Vulnerability testing
SaToSS is focused on formalizing and applying formal reasoning to real-world security problems and trust issues.
In the framework of our research, we perform vulnerability testing of existing systems. In executing and reporting these tests, we follow our internal code of conduct with respect to vulnerability testing.
The tests have been executed and reported by Sjouke Mauw and Matthijs Melissen.
Below, we give a selection of anonymized incident reports.
- (January 2012) We discovered a vulnerability in an online promotional
lottery organized by a Luxembourgish company. We discovered that adversaries can
'win' the lottery without possessing the winning lot by modifying the parameters
in the URL. In order to prevent the risk of a potential financial loss for the
company, we reported the problem to the organisation, who confirmed the problem.
- (February 2012) We discovered an SQL injection vulnerability in a
Luxembourgish governmental website. Moreover, we discovered that as a
consequence of this vulnerability, more than 100 other websites that were hosted
on the same server, among which some were closely linked to the government,
critical infrastructures or sensitive sectors, were vulnerable as well. When
exploited by an adversary, this vulnerability could potentially have the
following negative consequences: the disclosure of user names and passwords of
user accounts of several websites; the disclosure of confidential data stored on
the databases of these websites; the possibility for unauthorized outsiders to
change data (loss of integrity).
To prevent these risks, we reported this vulnerability to GOVCERT.LU (the
Luxembourgish governmental Computer Emergency Response Team). GOVCERT.LU
acknowledged the vulnerability, and reported it to the provider hosting the
vulnerable websites.
- (March 2012) We discovered a SQL injection vulnerability in a website of
a European institution. The vulnerability could potentially lead to loss of
confidentiality, integrity and availability of this website when exploited by a
malicious attacker. We reported this vulnerability to GOVCERT.LU and to CERT.EU.
Both acknowledged the vulnerability.
- (June 2012) We discovered a SQL injection vulnerability in a Dutch
governmental institution. The vulnerability could potentially lead to loss of
confidentiality, integrity and availability of this website when exploited by a
malicious attacker. We contacted GOVCERT.LU, who reported it to the Dutch
governmental CERT, which led to the vulnerability being solved.
- (June 2012) We discovered a problem in the e-mail configuration of a
Luxembourgish governmental institution, which allowed us to sign arbitrary text
with the PGP key of this organisation. The vulnerability could lead to
reputational damage and damage to third parties when exploited by a malicious
party. We reported this problem to the institution and to the vendor of the
software used. The institution subsequently changed their configuration, and the
software vendor has adapted their software to avoid this vulnerability.
- (July 2012) We discovered a SQL injection vulnerability in a website of a
European institution. The vulnerability could potentially lead to loss of
confidentiality, integrity and availability of this website when exploited by a
malicious attacker.
We reported this vulnerability to GOVCERT.LU, who acknowledged the
vulnerability.