Our published works


Over the years, we have published technical papers, security tools and advisories to share our insights with the security community and the public.


  • Surf Jacking “HTTPS will not save you”: Attackers exploiting this vulnerability are able to hijack an HTTP session even when the victim and the attacker’s connection is encrypted using SSL or TLS.
  • The Extended HTML Form Attack Revisited: A generic security flaw which affects various web browsers such as Internet Explorer, Opera and Safari. This vulnerability allows attackers to launch Cross Site Scripting attacks by making use of non-HTTP protocols.

Open source and Free Tools


  • Storming SIP Security: An article published in the 02/08 issue of Hakin9. Why IP Phone Systems are the new target. How VoIP systems can be broken into or simply abused for Toll Fraud. What you can do to prevent this.
  • When best intentions go wrong: Debian OpenSSL vulnerability and how it affects the solutions that we (security professionals) recommend. Published on (IN)Secure Magazine.
  • Closing a can of worms: Tackling the assumption that network traffic cannot be intercepted or modified during transit. Published on (IN)Secure Magazine.
  • How security can hurt us: Spending more on security does not necessarily equal more security. Published on (IN)Secure Magazine.

Notable blog posts

Conference presentations

  • Kamailio World 2019 - The Various Ways Your RTC May Be Crushed (video)
  • Berlin RTC Meetup - WebRTC Infrastructure Security
  • Kamailio World 2018 - A tale of two RTC fuzzing approaches (video, slides)
  • Kamailio World 2017 - Listening By Speaking – An Under-Estimated Security Attack On Media Servers And RTP Relays (video)
  • Kamailio World 2016 - 9 Years Of Friendly Scanning And Vicious SIP (video)
  • HackPra 2013 - Webapp Exploit Payloads tools built for & during the job (video)
  • BSides London 2012 - Escalating privileges on common webapps (video)
  • Hack in the Box Malaysia 2011 - VoIP Security workshop: Attacking CUCM
  • IIT’s RTC Conference and Expo 2011 - Practical Fraud Attacks on VoIP Systems
  • SECURE 2011 Poland - Attacks on VoIP (Workshop)
  • AstriCon 2010 Washington DC - Just how vulnerable is your VoIP system?
  • Hackcon Norway 2010
  • Hackito Ergo Sum France 2010 - Attacking VoIP; attacks and the attackers
  • Troopers 2009 - The Truth about Web Application Firewalls (video)
  • Shakacon 2009 - Web Application Firewalls: What the vendors do not want you to know
  • OWASP Europe 2009 - Web Application Firewalls
  • Ph-neutral 2009 - Web Application Firewalls
  • BruCON Belgium 2009 - VoIP pentesting workshop
  • Hack.lu Luxembourg 2009 - VoIP pentesting workshop
  • CONFidence Krakow 2009 - Scanning the Intertubes for VOIP (pdf)
  • SEC-T Sweden 2009 - Scanning the Intertubes for VOIP (video)