News

Code of the Week #4: The Hidden Flaws

Welcome to another insightful entry in our “Code of the Week” series, where we unravel the subtle intricacies and hidden vulnerabilities within our code. This week marks our fourth exploration into code pitfalls that are often overlooked but can have significant implications if left unaddressed. Today, we delve into a critical aspect of web application security – Cross-Site Request Forgery (CSRF) protections. Our focus will be on a commonly employed but occasionally flawed implementation of CSRF token validation.


Code of the Week #3: The Hidden Flaws

Welcome back to our “Code of the Week” series! This is the third installment where we continue our deep dive into the less obvious, but equally critical, vulnerabilities hidden within our code. Today, we’re going to uncover another sneaky issue that, much like our previous episodes, might be sitting unnoticed, ready to cause havoc under the right circumstances. This time around, we’re examining a scenario that’s commonplace in many applications but contains a subtle flaw that could lead to significant vulnerabilities, especially when handling user input and array indexing.


AWS Red Team Expert (ARTE) Review

ARTE (or htARTE) is a certification issued by Hacktricks Training, a training organization created by Carlos Polop, who is also the creator of the well-known hacktricks cheatsheet. The aim of the certification is to present different exploitation techniques on the AWS services most commonly used in corporate environments, and to provide a methodological basis for white-box audits (configuration audits) and black-box audits (penetration testing and red team engagements).


Code of the Week #2: The Hidden Flaws

Hey, everyone! It’s time for the second episode of our “Code of the Week” journey, where we zero in on the more obscure, yet critical, vulnerabilities lurking in our codebases. This week, we’re shedding light on a subtler, yet potentially devastating, issue. In this episode, we’re delving into the world of thread safety and authentication mechanisms, focusing on a vulnerability that arises from using static class attributes in a multithreaded environment.


Code of the Week #1: The Hidden Flaws

Hey everyone! Welcome to the first installment of “Code of the Week,” where we dive deep into the lesser-seen side of coding vulnerabilities. We’re skipping past the usual suspects like SQL injections and XSS because, let’s face it, there’s enough out there on those already. Instead, we’re on the lookout for those sneaky, hidden flaws that don’t get enough spotlight but can cause just as much trouble. The goal here is simple: spot those tricky bugs, understand why they’re a problem, figure out how to fix them, and learn how to catch them automatically next time.


RealWorldCTF: OKPROOF - Write Up

Write-up for the cryptanalysis challenge from RealWorld CTF (2023). What is the RealWorld CTF? “All challenges are built on the top of real world applications. Hack the Real. Super Hunters Conquer Together.” - Their site. Most of the time the challenges are based on 0-days to find, or 1-days in more or less well-known GitHub projects. This CTF is renowned for being one of the hardest in the world (see the Zerotistic article from the previous week, which deals with a complicated 2024 pwn/low-level challenge).


RealWorldCTF: Let's party in the house - Write Up

Let’s party in the house - pwn write-up. This weekend, the RealWorld CTF took place. It is one of the most famous and prestigious CTFs in the world. I played with “Friendly Malteze Citizens” and took 3rd place. This article is a write-up of the challenge “Let’s party in the house”, a binary exploitation challenge of difficulty “Schrödinger” (the rating scale is baby/medium/hard/schrödinger). We were one of only six teams to solve it.


Hackcyom is a consulting firm specializing in cybersecurity and secure cloud computing.

Hackcyom is a privately funded, independent information security consultancy based in Paris, France. Drawing on our expertise and methodologies, we offer highly qualified cybersecurity consulting, audit, engineering and innovation services. We pride ourselves on specializing in highly complex information security projects that require both expertise and tact. One of our specializations is helping cloud operators design and secure their services and infrastructures. In France, Hackcyom is the leader in the niche field of information security consulting for sovereign clouds (SecNumCloud-qualified or candidates for qualification). We also advise on other qualifications such as PAMS, PDIS, ISO27001, NIS2, DORA, etc. Hackcyom also provides audit services, penetration testing, risk analysis (EBIOS Risk Manager), secure engineering consulting and assistance, SDLC consulting, encryption management consulting, etc. Hackcyom is pronounced like “axiom”, the mathematical term, because we want our clients to work on and focus on their core business while treating their information security as a given, thanks to us.


10 rue de la Paix, 75002 Paris