Fine penetration tests for fine websites
Penetration tests for online services
Security analysis and architectural advice
Training & Consulting
Contact us
View all
View all
Services Learn about the Services we offer
Penetration tests for online services

Cure53 offers classic black-box penetration tests (zero-knowledge) as well as white-box tests and code audits. Web application and mobile app developers speak many languages and so do we. From classic languages as PHP, JavaScript, ActionScript, Java, Ruby, Python and Perl to more exotic candidates like web back-ends written in C++ and Delphi – we've seen them.

During our assignments we appreciate contact to the development team to be able to discuss bugs, vulnerabilities and fixes as quickly as possible. At the time of report submission, all critical bugs we spotted are usually fixed already – or soon thereafter.

Our assignments don't end with the report submission. Ongoing communication and knowledge transfer are part of the package – we rarely experience the often mentioned gap between development and security.

Since Cure53 was founded in 2007, we have performed several hundreds of penetration tests against all kinds of web applications, online services, hardware interfaces, mobile applications, libraries and crypto tools. We value manual and thorough tests, human interaction and communication and a short yet to-the-point penetration test report without overhead or pie charts no one wants to see.

Security analysis and architectural advice

Sometimes security advice is necessary before a penetration test would even make sense. Especially for young and quickly developing projects, an early security analysis, design help and architectural advice help more than a penetration test close to the launch date.

We can help finding out if a chosen 3rd party software is secure enough, a github repo looks trustworthy or a design pattern can resist real-life attacks.

In the past, we helped many projects during the design phase and early development stages by pointing out hidden risks and possible security pitfalls – before any code was written.

Getting professional security advice before the majority of code is written often saves a lot of energy and helps especially young projects to focus on what they need to do: code safely without worrying about a bitter end.

Training and consulting

Cure53 delivers a range of web security related training courses that range from a single, intense day to a full five day week. Trainings are available in German and English language and are carried out by one, two or even three members of the team depending on the number of participants.

Cure53 has carried out several dozens of web security trainings in Germany, Belgium, Switzerland, UK and even India. We have trained small startups as well as major telecommunication providers, government institutions, university students as well as full-grown well-experienced web penetration testers.

Our trainings are known to be intense and a fire-hose of knowledge – almost too much to take. needless to say all participants will get a copy of the training slides with examples, links and more. Questions arising after the training event will be answered by our team as part of the package.

We frequently offer training courses on conferences, but focus on corporate trainings for classes of 10 to 25 students (and masters – many trainings end with us learning new things as well). To learn about course contents, get a preview to the training slides or ask for a quote please cont act us!

Publications Download articles and papers

Note that all those reports have been proudly published upon explicit request by the project maintainers, or the party that sponsored the penetration test in coordination with the project maintainer. The links below are ordered by publication date.

Pentest Reports
2024 Audit-Report MetaMask Greymass Antelope Snap Codebase & Build 09.2024 Audit-Report MetaMask Hedera Wallet Snap Codebase & Build 09.2024 Audit-Report Noble Cryptography Libraries 08.2024 Audit-Report Tuum MetaMask AuthFlow Snap Codebase & Build 08.2024 Pentest-Report Mullvad VPN Relay-Infrastructure 06.2024 Pentest-Report ExpressVPN VPN Browser Extension 05.2024 Pentest-Report Psiphon Tunnel Core Codebase 05.2024 Pentest-Report Psiphon Conduit Integration Codebase 04.-05.2024 Audit-Report Distrust Keyfork Toolkit & Library 04.2024 Audit-Report MetaMask Hedera Wallet Snap Codebase & Build 04.2024 Pentest-Report Passbolt UWP Windows App 03.2024 Pentest-Report IVPN Websites & Servers 03.2024 Audit-Report MetaMask Signing Snap Codebase & Build 03.2024 Audit-Report Rubic MetaMask Snap Codebase & Build 02.2024 Audit-Report BOB MetaMask Snap Codebase & Build 02.2024 Audit-Report SolidiFi Wallet Staking Feature 01.2024
2023 Pentest-Report Dedaub MetaMask Snap 12.2023 Audit-Report NIP44 Implementations 11.-12.2023 Pentest-Report Obsidian Client Software 11.2023 Summary-Report Obsidian Client Software 11.2023 Pentest-Report Tuum Hedera Wallet Snap 11.2023 Pentest-Report Tunnelbear VPN & Software 10.-11.2023 Pentest-Report KryptoGO Web, Mobile & API 10.-11.2023 Pentest-Report Safeheron WASM MPC & MetaMask Snap 09.2023 Review-Report Passbolt DirectoryTree LdapRecord 07.2023 Pentest-Report Tuum MetaMask Identify Snap 07.2023 Pentest-Report Walletchat MetaMask Snap 07.2023 Pentest-Report Silence Laboratries MetaMask Snap 06.-07.2023 Pentest-Report Silence Laboratries Web & Mobile Apps 06.-07.2023 Pentest-Report Psiphon Conduit Library 06.2023 Pentest-Report Proton Pass Browser Addon, Apps & API 05.-06.2023 Pentest-Report authentik IdP Web, API & SSO 05.2023 Pentest-Report Passbolt SSO, API & Addon 02.-03.2023 Pentest-Report IVPN Gateway, Server & Setup 02.2023 Audit-Report Stealth Address Implementation 02.2023 Summary-Report SolidiFi Wallet Mobile Apps 02.2023 Audit-Report Privy.io Shamir Secret Sharing Library 02.2023 Audit-Report micro-btc-signer TS Library 01.2023    
2022 Summary-Report NEW WORK SE Identeco Integration 12.2022 Pentest-Report ExpressVPN Lightway 10.-11.2022 Audit-Report Silence Laboratries ECDSA library.pdf 10.2022 Pentest-Report Tunnelbear VPN & Software 10.2022 Pentest-Report NordVPN NordVPN Server & Infra 09.-10.2022 Pentest-Report NordVPN Apps & Add-ons 07.-08.2022 Pentest-Report ExpressVPN Keys Browser Extension 09.-10.2022 Pentest-Report ExpressVPN Browser Extension 09.-10.2022 Pentest-Report ExpressVPN iOS Client 08.-09.2022 Pentest-Report ExpressVPN Android Client 08.2022 Pentest-Report ExpressVPN Linux Clients 07.-08.2022 Review-Report Passbolt Crypto 07.2022 Pentest-Report ExpressVPN MacOS Client 06.-07.2022 Pentest-Report ExpressVPN Aircove 06.-07.2022 Pentest-Report ExpressVPN Trusted Server 04.-05.2022 Summary-Report RealVNC VNC Connect 01.-05.2022 Summary-Report SonarQube Web UI & API 03.2022 Summary-Report Opera VPN Server & Clients (Opera) 03.2022 Pentest-Report 1Password Mobile Apps 02.-03.2022 Summary-Report Cake DeFi Web UI & API 02.2022 Pentest-Report IVPN Apps & Daemon (IVPN) 02.2022 Audit-Report TypeScript ed25519 Libraries 02.2022 Audit-Report Rust crypto_secretbox & crypto_box Libraries (Threema) 02.2022  
2021 Pentest-Report Passbolt Mobile App & API 11.-12.2021 Pentest-Report 1Password Core 11.-12.2021 Audit-Report TypeScript Hashing Libraries 12.2021 Pentest-Report Tunnelbear VPN & Software 11.2021 Pentest-Report PGPainless 11.2021 Summary-Report SonarCloud Web UI & API 11.2021 Pentest-Report Psiphon api-gatekeeper 11.2021 Pentest-Report 1Password B5 Web Application 10.2021 Summary-Report SonarQube Web UI & API 10.2021 Pentest-Report Passbolt Extension Integration 08.2021 Pentest-Report Towo Bifrost Wallet 06.2021 Pentest-Report Passbolt Backend & Plugins 065.2021 Review-Report Turbo Tunnel (UCB) 04.2021 Summary-Report SonarQube Data Center Edition 04.2021 Review-Report noble-secp256k1 Library 04.2021 Pentest-Report Passbolt Browser Extensions 04.2021 Pentest-Report Swarm 03.-04.2021 Pentest-Report Pomerium 03.2021 Pentest-Report Mozilla VPN Apps & Client (Mozilla) 03.2021 Review-Report ExpressVPN Lightway Protocol 03.2021 Pentest-Report VeePN Browser Extension 03.2021 Review-Report Passbolt Security Whitepaper 02.2021    
2020 Pentest-Report Mullvad VPN & Servers 11.-12.2020 Pentest-Report Contour (CNCF) 11.2020 Pentest-Report php-saml-sp (DeIC) 10.-11.2020 Pentest-Report Tunnelbear VPN & Software 10.2020 Pentest-Report 1Password B5 Web Application 10.2020 Pentest-Report Threema Mobile Apps 10.2020 Pentest-Report ChubaoFS (CNCF) 08.-09.2020 Pentest-Report Thunderbird & RNP (MOSS) 08.2020 Pentest-Report node_exporter (CNCF) 07.2020 Pentest-Report Psiphon psipy Library 07.2020 Pentest-Report GovTech FormSG Web & API 07.2020 Pentest-Report Dapr 06.2020 Audit-Report Monocypher Crypto Library (OTF) 06.2020 Pentest-Report rustls (CNCF) 05.-06.2020 Pentest-Report Mullvad Apps, Clients & API 05.2020 Pentest-Report Request Network 05.2020 Pentest-Report TiKV (CNCF) 02.2020 Audit-Report Safing Jess Crypto-Library 01.2020 Pentest-Report FlowCrypt (OTF) 01.2020
White Papers Cure53 Browser Security White Paper ECMAScript 6 for Penetration Testers X-Frame-Options: All about Clickjacking?
Tools DOMPurify HTTPLeaks HTML5 Security Cheatsheet
Academic Papers DOMPurify: Client-Side Protection Against XSS and Markup Injection Ex­pe­ri­ence Re­port: An Em­pi­ri­cal Study of PHP Se­cu­ri­ty Me­cha­nism Usage ECMAScript 6 for Penetration Testers - How the new JS changes Web- and DOM Security Static Detection of Second-Order Vulnerabilities in Web Applications Code Reuse Attacks in PHP: Automated POP Chain Generation Script­less Ti­ming At­tacks on Web Brow­ser Pri­va­cy X-Frame-Options: All about Clickjacking? Simulation of Built-in PHP Features for Precise Static Code Analysis mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations SS-FP: Browser Finger­printing using HTML Parser Quirks Scriptless Attacks – Stealing the Pie Without Touching the Sill On the Fragility and Limitations of Current Browser-provided Cli­ck­ja­cking Pro­tec­tion Sche­mes Crouching Tiger – Hidden Payload: Security Risks of Scalable Vectors Graphics The Bug that made me President: A Browser- and Web-Security Case Study on Helios Voting Ice­Shield: Detection and Miti­ga­ti­on of Malicious Websites with a Frozen DOM All Your Clouds are Be­long to us – Se­cu­ri­ty Ana­ly­sis of Cloud Management Inter­faces
Presentations & Talks Exploiting the unexploitable with lesser known browser tricks An Abusive Relationship with AngularJS Copy & Pest – A case-study on the clipboard, blind trust and invisible cross-application XSS ECMAScript 6 from an Attacker's Perspective – Breaking Frameworks, Sandboxes & everything else In the DOM, no one will hear you scream – A journey into the moldy layer between HTML and JS JSMVCOMFG – To sternly look at JavaScript MVC and Templating Frameworks The innerHTML Apocalypse – How mXSS attacks change everything we believed to know so far Scriptless Attacks – Stealing the Pie without touching the Sill The Image that called me – Active Content Injection with SVG Files Locking the Throne Room – How ES5+ will change XSS and Client Side Security
Team Meet the Cure53 Team
Dr.-Ing. Mario Heiderich mario@cure53.de | PGP Dipl.-Ing. Alex Inführ alex@cure53.de | PGP MSc. Sebastian Moritz seba@cure53.de | PGP Maxim Rupp rupp@cure53.de | PGP MSc. Dario Weißer dario@cure53.de | PGP Dr. Marta Conde marta@cure53.de | PGP Dr. Alexander Pirker apirker@cure53.de | PGP Jesper Larsson jesper@cure53.de | PGP BSc. (Hons) Edwin "EdOverflow" Foudil ed@cure53.de | PGP
MSc. Robin Peraglie robin@cure53.de | PGP BSc. Benjamin Walny benjamin@cure53.de | PGP MSc. Johannes Moritz johannes@cure53.de | PGP Mohan "S1r1us" Pedhapati s1r1us@cure53.de | PGP Masato Kinugawa masato@cure53.de | PGP MSc. Fabian Fäßler fabian@cure53.de | PGP MSc. Nikolai Krein niko@cure53.de | PGP Dr. Nadim Kobeissi nadim@cure53.de | PGP Dr. hab. Paula Pustułka paula@cure53.de | PGP
Jack Rudy Walker Smith jack@cure53.de | PGP Norman Hippert norman@cure53.de | PGP MSc. Elyas Damej elyas@cure53.de | PGP BSc. Christopher Kean chris@cure53.de | PGP Michael Wege mike@cure53.de | PGP Julian Hector julian@cure53.de | PGP Martin Elrod martin@cure53.de | PGP BSc. Felix Heiderich felix@cure53.de | PGP
Contact For business enquiries
please contact
hello@cure53.de

Email hello@cure53.de Telephone +49 1520 8675 782

We speak PGP and S/MIME

Address Cure53,
Dr.-Ing. Mario Heiderich
Wilmersdorfer Str. 106
D-10629 Berlin
Germany

Links Home Services Publications Team Contact Impressum Datenschutz

Socials X / Twitter Mastodon LinkedIn Github Keybase

Payment As well as the usual, we also accept Bitcoin (BTC), Bitcoin Cash (BCH), Ripple (XRP) and Ethereum (ETH).

Bill.com, Deel and Veem also work for us.

Insurance During our assignments we are insured by the Gothaer Allgemeine Versicherung AG

Legals Tax-ID: 24/336/01163
VAT: DE-275774772