A brief description of how Mobile Me allows access to its file listings and how to interpret them.

The description of how I wrote a tool to brute force bucket names from the Amazon S3 system and then take it a step further.

Using decompression to avoid filters - Decompressing data to get it past filters such as IDS.

Analysis of the content I found when trawling Amazon's buckets looking for public information.

When I bought an IP camera to watch by daughters cot I didn't expect to end up writing tools to find others around the world, I also didn't expect it to be so poorly secured.

About once a fortnight I get a request to write an article for Hakin9 or one of its sister publications, this article details my attempts to stop this spam.

A story of how I tracked down a Cross-Site Scripting issue by overriding the built in alert function to trigger a breakpoint.

File Disclosure Browser, an application to parse files such as .DS_Store to reveal otherwise unlinked files on web sites.

Three times in the past few months I've been asked by clients to retest previous findings to see if they have been successfully fixed. One of the reports I was given was one I'd written, the other two were by other testers. For my report I couldn't remember anything about the test, reading the report gave me some clues but I was really lucky and found that I'd left myself a test harness in the client's folder fully set up to test the vulnerability. One of the other two was testing for a vulnerability I'd never heard of and couldn't find anything about on Google. I finally tracked down the original tester and it turns out there is a simple tool which tests for the issue and one command line script later the retest was over. The final issue was one that I knew about but had a really good write up that, even if I'd not heard of it, had a full walk through on how to reproduce the test.

This post accompanies the post A 101 on Domain Fronting and in it we are going to setup both a site to use for domain fronting and then a fronted site.

I see a lot of requests for technical help with tools and projects, some good, some bad. This post covers what I like to see when someone asks a question.

Karma was originally written for Madwifi and I then updated it to work with Madwifi-ng. This update adds the same functionality to hostapd.

When doing reconnaissance on clients it is often useful to try to identify other websites or companies who are related to your target. One way to do this is to look at who is managing the Google Analytics traffic for them and then find who else they manage. There are a few online services which do this, the probably best known being ewhois, but whenever you use someone else's resources you are at their mercy over things like accuracy of the data and coverage, especially if you are working for a small client who hasn't been scanned by them then you won't get any results. This is where my tracker tracking tool comes in. The tool is in two parts, the first uses the power of the nmap engine to scan all the domains you are interested in and pull back tracking codes, these are then output in the standard nmap format along with the page title. I've then written a second script which takes the output and generates a grouped and sorted CSV file which you can then analyse.

Spidering SpiderOak - By looking at the differences between responses it is possible to enumerate valid account names and then shares on the SpiderOak network. This post covers how I researched this, the findings and how it could be fixed.

Given a IP address calculate the top and bottom of its available subnet range

A Pipal analysis of the Manga Traders password dump, some interesting results when looking at demographics and reuse of username/email addresses as passwords.

Have you ever logged in to a box, started running commands, and then remembered the bash history will be logging everything you run. I've done it occasionally so thought I should do some research on what the options are. This post covers what I came up with, please get in touch if you have any other ideas.

A little trick to extract stored FTP details by setting up a fake server then capturing the clear text.

I've just added a new challenge to the lab looking at exploiting the none algorithm. For more information, and a walk through, see .