Outlook.com Android App HTML Injection

I like to analyse random apps on the Google Play Store, and this time I dedicated time to the Outlook.com Android App. At the time, other people were looking at the app as well and released this analysis about insecure data storage in the app. Most, if not all, email apps allow HTML emails, so I decided to play around a little bit with this. I wrote the following Python script to send emails via a Gmail account in HTML format: ``` import smtplib from email.…


CVE-2014-1634 Sql Injection Advanced Newsletter Magento Extension

A remote unauthenticated attacker is able to execute arbitrary SQL commands via the REST URL parameter an_category_id in /advancednewsletter/index/subscribeajax/an_category_id/

Vulnerable Versions: Confirmed on version 2.3.4

Solution: Upgrade to version 2.3.5

Vulnerability Timeline
22 Jan 2014 – Vulnerability reported to vendor
23 Jan 2014 – Vendor requested more details
24 Jan 2014 – Vendor acknowledged vulnerability and released new version…


Pentesting Android Applications

My slides for the May 2014 Confraria de Segurança da Informação in Portugal, where I talked about the Pentest Environment Setup, Tools of the Trade, App Analysis and some security hints for Android developers. Pentesting Android Applications from Cláudio André…
