This repo contains almost all of Cure53's publications and papers. Click "watch" to get an e-mail once we publish something fresh.
- Pentest-Report Forward Email Architecture & Infrastructure 05.2026
- Pentest-Report EventVPN Architecture & Software 02.-03.2026
- Pentest-Report ExpressVPN ExpressMailGuard Service 02.-03.2026
- Pentest-Report PDFgear Desktop App & Codebase 02.-03.2026
- Pentest-Report ExpressVPN ExpressAI Client, Crypto & Infrastructure 03.2026
- Pentest-Report ExpressVPN Identity Defender 03.2026
- Summary-Report Aurorium Apps, Admin & API 03.2026
- Summary-Report Tangem Mobile Wallet Cryptography, SDK & Application Q4 2025
- Pentest-Report Dive CAE Web UI, API & Infra 09.2025
- Summary-Report IDZ Crypto Libraries, Mobile & Web 09.2025
- Audit-Report Project 11 Crypto Web UI & Backend 06.2025
- Pentest-Report Project 11 Web App UI, API & Infra 06.2025
- Summary-Report Tequity Web App UIs, Games, APIs & Infra 05.2025
- Pentest-Report InFlux ZelCore Addon, Mobile & Desktop Wallet Apps 01.-02.2025
- Pentest-Report Raspberry Pi Web Applications, Client App & Infra 01.2025
- Audit-Report Tuum Hedera Identify Snap & Codebase 01.2025
- Audit-Report Coinbase cb-mpc Library Crypto 12.2024
- Audit-Report ExpressVPN Lightway Protocol 10.-11.2024
- Pentest-Report ExpressVPN Aircove Firmware 11.2024
- Pentest-Report KeePassium iOS Apps & Crypto 10.2024
- Audit-Report Greymass Antelope Snap & Codebase 09.2024
- Audit-Report Tuum Hedera Wallet Snap & Codebase 09.2024
- Pentest-Report Obsidian Clients & UI 09.2024
- Pentest-Report Obsidian Sync API, Server & Crypto 09.2024
- Summary-Report Obsidian Clients & UI 09.2024
- Summary-Report Obsidian Sync API, Server & Crypto 09.2024
- Audit-Report Paul Miller Noble Crypto Libraries 08.2024
- Pentest-Report Tuum AuthFlow Snap & Codebase 08.2024
- Audit-Report Nym Mobile & Desktop, VPN, Infra & Cryptography 07.2024
- Pentest- & Review-Report ODK Mobile Apps, Server & Threat Model 07.2024
- Pentest-Report Mullvad VPN Relay-Infrastructure 06.2024
- Pentest-Report Psiphon Conduit Integration Codebase 04.-05.2024
- Pentest-Report ExpressVPN VPN Browser Extension 05.2024
- Pentest-Report Psiphon Tunnel Core Codebase 05.2024
- Audit-Report Distrust Keyfork Toolkit & Library 04.2024
- Pentest-Report Hedera Wallet Snap & Sources 04.2024
- Audit-Report Kyraview MetaMask Stellar Snap 04.2024
- Pentest-Report Passbolt UWP Windows App 03.2024
- Pentest-Report MetaMask Signing Snap & Codebase 03.2024
- Pentest-Report IVPN Customer Website & Servers 03.2024
- Audit-Report BOB MetaMask Snap Codebase & Build 02.2024
- Audit-Report Rubic MetaMask Snap Build & Codebase 02.2024
- Summary-Report Obsidian Clients & UI 01.2024
- Pentest-Report KryptoGO Mobile, API & Infra 01.2024
- Audit-Report SolidiFi Wallet Staking Feature 01.2024
- Pentest-Report Threema Desktop App 01.2024
- Audit-Report NIP44 Implementations 11.-12.2023
- Audit-Report Dedaub MetaMask Snap Code & Build 12.2023
- Pentest-Report Obsidian Clients & UI 11.2023
- Pentest-Report Tuum Hedera Wallet Snap & Code 11.2023
- Pentest-Report TunnelBear VPN Clients & Servers 10.-11.2023
- Pentest-Report Safeheron WASM MPC & Snap 09.2023
- Pentest-Report Silence Laboratories Silent Shard Mobile App, Web & Cloud 06.-07.2023
- Pentest-Report Silent Shard Snap 06.-07.2023
- Pentest-Report Tuum MetaMask Identify 07.2023
- Pentest-Report WalletChat MetaMask Snap 07.2023
- Audit-Report Passbolt DirectoryTree LdapRecord 07.2023
- Pentest-Report Proton Pass Browser Addon, Apps & API 05.-06.2023
- Pentest-Report Psiphon Conduit Library 06.2023
- Pentest-Report authentik IdP Web, API & SSO 05.2023
- Audit-Report ente Crypto Design & Code 02.-03.2023
- Pentest-Report Passbolt SSO, API & Add-On 02.-03.2023
- Summary-Report SolidiFi Wallet Mobile Apps 01.-02.2023
- Audit-Report Stealth Address Implementation 02.2023
- Audit-Report Privy.io Shamir Secret Sharing 02.2023
- Pentest-Report IVPN Gateway, Server & Setup 02.2023
- Audit-Report micro-btc-signer TS Library 01.2023
- Summary-Report NEW WORK SE Identeco Integration 12.2022
- Pentest-Report ExpressVPN Lightway 10.-11.2022
- Pentest-Report TunnelBear VPN 10.-11.2022
- Pentest-Report ExpressVPN Keys Browser Extension 09.-10.2022
- Pentest-Report ExpressVPN VPN Browser Extension 09.-10.2022
- Pentest-Report NordVPN Server & Infra 09.-10.2022
- Audit-Report Silence Laboratories ECDSA Library 10.2022
- Pentest-Report ExpressVPN iOS App 08.-09.2022
- Pentest-Report ExpressVPN Linux Clients 07.-08.2022
- Pentest-Report NordVPN Apps & Add-ons 07.-08.2022
- Pentest-Report ExpressVPN Android Client App & Integrations 08.2022
- Pentest-Report ExpressVPN macOS Client 06.-07.2022
- Pentest-Report ExpressVPN Router Firmware (Aircove) 06.-07.2022
- Review-Report Passbolt Crypto Features 07.2022
- Summary-Report RealVNC VNC Connect 01.-05.2022
- Pentest-Report ExpressVPN TrustedServer 04.-05.2022
- Summary-Report SonarQube Web UI & API 03.2022
- Summary-Report Opera VPN Server & Clients (Opera) 03.2022
- Pentest-Report 1Password Mobile Apps 02.-03.2022
- Summary-Report Cake DeFi Web UI & API 02.2022
- Pentest-Report IVPN Apps & Daemon (IVPN) 02.2022
- Audit-Report TypeScript ed25519 Libraries 02.2022
- Audit-Report Rust crypto_secretbox & crypto_box Libraries (Threema) 02.2022
- Pentest-Report 1Password Core 11.-12.2021
- Audit-Report TypeScript Hashing Libraries 12.2021
- Pentest-Report Passbolt Mobile App & API 11.-12.2021
- Pentest-Report TunnelBear VPN 11.-12.2021
- Pentest-Report PGPainless 11.2021
- Summary-Report SonarCloud Web UI & API 11.2021
- Pentest-Report Psiphon api-gatekeeper 11.2021
- Pentest-Report 1Password B5 Web Application 10.2021
- Summary-Report SonarQube Web UI & API 10.2021
- Pentest-Report Passbolt Extension Integration 08.2021
- Pentest-Report Towo Bifrost Wallet 06.2021
- Pentest-Report Passbolt Backend & Plugins 06.2021
- Review-Report Turbo Tunnel (UCB) 04.2021
- Summary-Report SonarQube Data Center Edition 04.2021
- Review-Report noble-secp256k1 Library 04.2021
- Pentest-Report Swarm 03.-04.2021
- Pentest-Report Passbolt Browser Extensions 04.2021
- Pentest-Report Pomerium 03.2021
- Pentest-Report Mozilla VPN Apps & Client (Mozilla) 03.2021
- Review-Report ExpressVPN Lightway Protocol 03.2021
- Pentest-Report VeePN Browser Extension 03.2021
- Pentest-Report IVPN Apps & Daemon 03.2021
- Review-Report Passbolt Security White Paper 02.2021
- Pentest-Report Mullvad VPN & Servers 11.-12.2020
- Pentest-Report Contour (CNCF) 11.2020
- Pentest-Report php-saml-sp (DeIC) 10.-11.2020
- Pentest-Report Tunnelbear VPN & Software 10.2020
- Pentest-Report 1Password B5 Web Application 10.2020
- Pentest-Report Threema Mobile Apps 10.2020
- Pentest-Report ChubaoFS (CNCF) 08.-09.2020
- Pentest-Report Thunderbird & RNP (MOSS) 08.2020
- Pentest-Report node_exporter (CNCF) 07.2020
- Pentest-Report Psiphon psipy Library 07.2020
- Pentest-Report GovTech FormSG Web & API 07.2020
- Pentest-Report Dapr 06.2020
- Audit-Report Monocypher Crypto Library (OTF) 06.2020
- Pentest-Report rustls (CNCF) 05.-06.2020
- Pentest-Report Mullvad Apps, Clients & API 05.2020
- Pentest-Report Request Network 05.2020
- Pentest-Report Mullvad Apps, Clients & API (v1) 05.2020
- Pentest-Report TiKV (CNCF) 02.2020
- Audit-Report Safing Jess Crypto-Library 01.2020
- Pentest-Report FlowCrypt (OTF) 01.2020
- Summary-Report IVPN VPN, Server & Web 01.2020
- Pentest-Report runc (CNCF) 11.-12.2019
- Summary-Report TunnelBear 11.2019
- Pentest-Report Keycloak 11.2019
- Pentest-Report Helm (CNCF) 10.-11.2019
- Pentest-Report Standard Notes 10.2019
- Pentest-Report Harbor (CNCF) 10.2019
- Pentest-Report gRPC (CNCF) 10.2019
- Pentest-Report Psiphon Apps & Server 10.2019
- Pentest-Report libssh C Library (MOSS) 09.2019
- Analysis-Report "Study the Great Nation" Android App (OTF) 09.2019
- Pentest-Report Rancher Web & API 07.2019
- Pentest-Report Falco (CNCF) 07.2019
- Pentest-Report Linkerd2 (CNCF) 06.2019
- Pentest-Report Fluentd/Fluent-Bit (CNCF) 05.2019
- Pentest-Report Jaeger (CNCF) 05.2019
- Pentest-Report Peergos Crypto & Software 05.2019
- Analysis-Report Chinese Police App "Feng Cai" (OTF) 03.2019
- Pentest-Report Exodus iOS Mobile App 03.2019
- Audit-Report IVPN Privacy & No-Log 03.2019
- Pentest-Report Vitess (CNCF) 02.2019
- Analysis-Report Chinese Police App "IJOP" (HRW) 12.2018
- Pentest- & Audit-Report Jigsaw Outline 09.-12.2018
- Pentest-Report NATS (CNCF) 11.2018
- Pentest-Report containerd (CNCF) 11.2018
- Pentest-Report Surfshark 11.2018
- Pentest-Report Bitwarden 11.2018
- Pentest-Report ExpressVPN Extension 10.-11.2018
- Summary-Report TunnelBear 10.2018
- Pentest-Report CrypTech/DiamondKey 09.2018
- Pentest-Report Frame Electron App 09.2018
- Pentest-Report Mullvad VPN Clients 09.2018
- Pentest-Report Mullvad VPN Clients (v1) 09.2018
- Pentest-Report Open Policy Agent (CNCF) 08.2018
- Pentest-Report Cuckoo Sandbox 07.2018
- Pentest-Report Antradar Gyroscope 07.2018
- Pentest-Report MyCrypto App 06.2018
- Pentest-Report TUF/Notary (CNCF) 05.-06.2018
- Pentest-Report Prometheus (CNCF) 05.-06.2018
- Pentest-Report imToken Wallet 05.2018
- Pentest-Report Gravitational Teleport 05.2018
- Pentest-Report CoreDNS (CNCF) 02.-03.2018
- Pentest-Report Envoy Proxy (CNCF) 02.2018
- Pentest-Report Whistler (BAM) 02.2018
- Pentest-Report MyEtherWallet Website 01.2018
- Pentest-Report SimpleSAMLphp (MOSS) 11.2017
- Pentest-Report Thunderbird & Enigmail (MOSS) 09.2017
- Pentest-Report MetaMask 08.2017
- Pentest-Report Gravitational Telekube 08.2017
- Pentest-Report RememBear 08.2017
- Summary-Report TunnelBear 07.2017
- Pentest-Report Psiphon 07.2017
- Summary-Report Appendix TunnelBear 07.2017
- Pentest-Report Gravitational Teleport 04.2017
- Pentest-Report Briar Project App & Protocol (OTF) 03.2017
- Pentest-Report NTP (MOSS) 03.2017
- Pentest-Report NTPsec (MOSS) 03.2017
- Pentest-Report Ethereum Mist 11.2016
- Pentest-Report Dovecot (MOSS) 11.2016
- Pentest-Report Mozilla FxA 09.2016
- Pentest-Report cURL (MOSS) 08.2016
- Pentest-Report Access My Info (OTF) 05.2016
- Pentest-Report Padlock (OTF) 04.2016
- Pentest-Report libjpeg-turbo (MOSS) 01.2016
- Pentest-Report PCRE (MOSS) 10.2015
- Pentest-Report Peerio (OTF) 09.2015
- Pentest-Report SmartSheriff 2 (OTF) 10.2015
- Pentest-Report OpenKeychain (OTF) 08.2015
- Pentest-Report Nitrokey Storage Firmware (OTF) 08.2015
- Pentest-Report Nitrokey Storage Hardware (OTF) 05.2015
- Pentest-Report SmartSheriff (OTF) 07.2015
- Pentest-Report Cyph (OTF) 06.2015
- Pentest-Report SC4 06.2015
- Pentest-Report Whiteout 06.2015
- Pentest-Report StreamCryptor 04.2015
- Pentest-Report DOMPurify 02.2015
- Pentest-Report F-Droid / Bazaar (RFA) 01.2015
- Pentest-Report CaseBox (Code Audit) (RFA) 06.2014
- Pentest-Report CaseBox (Production) (RFA) 08.2014
- Pentest-Report miniLock (RFA) 07.2014
- Pentest-Report Clipperz (RFA) 04.2014
- Pentest-Report Onion Browser (RFA) 04.2014
- Pentest-Report OpenPGP.js (RFA) 03.2014
- Pentest-Report SecureDrop (FPF) 12.2013
- Pentest-Report Globaleaks (RFA) 06.2013
- Pentest-Report Mailvelope (RFA) 12.2012 – 02.2013
- Pentest Report Cryptocat 2 (RFA) 11.2012
- Cure53 Browser Security White Paper
- ECMAScript 6 for Penetration Testers - How the new JS changes Web- and DOM Security
- X-Frame-Options: All about Clickjacking?
- DOMPurify: Client-Side Protection Against XSS and Markup Injection
- Experience Report: An Empirical Study of PHP Security Mechanism Usage
- ECMAScript 6 for Penetration Testers - How the new JS changes Web- and DOM Security
- Static Detection of Second-Order Vulnerabilities in Web Applications
- Code Reuse Attacks in PHP: Automated POP Chain Generation
- Scriptless Timing Attacks on Web Browser Privacy
- X-Frame-Options: All about Clickjacking?
- Simulation of Built-in PHP Features for Precise Static Code Analysis
- mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations
- SS-FP: Browser Fingerprinting using HTML Parser Quirks
- Scriptless Attacks – Stealing the Pie Without Touching the Sill
- On the Fragility and Limitations of Current Browser-provided Clickjacking Protection Schemes
- Crouching Tiger – Hidden Payload: Security Risks of Scalable Vectors Graphics
- The Bug that made me President: A Browser- and Web-Security Case Study on Helios Voting
- IceShield: Detection and Mitigation of Malicious Websites with a Frozen DOM
- All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces
- Exploiting the unexploitable with lesser known browser tricks
- An Abusive Relationship with AngularJS
- Copy & Pest – A case-study on the clipboard, blind trust and invisible cross-application XSS
- ECMAScript 6 from an Attacker's Perspective – Breaking Frameworks, Sandboxes & everything else
- In the DOM, no one will hear you scream – A journey into the moldy layer between HTML and JS
- JSMVCOMFG – To sternly look at JavaScript MVC and Templating Frameworks
- The innerHTML Apocalypse – How mXSS attacks change everything we believed to know so far
- Scriptless Attacks – Stealing the Pie without touching the Sill
- The Image that called me – Active Content Injection with SVG Files
- Locking the Throne Room – How ES5+ will change XSS and Client Side Security