A brief description of how to crack Flask session cookies and an introduction to the Cracked Flask Lab.

The DNS server that WSL2 uses returns records in a different way to a normal DNS server and because of this I ended up trying to log into the wrong server. This is my quick analysis of what is different, and what it caused to happen.

Talking about a way I found to split XSS payloads over multiple inputs to bypass input length limitations and input filtering.

A story of how I tracked down a Cross-Site Scripting issue by overriding the built in alert function to trigger a breakpoint.

Another update to the Authlab, this time covering how to use John the Ripper and Hashcat to crack the keys used to sign JWTs. For more information, and a walk through, see JWT Cracking Authentication Lab.

Added a new lab to play with GraphQL. It includes a set of working examples of how to make and manipulate various queries and mutations, and then a set of challenges to test what you learned.

An offer to take some friends running during SteelCon 2019.

A walkthrough of a process which allows off the shelf hardware to automatically acquire a valid TLS certificate on startup.

A proof of concept demonstration to go with the blog post .

I was recently contacted by to help him with an XSS issue he was having problems with. Ryan knows his stuff, and if he was having problems with something, I knew it had to be a fun challenge. This blog post covers debugging quirks in browser behaviour and some information on how JavaScript URIs work.

A set of walkthroughs for the challenges set in my .

I want my blog to reach as wide an audience as possible and to help with that, I'm asking for my readers to make suggestions for changes which will help make the site more accessible.

In this post I'm going to discuss using HTTP pipelining to hide malicious HTTP requests. This is not domain fronting but uses similar techniques to get the same result, an observer who is not able to perform TLS interception is only able to see the "good" request which conceals the "bad" request.

Whether you think it is true 'domain fronting' or just something that is similar, this post walks through how Cloudflare use SNI to protect against attackers modifying the HTTP Host header and then how ESNI can be used instead to help ensure any 'bad' traffic goes unnoticed by observers.

Domain fronting has been around for years and I've always understood the concept but never actually looked at exactly how it works. That was until recently when I did some work with Chris Truncer who had us set it up as part of a red team test. That was the point I had to get down and understand the actual inner workings. Luckily Chris is a good teacher and the concept is fairly simple when it is broken down into pieces.

This post accompanies the post A 101 on Domain Fronting and in it we are going to setup both a site to use for domain fronting and then a fronted site.

Have you ever logged in to a box, started running commands, and then remembered the bash history will be logging everything you run. I've done it occasionally so thought I should do some research on what the options are. This post covers what I came up with, please get in touch if you have any other ideas.

A client had the requirement to allow users to upload SVG files to their web app, these files then had to be displayed. As SVG files can contain JavaScript and can be used for Cross-Site Scripting attacks, I had to do some investigating to find ways to allow them to do what they wanted safely.

This is a full walk through detailing how I would go through my challenge. There are probably plenty of other ways this can be done so don't take this as the only or best. If you do have a better way, please let me know.

In 2017, Pippa was learning about cryptography and set a couple of crypto challenges for the SteelCon kids track, this year we are working on logic gates so she has set a challenge based on that.

Using an invalid HTTP request to bypass rewrite rules in lighttpd and the story of how I found the problem.

A walk through from getting injection into an SNMP config file to getting a shell.

A copy of the slides from my dotnetsheff talk on HTTP security headers and cookies.

The slides and video from my talk at Wild West Hackinfest on programming by copying and pasting from Google.

Techniques using both raw JavaScript and jQuery to use XSS to grab a CSRF token and then submit the form it protects.

A write up on how a common mutual authentication scheme used by a number of banks can be easily proxied and turned against the bank.

Imagine the scenario, you are testing a site running an open source package but not sure what version and need to find out. The site does not include any helpful comments in the HTML and there is no README file. The package isn't a popular one so none of the regular fingerprinting apps recognise it, what can you do? Call in Sitediff, it takes a local directory of files and then requests each of them from the target site and reports back on what it finds.

There is lots of plagiarism goes on on the internet, unfortunately for Christian, he decided that he was happy to do it and accepted the risks it created.

The results of a small experiment to see what my heart rate was like during my SANS instructor murder board.