A custom wordlist generator that creates permutations of all the input words as well as just manipulating them individually

Pipal analysis of a password dump from a dating site.

Pipal analysis of 1800 passwords dumped from Minecraft

Pipal analysis of 13,000 passwords from the Lizard Squad dump.

Pipal analysis of of a password dump from the Neofriends dating site.

A short howto on removing the obfuscation added to non-default passwords by Nessus.

A write up of my recent experiences of getting clients involved during testing.

A short guide to exploiting POST based reflected XSS using CSRF and iframes.

Trying to understand why the EE web portal doesn't have a password change feature.

Asking the question, when it is acceptable to miss a vulnerability on a test.

I've spent the day testing an app which disables the right click context menu, this makes testing tricky so I found a one liner which I could drop into the browser console to re-enable it for me.

Here is a little trick I just learned about to help prevent things like API keys from ending up in your Git repo. I've mentioned it to a few Git loving developers who all claimed that it is obvious and that loads of people are already using it, but, as we regularly see keys in GitHub, I'd guess that its a case of what people know they should be doing verses what they are actually doing. The trick uses Git hooks to catch content pre-commit and block anything that it thinks is suspicious.

I see a lot of requests for technical help with tools and projects, some good, some bad. This post covers what I like to see when someone asks a question.

The results of a small experiment to see what my heart rate was like during my SANS instructor murder board.

There is lots of plagiarism goes on on the internet, unfortunately for Christian, he decided that he was happy to do it and accepted the risks it created.

Imagine the scenario, you are testing a site running an open source package but not sure what version and need to find out. The site does not include any helpful comments in the HTML and there is no README file. The package isn't a popular one so none of the regular fingerprinting apps recognise it, what can you do? Call in Sitediff, it takes a local directory of files and then requests each of them from the target site and reports back on what it finds.

A write up on how a common mutual authentication scheme used by a number of banks can be easily proxied and turned against the bank.

Techniques using both raw JavaScript and jQuery to use XSS to grab a CSRF token and then submit the form it protects.

The slides and video from my talk at Wild West Hackinfest on programming by copying and pasting from Google.

A copy of the slides from my dotnetsheff talk on HTTP security headers and cookies.

A walk through from getting injection into an SNMP config file to getting a shell.

Using an invalid HTTP request to bypass rewrite rules in lighttpd and the story of how I found the problem.

In 2017, Pippa was learning about cryptography and set a couple of crypto challenges for the SteelCon kids track, this year we are working on logic gates so she has set a challenge based on that.

This is a full walk through detailing how I would go through my challenge. There are probably plenty of other ways this can be done so don't take this as the only or best. If you do have a better way, please let me know.

A client had the requirement to allow users to upload SVG files to their web app, these files then had to be displayed. As SVG files can contain JavaScript and can be used for Cross-Site Scripting attacks, I had to do some investigating to find ways to allow them to do what they wanted safely.

Have you ever logged in to a box, started running commands, and then remembered the bash history will be logging everything you run. I've done it occasionally so thought I should do some research on what the options are. This post covers what I came up with, please get in touch if you have any other ideas.

This post accompanies the post A 101 on Domain Fronting and in it we are going to setup both a site to use for domain fronting and then a fronted site.

Domain fronting has been around for years and I've always understood the concept but never actually looked at exactly how it works. That was until recently when I did some work with Chris Truncer who had us set it up as part of a red team test. That was the point I had to get down and understand the actual inner workings. Luckily Chris is a good teacher and the concept is fairly simple when it is broken down into pieces.

Whether you think it is true 'domain fronting' or just something that is similar, this post walks through how Cloudflare use SNI to protect against attackers modifying the HTTP Host header and then how ESNI can be used instead to help ensure any 'bad' traffic goes unnoticed by observers.