TSS - Trusted Security Services
TSS is a leading cyber security company founded by former Australian Government security specialists. This blog is a way for TSS staff to contribute back to the security industry.
NOC NOC. Who’s there? Your NMS is pwned.
By xerubus
TSS
Apr 8, 2020
Penetration testing & window.opener — XSS vectors part 2
tldr; opener.location.* and the onhashchange event are XSS vectors. XSS exists in old versions of reveal.js.
Josh Graham
Jun 3, 2019
CTF Writeup — You Shall Not Pass
BSides Canberra 2019 — Reverse Engineering
Tom
Mar 18, 2019
Under Cover of Darkness
Practical considerations for (legally) breaking and entering.
Tom
Feb 12, 2019
BloodHound.xpab — Applocker bypass
A few weeks ago I created a proof of concept XAML browser application (XBAP) that demonstrates Presentationhost.exe bypassing default…
Josh Graham
Feb 11, 2019
Cyberlympics 2018 — Finals
Wherein the team travels to Atlanta to open a padlock without touching it.
Tom
Jan 21, 2019
Multiple Security Vulnerabilities in Dell EMC Avamar
In this post I’ll cover four different CVEs identified by myself and a colleague from TSS.
Jarrod Farncomb
Jan 7, 2019
Penetration testing & window.opener — XSS vectors part 1
This is the first part of a four part series discussing security concepts related to the JavaScript opener variable (almost all the…
Josh Graham
Dec 3, 2018
Cyberlympics 2018 — DNS covert channel
I was fortunate enough to participate in the Cyberlympics this year with the TSS CTF team. There was some tough competition and after…
Josh Graham
Nov 8, 2018
XSS in Dynamics 365
I recently tested an application hosted within Microsoft’s Dynamics 365 online services platform. During the test I discovered a…
Tim Kent
Nov 5, 2018
AppLocker Bypass — presentationhost.exe
Presentationhost.exe appears on several AppLocker whitelist bypass lists (e.g. api0cradl and milkdevil) but I wasn’t able to find any good…
Josh Graham
Oct 19, 2018
Pentesting and .hta (bypassing PowerShell Constrained Language Mode)
When I’m on an engagement and I’m given a SOE and a domain account, I usually want to use a tool like PowerShell Empire to remotely…
Josh Graham
Oct 4, 2018
BlueHat 2018 CTF
I had the chance to play Jonathan Bar Or’s BlueHat CTF this year. Because I didn’t know anyone, I asked to be allocated to a random team…
Josh Graham
Oct 1, 2018
Cyberlympics 2018
Earlier in August, the remaining TSS team members who weren’t representing in Vegas for DEF CON competed in the Global Cyberlympics 2018…
Jeremy Goldstein
Aug 23, 2018
DEF CON 2018
TSS will be representing in the Las Vegas area for #HackerSummerCamp this year, with a few of our team members speaking at the various…
Glenn 'devalias' Grant
Aug 8, 2018
Adversary Mindset
TSS' Inaugural Red Team Training
Tom
Jul 31, 2018
The “billion silent laughs” attack — That time Incapsula was vulnerable to a DoS attack
By Joshua Graham (@JPG1nc)
TSS
Jun 25, 2018
Ruxcon 11 [Pwnable 2] Write Up
By Tom Ravenscroft - Small batch artisanal hax0r and security specialist
TSS
Jan 31, 2018
Atlassian Confluence: Cross-Site Scripting (XSS) (CVE-2017-16856)
Earlier this year I spent some time delving into Atlassian Confluence to see if I could dig up any bugs that had slipped through the…
Glenn 'devalias' Grant
Dec 4, 2017