Pentagrid AG

@pentagrid@infosec.exchange
Pentagrid performs technically solid IT security assessments.
Location: Buchs SG, Switzerland
Web: https://www.pentagrid.ch
Imprint: https://www.pentagrid.ch/en/pages/imprint-and-contact/
LinkedIn: https://www.linkedin.com/company/pentagrid/
GitHub: https://github.com/pentagridsec
At Pentagrid, we occasionally review our clients' internal processes to identify IT security risks. When we discovered that large sums of money are transferred with just a few clicks and no transaction verification, we helped secure the process. At the same time, we developed a tool to support this improvement. #itsecurity #infosec #iso200222 #pain001 https://www.pentagrid.ch/en/blog/pain001-interfaces-and-payment-of-your-salary/
ISO 20022, Pain001 and payment of your salary

Pain001 is a common way to instruct banks to send large amounts of money to different recipients, often sent via an insecure channel and with no interface for transaction reviews.

A story about looking at the effectiveness of web application firewalls and finding bypasses for the filter ruleset. https://www.pentagrid.ch/en/blog/airlock-web-application-firewall-ruleset-testing-and-waf-bypasses/ #WAF #OWASP #coreruleset #ergon #airlock
An excursion into Airlock WAF ruleset testing

A story about looking at the effectiveness of web application firewalls (WAFs) and finding bypasses for the filter ruleset.

Pentagrid published two #Hackvertor tags for #EAN13 (also Swiss AHV numbers) and #TOTP for #2FA. These tags are available via the Hackvertor Tag Store by @garethheyes. Our blog post explains what these tags do and how they can be used. https://www.pentagrid.ch/en/blog/hackervertor-ean13-and-totp-tags-for-web-application-penetration-testing-with-burp/ #pentest #OWASP
Hackvertor EAN-13 and TOTP tags for web-application penetration testin

Using Hackvertor tags for Swiss social security number and EAN-13 generation and for second factor authentication with TOTP in web pentests.

Pentagrid is looking for an IT security analyst (d/f/m) in Buchs SG, Switzerland. https://www.pentagrid.ch/en/pages/career/ #FediHire #infosec
Career

Open job postings for IT Security Analysts, Penetration Testers and Red Teamers

Today, our certificate transparency monitoring popped up with an InvalidSignature exception, because we didn't add the recent Let's Encrypt intermediate CAs as monitoring trust anchors. We updated the documentation accordingly, but it is good to see it working. If you want to monitor your certificates, you may run your own instance. https://github.com/pentagridsec/check-transparency-logs
GitHub - pentagridsec/check-transparency-logs: Retrieve server certificate data from transparency logs or APIs and compare it to certs we know we have.

If you want to protect your IT #infrastructure against #MITM attacks where an attacker bypasses domain verification to obtain valid certificates, you may want to use #CAA and #accountURI binding, which is easy to set up. https://www.pentagrid.ch/en/blog/domain-verification-bypass-prevention-caa-accounturi/ #hardening
How to prevent domain verification bypasses of your server certificate

Description of the CAA accounturi binding to mitigate or prevent domain verification bypasses and monitoring approaches like certificate transparency log analysis.

Our colleague Michael will be speaking about #Unify #OpenScape and #OpenStage #VoIP phones at the #Area41 security conference in Zurich on June 6. If you use these VoIP systems, we recommend coming to the talk.
It happened again. We accidentally broke another #hotel check-in #terminal. This time Mr O'Yolo triggered a problem, crashed the #Ariane Allegro Scenario Player and escaped the #kiosk mode, which enabled access to the Windows Desktop: https://www.pentagrid.ch/en/blog/ariane-allegro-hotel-check-in-terminal-kios-escape/ #itsecurity #infosec
Kiosk mode bypass for an Ariane Allegro Scenario Player based hotel ch

A hotel check-in kiosk application crashed when entering a single quote into the guest search, which enabled access to the Windows Desktop. The terminal uses the Ariane Allegro Scenario Player.

This is not a late April Fool's joke: After #37C3, we accidentally dumped the keypad codes of almost half of an IBIS hotel's rooms by entering some dashes into a check-in terminal: https://www.pentagrid.ch/en/blog/ibis-hotel-check-in-terminal-keypad-code-leakage/ #itsecurity #infosec #ibis #accor #terminal #hotel
IBIS hotel check-in terminal keypad-code leakage

An IBIS hotel check-in terminal leaked room door key codes of almost half of the rooms.

SQL injection in YABOOK port administration allows authentication bypa

An SQL injection on the login page of the YABOOK port administration allows authentication to be bypassed and disclosure of all data.
