieved due to the limited buffer.

AppLock MITM Password Reset Vulnerability

AppLock is an Android application used to add a lock screen to the gallery and other applications. The app has a vulnerability in its web backend that allows an attacker to reset anyone's password with a MITM attack.

Reversing DexGuard’s String Encryption

DexGuard is a commercial tool used for protecting Android binaries (APKs), mainly from reversing and tampering. It provides features like code obfuscation, class encryption, string encryption, asset/resource encryption, tamper protection, anti-debugger checks, VM/environment checks, SSL pinning, etc. This blog post explains the decryption/reversing of DexGuard 6.1's string encryption.

Bypassing Content Security Policy with a JS/GIF Polyglot

This post explains the creation of a JS/GIF polyglot to bypass Content Security Policy (CSP) in certain scenarios. We will build a custom polyglot file that is both a valid GIF and valid JavaScript, and use Xenotix to simulate real-world exploitation.