Fine penetration tests for fine websites

Fri 19 Jul, 12:00:21

Cure53 Pro-Bono Pentest Summer 2013

Apply for 5 days of free penetration testing!

What's going on?

We are proud to announce the first edition of the Cure53 Pro-Bono Pentest competition. This means that one lucky open source software project with a humanitarian, privacy- or security-related focus will win a full work week donated by the Cure53 team exclusively to its vision.

What's at stake?

Beat the competition and you'll get 5 (that's five!) full days of free penetration testing, including report, fix support and follow-up communication. It is up to you to decide whether the final test report is to be published or not. No strings attached, no small-print. Just five days of our time for your project. Period.

How does it work?

Starting today (19th of July), you can submit an application for a pro-bono pentest of your open source software project by sending us an email with a short description of your idea and an answer to a simple question: What makes your project deserve a free pentest from us? That's all.

The deadline for applications is mid August (the 19th to be precise, 23:59:59 GMT+1). We will then have a look at all applications and choose the one we deem most important, relevant and best fitting in terms of Cure53 strengths and interests. We will notify the applicants and announce the winner right afterwards.

Looking forward to hearing about your projects. Good luck!

Sat 13 Jul, 19:56:29

HackPra Allstars Conference Track

Offensive security track at OWASP AppSec EU 2013 in Hamburg

General Info

Cure53 will sponsor and co-host the HackPra Allstars conference track accompanying OWASP AppSec EU 2013 in Hamburg, Germany.

HackPra Allstars delivers in one full day what the legendary HackPra does in one semester! HackPra Allstars will present the finest, hand-selected talks from prolific speakers and top-tier researchers in the field of web security (and the lack thereof).

You can think of the HackPra Allstars as a conference inside a conference — offering you one day with the most interesting influencers in today’s web application security and in-security.

HackPra Allstars is a dedicated invited-speakers track at the OWASP AppSec EU 2013 conference on August 22. The track will be open to all regular attendees of the main conference.


The HackPra Allstars line-up consists of the following gentlemen:

The HackPra Allstars Keynote will be held by Prof. Dr. Jörg Schwenk, NDS, RUB


Learn about the services we offer

Penetration tests for online services

Cure53 offers classic black-box penetration tests (zero-knowledge) as well as white-box tests and code audits. Web application and mobile app developers speak many languages, and so do we. From classic languages such as PHP, JavaScript, ActionScript, Java, Ruby, Python and Perl to more exotic candidates like web back-ends written in C++ and Delphi – we've seen them. During our assignments we appreciate contact with the development team so that we can discuss bugs, vulnerabilities and fixes as quickly as possible. By the time the report is submitted, all critical bugs we spotted are usually fixed already – or soon thereafter.

Our assignments don't end with the report submission. Ongoing communication and knowledge transfer are part of the package – we rarely experience the often-mentioned gap between development and security.

Since Cure53 was founded in 2007, we have performed several hundred penetration tests against all kinds of web applications, online services, hardware interfaces, mobile applications, libraries and crypto tools. We value manual and thorough tests, human interaction and communication, and a short yet to-the-point penetration test report without overhead or pie charts no one wants to see.

Security analysis and architectural advice

Sometimes security advice is necessary before a penetration test would even make sense. Especially for young and quickly developing projects, an early security analysis, design help and architectural advice help more than a penetration test close to the launch date. We can help you find out whether a chosen third-party software component is secure enough, whether a GitHub repository looks trustworthy, or whether a design pattern can resist real-life attacks.

In the past, we have helped many projects during the design phase and early development stages by pointing out hidden risks and possible security pitfalls – before any code was written. Getting professional security advice before the majority of the code is written often saves a lot of energy and helps young projects in particular to focus on what they need to do: code safely without worrying about a bitter end.

Training and consulting

Cure53 delivers a range of web security related training courses that range from a single, intense day to a full five-day week. Trainings are available in German and English and are carried out by one, two or even three members of the team, depending on the number of participants.

Cure53 has carried out several dozen web security trainings in Germany, Belgium, Switzerland, the UK and even India. We have trained small startups as well as major telecommunication providers, government institutions, university students and fully-fledged, well-experienced web penetration testers.

Our trainings are known to be intense and a fire-hose of knowledge – almost too much to take. Needless to say, all participants will get a copy of the training slides with examples, links and more. Questions arising after the training event will be answered by our team as part of the package.

We frequently offer training courses at conferences, but focus on corporate trainings for classes of 10 to 25 students (and masters – many trainings end with us learning new things as well). To learn about course contents, get a preview of the training slides or ask for a quote, please contact us!

Incident management, web malware analysis

"We got hacked. Do what now?" Cure53 helps answer the most pressing questions after an incident has happened, can help track down the root cause, and assists in finding ways to make sure it doesn't happen again. We can further help make your backend a bit safer – to minimize the damage in case the unpleasant event ever happens again. Cure53 has helped migrate millions of user accounts to secure password storage and communicate security fixes to unwilling third-party vendors.

Our team has years of academic and industry experience in web malware analysis, code de-obfuscation and attack detection – heck, we even came up with several obfuscation techniques that are now visible in the wild. If you got stung by something weird and wish to know what it was, we might be the ones to help you quickly and efficiently. A strange piece of JavaScript, a weird PDF or some nasty piece of heavily obfuscated PHP code – we know how to help you find out what it really does!


Download articles and papers

Pentest Reports



Tools & Software


Who are these people?

Meet the Cure53 Team


For business enquiries please contact

We speak PGP and S/MIME

Dr.-Ing. Mario Heiderich
Rudolf-Reusch Str. 33
D-10367 Berlin
Phone +49 1520 8675782

Tax-ID: 32/336/00536
VAT: DE-275774772

We accept Bitcoin: 1HREftqT3VGRAzFGc3J9JhS2Grjit2rMrf

During our assignments we are insured by the Gothaer Allgemeine Versicherung AG