I want my blog to reach as wide an audience as possible and to help with that, I'm asking for my readers to make suggestions for changes which will help make the site more accessible.

Tiger Scheme Check Team Member Exam - A review of the Check Team Member exam.

How I got involved in yet another new project, this time the PenTester Scripting community wiki

A story of how Christmas generosity in sharing his backup plan resulted in a friend's files being accessible by all his family.

Asking the question, when it is acceptable to miss a vulnerability on a test.

I've just got back from BruCON 2012 where I started the week with the Corelan Live - Win32 Exploit Development Bootcamp. A lot of people asked about the course and what it covered so I've put this together.

Imagine the scenario, you are testing a site running an open source package but not sure what version and need to find out. The site does not include any helpful comments in the HTML and there is no README file. The package isn't a popular one so none of the regular fingerprinting apps recognise it, what can you do? Call in Sitediff, it takes a local directory of files and then requests each of them from the target site and reports back on what it finds.

A custom wordlist generator that creates permutations of all the input words as well as just manipulating them individually.

Do you know what the VM or live CD you have just downloaded really contains and if you don't, how do you find out?

HTTP Banner grabbing beyond the root, where do you do your web banner grabbing?

A walkthrough of a process which allows off the shelf hardware to automatically acquire a valid TLS certificate on startup.

I've spent the day testing an app which disables the right click context menu, this makes testing tricky so I found a one liner which I could drop into the browser console to re-enable it for me.

The results of a small experiment to see what my heart rate was like during my SANS instructor murder board.

I've been meaning to build a ModSecurity lab for a while and seeing as I had some free time I decided it was about time to do it and to document it for everyone to share. The lab I built uses an up-to-date version of ModSecurity with a rule set taken from the SpiderLabs github repo and, so there is something to attack, I've included DVWA.

An offer to take some friends running during SteelCon 2019.

I'm going to be doing some AP testing and this is a small part of the collection.

The following article is part two of my introduction to ZAP and testing WebSockets, in this episode I'll cover fuzzing. If you've not used ZAP before I suggest you look at some of the official tutorials first - ZAP home page, Videos. You can find my first part here OWASP ZAP and Web Sockets. The testing is being done against a small WebSockets based app I wrote called SocketToMe which has a few published services along with a few unpublished ones. In this article we are going to look at one of the published ones and try to identify some of the unpublished ones. The first feature I'll investigate is the number guessing game. Here the system picks a random number between 1 and 100 and you have to guess it. I'm going to cheat and see if I can get ZAP to play all 100 numbers for me to go for a quick win.

This Micro SD reader is so small it is only just larger than the USB connector it is built on

This scan result beats any I've seen from Nessus, Nikto or Nmap. I'm going to be a daddy!