Skip to main content


Slack SAML authentication bypass

tl;dr  I found a severe issue in the Slack's SAML implementation that allowed me to bypass the authentication. This has now been solved by Slack.
Introduction IMHO the rule #1 of any bug hunter (note I do not consider myself one of them since I do this really sporadically) is to have a good RSS feed list.  In the course of the last years I built a pretty decent one and I try to follow other security experts trying to "steal" some useful tricks. There are many experts in different fields of the security panorama and too many to quote them here (maybe another post). But one of the leading expert (that I follow) on SAML is by far Ioannis Kakavas. Indeed he was able in the last years to find serious vulnerability in the SAML implementation of Microsoft and Github. Usually I am more an "OAuth guy" but since both, SAML and OAuth, are nothing else that grandchildren of Kerberos learning SAML has been in my todo list for long time. The Github incident gave me the final…
Recent posts

How to try to predict the output of Micali-Schnorr Generator (MS-DRBG) knowing the factorization

The article was modified since its publication. Last update was 09/10/2017 

tl;dr in this post we are going to describe how to try predict the output of Micali-Schnorr Generator (MS-DRBG)  knowing the factorization of the n value. If this sounds like, "why the hell should I care?", you might want to give a look at this great post from Matthew Green about the backdoor in Dual_EC_DRBG. But In a nutshell, quoting Matthew Green : Dual_EC_DRBG is not the only asymmetric random number generator in the ANSI and ISO standards (see at the bottom).   it’s not obvious from the public literature how one would attack the generator even if one knew the factorization of the n values above. What I am NOT claiming in this post though is that there is a backdoor in one of this standard.

The first time I heard about this problem is about couple of weeks ago via this Matthew's tweet: As a curiosity, the NSA didn’t just standardize Dual EC, they also standardized a second sketchy …

CVE-2017-7781/CVE-2017-10176: Issue with elliptic curve addition in mixed Jacobian-affine coordinates in Firefox/Java

tl;dr Firefox and Java suffered from a moderate vulnerability affecting the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result POINT_AT_INFINITY when it should not.

Few months ago I was working on a vulnerability affecting the internet standard JWE (slides here) and I got a stroke of luck. Yuppieeee  Basically I was constructing the malicious JWEs needed for the Demo Attack. When something weird happened :S
You can try and share with me the surprise I had, the gist is here

If you try to execute this class with Java 1.7 you basically have

Exception in thread "main" java.lang.IllegalStateException
    at Method)
    at javax.crypto.KeyAgreement.generateSecret(
    at orig.EccJava.getAgreedKey(
    at orig.EccJava.main(


Analisi dei dump di Rousseau (Movimento Cinque Stelle) - Parte I: password

Disclaimer Questo blog post e' scritto da evariste.gal0is ed Antonio Sanso. Entrambi gli autori non hanno nessuna affiliazione politica ed il post ha l'unico scopo di fornire un'analisi tecnica di parte dei dump relativa alle password.
Riassunto delle puntate precedenti
In data 2 agosto 2017 uno dei coautori di questo blog post  (evariste.gal0is) ha segnalato
Il sito Rousseau del M5S è vulnerabile, voti e dati personali degli iscritti sono tutti a rischio #Hack5Stelle — evariste.gal0is (@evaristegal0is) August 2, 2017 una severa vulnerabilita' (del tipo SQL injection) che affligeva la piattaforma del Movimento Cinque Stelle chiamata Rousseau: . La sua segnalazione riceve una notevole copertura mediatica e minacce di querela da parte del  Movimento Cinque Stelle* (cosa che spinge  evariste.gal0is a prendere temporaneamente una pausa). Nel frattempo un black hat hacker che si fa chiamare rogue0 viola nuovament…

Historical courses and resorts in Elliptic Curves Cryptography - Is Curve25519 dead?

tl;dr This short blog post serves to me to recollect some of the thing I have been learning (climbing) about Elliptic Curves Cryptography (ECC from now on) during the last months/years, so please take it with a grain of salt since it might contains some erroneous beliefs.

'80 - Introduction Giambattista Vico  was an Italian political philosopher and rhetorician, historian and jurist, of the Age of Enlightenment famous (also) for the concept of historical courses and resorts. This can be resumed with: "some events are repeated in the same way even after a long time;and this is not by chance". Well it seems that this might also applies to ECC so he maybe he was right :)
Elliptic Curve made its first appearance in cryptography with Lenstra in 1984 (eventually published in 1987). Curiously enough he introduced them not while trying to come up with a new crypto system but he employed EC in order to factor integers (a side note, there is a really beautiful survey about…

Cross-origin brute-forcing of Github SAML and 2FA recovery codes

Yesterday while reading my Twitter stream I found this interesting article about  downloading GitHub SSO bypass codes. Same as Yasin Soliman I was invited to a Github pre-release of the organisation SAML single sign-on (SSO) private program. And same as him I found an issue in the same endpoint. So I thought to write a quick blog post about it. Github already published a tl;dr about this,

 I will try to fill the blanks here.

As mentioned by Yasin, Github offers an endpoint where privileged users can recover bypass codes. These recovery codes were accessible for download as plaintext and had the content-type as text/plain, something like:

What immediately caught my attention was that the format of the code forms (with some exceptions) a valid JavaScript file with lines in the format of XXXXX-XXXXX, ten hex digits separated by a hyphen. This is interpreted in JavaScript as the subtraction of two variables! This remember an old blog post of mine where I could possibly exfiltrate informa…

OAuth Worm II - The revenge

We all know about this massive Google Doc Phishing Attack that hit about 1 million accounts right?

Well this really "sophisticated attack" (really??) was based on a really spread Internet procol named OAuth. It also turns out that during the early stage of the standardization someone reported this very own attack vector but as often happens he was ignored. 

Back in 2015 I also reported another "hidden feature"

 of OAuth that turns an OAuth server into an open redirector that makes phishing a piece of cake.

Yesterday I was twitting about this and today I decided to imitate Eugene Pupov (lol) and work on my master thesis project. So this is the resulting mail. Have fun:

Fret not, go ahead and click and you will be redirected to:

that is not a Github page but is rather controlled by me.
Well that's all folks. For more OAuth phishing follow me on Twitter
P.S. for the record me and some other folks from the OAuth working group proposed a draft  (3 years ago!!!) t…