Positive Security
Holistic IT security research & consulting
Positive Security
Holistic IT security research & consulting
Quick -  Proper - Thorough
Our work is thorough - we are driven by curiosity to explore the whole picture.

Who we are

We're a team of highly skilled IT security professionals dedicated to tackling the most diverse and complex problems in the industry.

Learn More

What we do

With a holistic mindset, we provide a wide range of offensive and defensive IT security services. From hacking your website, company or IoT device, to implementing security features in your app, we help you drive positive change in your organization.

Learn More
Ransacking your password reset tokens
January 26, 2023

We demonstrate how the popular "Ransack" library (Ruby on Rails) can be abused to exfiltrate sensitive data via character by character brute-force, allowing for a full application compromise in some cases. An internet wide search identifies several hundred potentially vulnerable applications.

urlscan.io's SOAR spot: Chatty security tools leaking private data
November 2, 2022

We explore the security service urlscan.io and showcase through various "dorks" that their searchable scan database is a treasure trove of URLs pointing to sensitive user information, allowing account takeover, and much more. Part of the data has been leaked in an automated way by other security tools (SOARs) that accidentally made their scans public.

From XSS to RCE (dompdf 0day)
March 16, 2022

Using a still unpatched vulnerability in the PHP library dompdf (used for rendering PDFs from HTML), we achieved RCE on a web server with merely a reflected XSS vulnerability as entry point.

More posts

Contact Us

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Or send an email to hi@positive.security