Author Archive

Android Application Penetration Testing

May 18th, 2011
Bonsai Information Security is providing a new service.

This service aims to raise the security level of applications developed for this platform by detecting potential vulnerabilities that could pose a risk to the company. Our methodology includes the analysis of file permissions, system processes, databases, system calls, HTTP requests, web services used and logic operations specific to the application. The goal is to detect possible security weaknesses, which are reported together with strategic recommendations for mitigating them.

For more information:

lucas.apa bonsai, open source, security

Capture the Captcha – It’s now Online !

May 13th, 2011

Bonsai Information Security presents: Capture the Captcha – The Game !

A Captcha is a type of challenge-response test used in computing to ensure that the response is not generated by a computer. It is a contrived acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”.

The process usually involves one computer asking a user to complete a simple test (the Captcha) which the computer is able to generate and grade. Because other computers are unable to solve the Captcha, any user entering a correct solution is presumed to be human.

There are a lot of Captcha implementations out there, written in JSP, PHP, ASP and .NET, which are very poorly implemented and introduce serious bugs into the Web applications they are supposed to protect. We designed this CTC contest to serve as an educational exercise that gives participants experience in securing Web applications from automated attacks, as well as in evaluating and reacting to the sort of Captchas found in the wild.
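As an added illustration of the server side of the challenge-response process described above (this is not code from the original post or from the CTC game), a minimal Python grader that keeps the expected answer server-side, and makes each challenge single-use and time-limited; the class, method names and the 120-second lifetime are assumptions for the example:

```python
import hmac
import secrets
import time

# Assumed value: how many seconds an issued challenge stays valid.
CHALLENGE_TTL = 120


class CaptchaService:
    """Server side of a captcha: issues challenges and grades answers."""

    def __init__(self, ttl=CHALLENGE_TTL, clock=time.time):
        self._pending = {}   # token -> (expected answer, expiry timestamp)
        self._ttl = ttl
        self._clock = clock  # injectable so the expiry path can be exercised

    def issue(self, answer):
        """Register a freshly generated challenge whose solution is `answer`.

        Only an opaque random token leaves the server. The answer itself is
        never sent to the client (not in a hidden field, cookie or image
        name), so it cannot simply be read back out of the page.
        """
        token = secrets.token_urlsafe(16)
        self._pending[token] = (answer, self._clock() + self._ttl)
        return token

    def verify(self, token, response):
        """Grade `response` for `token`; True only for a fresh, correct answer."""
        # pop() makes every challenge single-use: a token that was solved
        # once cannot be replayed to pass the check again.
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        expected, expires_at = entry
        if self._clock() > expires_at:
            return False  # expired: the user must request a new challenge
        # Constant-time comparison; case-insensitive like most visual captchas.
        return hmac.compare_digest(
            expected.lower().encode("utf-8"),
            response.strip().lower().encode("utf-8"),
        )
```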

Teams are scored on their success in breaking the security behind 10 different Captcha implementations, using automation and hacking techniques with the objective of bypassing the human verification process. The winner of the game will be the user or team that bypasses the largest number of Captchas in the least time, and will receive the main prize: a 50 USD Amazon Gift Card.

The CTC game starts at 2011-05-13 21:00:00 GMT+0 and ends at 2011-07-15 21:00:00 GMT+0, or earlier if any participant breaks ALL the Captchas.

Happy Captcha Killing !

Follow @bonsai_sec on Twitter for Tips, Tricks & More

lucas.apa bonsai, security

Ekoparty Security Conference 2010

September 23rd, 2010

Last week, the most important security conference of Latin America was held in Buenos Aires, where security specialists from all over the world had the chance to get involved with state-of-the-art techniques, vulnerabilities and tools in a relaxed environment. The sixth edition of ekoparty brought together over 850 security specialists from around the world in the most technically in-depth conference of the region.

Among the lectures, Bonsai Information Security presented “Web Application Security Payloads”. This research, led by Andres Riancho and Lucas Apa, explores a new concept in a theoretical and practical setting. Part of this research looks at how to distinguish the system calls involved in a web application vulnerability and then leverage them to obtain sensitive information in an automated way.

Lucas Apa & Andrés Riancho

ekoparty 2010 – Web Application Security Payloads

The “Web Application Security Payloads” implementation was developed as a part of the w3af framework, an Open Source Web application attack and audit framework developed by contributors around the world since 2007 and directed by Andrés Riancho.

Among other long-awaited talks, Juliano Rizzo & Thai Duong presented “Padding Oracles Everywhere”, where they easily demonstrated an advanced 0-day technique to decrypt and tamper with sensitive ASP.NET data.

lucas.apa bonsai, conferences, ekoparty, open source, security, w3af