A brief description of how to crack Flask session cookies and an introduction to the Cracked Flask Lab.
The DNS server that WSL2 uses returns records in a different way to a normal DNS server and because of this I ended up trying to log into the wrong server. This is my quick analysis of what is different, and what it caused to happen.
Talking about a way I found to split XSS payloads over multiple inputs to bypass input length limitations and input filtering.
Overriding the JavaScript alert function to find a hidden XSS.
I've added a new lab for looking at different ways to use HTML5 postMessage and their associated vulnerabilities.
Another update to the Authlab, this time covering how to use John the Ripper and Hashcat to crack the keys used to sign JWTs. For more information, and a walk through.
I've just added a new challenge to the lab looking at exploiting the none algorithm. For more information, and a walk through.
Added a new lab to play with GraphQL. It includes a set of working examples of how to make and manipulate various queries and mutations, and then a set of challenges to test what you learned.
A story about having to push through elitism to get to the real community.
An offer to take some friends running during SteelCon 2019.
A walkthrough of a process which allows off the shelf hardware to automatically acquire a valid TLS certificate on startup.
A proof of concept demonstration to go with the blog post.
I was recently contacted by to help him with an XSS issue he was having problems with. Ryan knows his stuff, and if he was having problems with something, I knew it had to be a fun challenge. This blog post covers debugging quirks in browser behaviour and some information on how JavaScript URIs work.
A set of walkthroughs for the challenges set in my.
I want my blog to reach as wide an audience as possible and to help with that, I'm asking for my readers to make suggestions for changes which will help make the site more accessible.
Using HTTP pipelining to hide requests.
A worked example of setting up domain fronting with Cloudflare using ESNI.
A 101 on domain fronting along with some examples.
A worked example of setting up domain fronting with CloudFront.
Some research on how to hide commands from the bash history.
Protecting against XSS in SVG
A walkthrough of my vuLnDAP project
A logic gate challenge set by Pippa for the 2018 SteelCon kids track.
Invalid HTTP requests and bypassing rewrite rules in lighttpd
SNMP Config File Injection to Shell
dotnetsheff Headers and Cookies Slides
Burp Macros and Session Handling.
Programming with Google.
Shellshock and the Telnet USER Variable
Stealing CSRF tokens with XSS
A custom wordlist generator with a twist.
A banking mutual authentication scheme that does not work.
NoSQLi Lab
New tool, Sitediff
Accidentally Sharing CrashPlan Data
The plagiarism of Christian Bruhin
Windows RDP client, show login page
The results of a small experiment to see what my heart rate was like during my SANS instructor murder board.
I see a lot of requests for technical help with tools and projects, some good, some bad. This post covers what I like to see when someone asks a question.
Here is a little trick I just learned about to help prevent things like API keys from ending up in your Git repo. I've mentioned it to a few Git-loving developers who all claimed that it is obvious and that loads of people are already using it, but, as we regularly see keys in GitHub, I'd guess that it's a case of what people know they should be doing versus what they are actually doing. The trick uses Git hooks to catch content pre-commit and block anything that it thinks is suspicious.
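As an added illustration of the hook idea (this is example code written for this page, not the script from the original post), the following Python pre-commit hook scans only the lines being added in the staged diff and refuses the commit if any of them match a small set of credential patterns. The pattern list, the sample diff and the file name `config.py` are constructed for the example; the AWS key shown is Amazon's documented placeholder, not a live credential.

```python
#!/usr/bin/env python3
"""Pre-commit hook: block commits whose staged additions look like secrets.

Install by copying this file to .git/hooks/pre-commit and making it executable.
Example code for this page; patterns are illustrative, not exhaustive.
"""
import re
import subprocess
import sys

# Illustrative detectors for common credential formats (assumed list, extend as needed).
SECRET_PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "Generic API key assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?[A-Za-z0-9_\-/+=]{16,}"
    ),
    "GitHub token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}

# Constructed sample of `git diff --cached` output used to demonstrate the scanner.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-API_KEY = "REDACTED"
+API_KEY = "sk_live_0123456789abcdef0123"
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+db_password = os.environ["DB_PASSWORD"]
 DEBUG = False
"""


def scan_diff(diff_text):
    """Return (file, pattern_name, line) for every added line matching a pattern.

    Only '+' lines are checked, so removing a secret is never flagged, and the
    '+++ b/<file>' header is used to attribute findings to a file.
    """
    findings = []
    current_file = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:]
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if not line.startswith("+"):
            continue
        added = line[1:]
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(added):
                findings.append((current_file, name, added.strip()))
    return findings


def staged_diff():
    """Fetch the staged changes with minimal context so only real additions are scanned."""
    result = subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def main():
    findings = scan_diff(staged_diff())
    if not findings:
        return 0
    print("Commit blocked: possible secrets in staged changes:", file=sys.stderr)
    for path, name, text in findings:
        print(f"  {path}: {name}: {text[:80]}", file=sys.stderr)
    print("Remove the secret, or use `git commit --no-verify` for a confirmed false positive.",
          file=sys.stderr)
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Run against `SAMPLE_DIFF`, the scanner flags the API key and the AWS access key ID but not the `os.environ` lookup or the removed line, which is the behaviour you want: the hook should complain about secrets going in, not about secrets being taken out. Because hooks live in `.git/hooks` and are not versioned, they only protect developers who install them; treat this as a seatbelt, not a substitute for server-side scanning and key rotation.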
I've spent the day testing an app which disables the right-click context menu, which makes testing tricky, so I found a one-liner which I could drop into the browser console to re-enable it for me.
Asking the question, when it is acceptable to miss a vulnerability on a test.
Trying to understand why the EE web portal doesn't have a password change feature.
A short guide to exploiting POST based reflected XSS using CSRF and iframes.
A write up of my recent experiences of getting clients involved during testing.
A short howto on removing the obfuscation added to non-default passwords by Nessus.
Pipal analysis of a password dump from the Neofriends dating site.
Pipal analysis of 13,000 passwords from the Lizard Squad dump.
Pipal analysis of 1800 passwords dumped from Minecraft
Pipal analysis of a password dump from a dating site.
My opinion on the Sony hack.
A huge thank you to the amazing hacker community.
A tool to follow HTTP redirects showing the full details at each request, collecting and replaying cookies on the way.
Pipal of a database dump from comicbookdb.
Pipal gets a Kippo log parser to show what passwords attackers are using when brute forcing SSH servers.
A Pipal analysis of the Manga Traders password dump, some interesting results when looking at demographics and reuse of username/email addresses as passwords.
A new Pipal checker to look at the relationship between email addresses and passwords.
My opinion on the eBay password reset policy - no pasting and 20 character caps are bad.
Custom word list generator based on tweets - Update to use the new Twitter search API
A script I knocked together to import issues from my DradisPro install into MediaWiki so they could be the start of my issues library.
Do you include steps to reproduce vulnerabilities in your security reports? In this post I think about how to do this.
Part two of the exploiting RIP series, this time looking at RIPv2 and its authentication mechanisms.
A Pipal analysis of the recent Tesco password disclosure.
Write up of my efforts to track down what turned out to be an accidental DoS against my Gmail account.
Setting up a RIPv1 lab in GNS3 and then exploiting it to poison routes between two machines.
Abusing Cisco Dynamic Trunking Protocol, DTP, to change a switch port from access to trunk mode to gain access to all VLAN traffic.
Adding VLANs to the GNS3/VirtualBox Lab
Integrating GNS3 and VirtualBox - This is the first part of a series integrating GNS3 and VirtualBox to build a lab to play with layer 2 attacks
Sitemap2Proxy takes the sitemap published by a web app and requests each page through your specified proxy. This release adds response code stats to the output.
Building a lab with ModSecurity and DVWA.
Version 5.0 of CeWL adds proxy and basic/digest authentication support along with a few small bug fixes.
Extract meta data from videos taken on iPhones.
The second part of my introduction to using ZAP to test WebSockets, this part focuses on fuzzing.
I recently decided it was time to learn how to test WebSockets and took the opportunity to learn a bit about how ZAP works. This two part blog post covers a brief intro to ZAP and how it interacts with WebSockets and then looks in depth at how to fuzz them.
A WebSocket based application which goes alongside the blog post on ZAP and WebSockets.
Pipal now has a modular structure allowing you to write your own Checkers and Splitters, this is a brief introduction to how they both work.
A proof of concept application which takes observed key presses and generates a list of potential passwords.
Enumerating shares on the SpiderOak network.
A companion tool to Pipal which can spot keyboard patterns in password lists.
A simple script to create files containing binary data.
Using Google Analytics tracking codes to find relationships between domains.
How I'm going to spend my share of the 25,000 euro BruCON 5x5 cash.
Abusing a DDNS service to find IP cameras around the world.
An idea for a report writing competition
A Metasploit module for enumerating directories and files through MySQL
DNS reconnaissance against wildcard domains
A story about Hakin9, the kings of spam
A review of the Corelan Live Win32 Exploit Dev Bootcamp
Extract all URLs from a sitemap.xml file and request them through a proxy of your choosing.
Version 4.3 of CeWL adds result sorting by word count, with optional display of the count, also various bug fixes.
Hostapd Karma patches updated to hostapd version 1.0
Are signs of the zodiac used as passwords?
Did you know Linux groups can have passwords?
Custom word list generator based on tweets
Are secure web frameworks reducing long term security?
Version 4.2 of CeWL which fixes a major problem found in the spider I'm using.
This is part two of my write up of the findings from the Breaking In survey.
This is part one of my write up of the findings from the Breaking In survey.
My slides for my BSides London talk on Breaking in to Security
A set of interim results from my survey, how do I get started in security?
A copy of my slides from OWASP Leeds covering the perils of autoconfiguring web cams with a bonus set presenting 'What's in Amazon's buckets'
Ever wanted to ask, or help answer the question, how do I get started in security?
A domain set up to help teach and explain DNS zone transfers.
Pipal is a password analysis tool
How I found the CHECK Team Leader Web Application exam
A description of the different attack modes in Burp Intruder
Using decompression to avoid filters
An application to parse files such as .DS_Store to reveal otherwise unlinked files on web sites.
CeWL Version 4
Wifi Honey
Analysing Mobile Me
Mobile Me Madness
A tool to brute force user accounts on Mobile Me
Analysing Amazon's Buckets
What's in Amazon's buckets?
A tool to brute force bucket names from Amazon S3
Going to WAR on Tomcat with Laundanum
An update to my script to mine data out of Google Profiles
A little trick to extract stored FTP details
Double tunnels to help a colleague in distress.
Tiger Scheme Check Team Member Exam - A review of the Check Team Member exam.
A Meterpreter script to download wireless profiles from Windows 7 and Vista boxes.
A short script to do frequency analysis on lines in a file.
When All You Can Do Is Read.
Nessus Through SOCKS Through Meterpreter.
A modular brute force tool currently supporting HTTP(S), MySQL and SSH.
HTTP Banner Grabbing Beyond The Root
Viewing Pages documents in Linux
Do you have a second hand Trojan in your pocket?
A custom wordlist generator with a twist.
A Metasploit module to accompany my blog post on finding interesting data in MSSQL databases.
Automating searching through MSSQL databases for interesting data.
This scan result beats any I've seen from Nessus, Nikto or Nmap
Karma comes into the modern age with patches for hostapd.
A pair of Metasploit modules to perform a DHCP exhaustion attack and then act as a DNS MiTM.
Convert Nessus v2 reports to CSV for easier manipulation and reporting.
Kismet log manipulation with GISKismet
Updated Metasploit sound module
Metasploit DNS MiTM and DHCP Exhaustion modules
OSSEC rules for handling Kismet alerts files
Convert a CSV file to an OSSEC rules file
Whats behind the door?
Don't just see on screen that you've got a new Metasploit session, be told by a nice lady.
Would you give out your password?
CeWL Version 3
Calc IP Range
#secvidofday
My AP Collection
Releasing KreiosC2 version 3
The start of the PenTester Scripting project
Metasploit DNS MiTM and DHCP Exhaustion modules
Cool new Micro SD reader
New KreiosC2 language pack
Blindly Installing VMs and Using Live CDs
KreiosC2 released
New site launched