Blog
I've always been more of a coder than a writer, so entries here may be few and far between, but I do have some ideas for things I'd like to get off my chest, so check back occasionally or keep an eye on the RSS feed just in case.
- SteelCon 2022 Ninja Run As SteelCon is back for 2022, so is the Ninja Run.
- Cracked Flask Lab A brief description of how to crack Flask session cookies and an introduction to the Cracked Flask Lab.
- WSL2 DNS Oddness The DNS server used by WSL2 does not return records in the same format as a normal DNS server.
- Splitting XSS Payloads Splitting an XSS payload over more than one input to get around size limits and filtering.
- Alert Function Hijacking Overriding the JavaScript alert function to find a hidden XSS.
- The CORS Demos A set of CORS requests and responses to demonstrate all the different permutations.
- Entering a new community A story about sometimes having to push through elitism to get to the real community.
- SteelCon 2019 Ninja Run An offer to take some friends running during SteelCon 2019.
- TLS certs for internal OTS hardware A walkthrough of a process which allows off the shelf hardware to automatically acquire a valid TLS certificate on startup.
- An odd quirk with XSS through JavaScript URI Working through debugging why an easy XSS exploit was failing.
- Becoming More Accessible A call out to readers to help me make the blog more accessible.
- Using HTTP Pipelining to hide requests Examples of how to use HTTP Pipelining to hide requests.
- Domain Fronting with Cloudflare A worked example of using ESNI to do domain fronting through Cloudflare.
- Domain Fronting with Cloudfront A worked example of setting up domain fronting using AWS CloudFront.
- A 101 on Domain Fronting An introduction to domain fronting with examples.
- Hiding from Bash history Some research on how to hide commands from the Bash history.
- Protecting against XSS in SVG An investigation of different ways to protect a site against malicious scripts stored in SVG files.
- vuLnDAP Walkthrough A walkthrough of my vuLnDAP project.
- Pippa's SteelCon Logic Challenge In 2017, Pippa was learning about cryptography and set a couple of crypto challenges for the SteelCon kids track; this year we are working on logic gates, so she has set a challenge based on that.
- Invalid HTTP requests and bypassing rewrite rules in lighttpd Using an invalid HTTP request to bypass rewrite rules in lighttpd and the story of how I found the problem.
- SNMP Config File Injection to Shell A walk through from getting injection into an SNMP config file to getting a shell.
- dotnetsheff Headers and Cookies Slides A copy of the slides from my dotnetsheff talk on HTTP security headers and cookies.
- Programming With Google The slides and video from my talk at Wild West Hackinfest on programming by copying and pasting from Google.
- Shellshock and the Telnet USER Variable A quick example of how to exploit the Shellshock vulnerability on telnet via the USER variable.
- Stealing CSRF tokens with XSS Techniques using both raw JavaScript and jQuery to use XSS to grab a CSRF token and then submit the form it protects.
- Web App Mutual Authentication Fail A write up on how a common mutual authentication scheme used by a number of banks can be easily proxied and turned against the bank.
- Accidentally Sharing CrashPlan Data A story of how Christmas generosity resulted in a friend's files being accessible by all his family.
- The plagiarism of Christian Bruhin Christian Bruhin's site takes RSS feeds from popular sites and publishes them without proper credit or attribution.
- Windows RDP client, show login page A short how-to on getting the Windows RDP client to show the server login page rather than ask for credentials itself.
- SANS Murder Board Heart Rate The results of a small experiment to see what my heart rate was like during my SANS instructor murder board.
- Asking For Technical Help I see a lot of requests for technical help with tools and projects, some good, some bad. This post covers what I like to see when someone asks a question.
- Catching API Keys With Git Hooks Using Git hooks to prevent sensitive information, such as API keys, from ending up in Git repos.
- Re-enabling the browser right click A couple of options to re-enable right click when testing a web app.
- Missing a vulnerability Asking the question, when it is acceptable to miss a vulnerability on a test.
- EE, Why no password change? Trying to understand why the EE web portal doesn't have a password change feature.
- XSS Through CSRF A short guide to exploiting POST based reflected XSS using CSRF and iframes.
- Interactive Pentesting A write up of my recent experiences of getting clients involved during testing.
- Hacking NASL scripts A quick how-to on modifying Nessus NASL scripts to remove password obfuscation.
- Tech for Troops slides These are my slides on Wi-Fi leakage from the 2016 Tech for Troops conference.
- The Sony Hack A short article to cash in on all the page hits that are going around because of the Sony hack.
- Thank you hackers Rather than focus on a negative troll I want to say thank you to our amazing hacker community.
- Pipal Kippo Log Parser Pipal gets a Kippo log parser to show what passwords attackers are using when brute forcing SSH servers.
- Pipal email checker A new Pipal checker which looks at the relationship between email addresses and passwords.
- Comments on eBay password policies My opinion of the eBay password reset policy which prevents pasting and caps at 20 characters.
- Reproducing Vulnerabilities in Test Reports My thoughts on including steps to reproduce vulnerabilities in test reports.
- Exploiting RIPv2 Part two of exploiting RIP. Here I look at RIPv2 along with its authentication mechanisms and how to crack them.
- Tracking down an accidental Gmail DoS Write up of my efforts to track down what turned out to be an accidental DoS against my Gmail account.
- Exploiting RIP How to set up a GNS3 lab with RIP and then exploit it.
- Abusing Dynamic Trunking Protocol - DTP Using Cisco DTP to change a switch port from access to trunk mode.
- Adding VLANs to the GNS3/VirtualBox Lab Expanding the lab to add VLANs and then jump between them.
- Integrating GNS3 and VirtualBox The first part of a series integrating GNS3 and VirtualBox to build a lab to play with layer 2 attacks.
- Building a lab with ModSecurity and DVWA A guide on how to set up a lab containing ModSecurity and DVWA.
- OWASP ZAP and WebSockets Part one of my introduction to WebSockets, a general introduction to ZAP and WebSockets.
- Fuzzing WebSockets with ZAP Part two of my introduction to WebSockets, this one focuses on fuzzing.
- Checkers and Splitters - Pipal Goes Modular Pipal now has a modular structure allowing you to write your own Checkers and Splitters; this is a brief introduction to how they both work.
- My successful entry in the BruCON 5x5 competition How I'm going to spend my share of the €25,000.
- An idea for a report writing competition A lot of conferences have CTFs but how about testing people's report writing skills as well?
- DNS Reconnaissance against wildcard domains How to sort the wheat from the chaff when enumerating DNS servers which use wildcard records.
- Hakin9 - The Kings Of Spam About once a fortnight I get a request to write an article for Hakin9 or one of its sister publications; this article details my attempts to stop this spam.
- A review of the Corelan Live Win32 Exploit Dev Bootcamp My experience of doing the course at BruCON 2012.
- Are signs of the zodiac used as passwords? I was wondering why dragon and monkey come up so often in Pipal analysis of password lists, so I thought about the Chinese Zodiac.
- Did you know that Linux groups can have passwords? I didn't until this afternoon; here is how you set them up.
- Are secure web frameworks reducing long term security? Why I think developers should always think about security, even when someone else is taking care of it for them.
- OWASP Leeds presentation slides A copy of my slides from OWASP Leeds covering the perils of autoconfiguring web cams, with a bonus set presenting "Whats in Amazon's buckets".
- My CHECK Team Leader Web App Exam How I found the CHECK Team Leader Web Application exam.
- Burp Intruder Attack Types A description of the different attack modes in Burp Intruder.
- Using decompression to avoid filters Decompressing data to get it past filters such as IDS.
- Bliss Buggy Push Photos of my fancy dress buggy push for Bliss and a huge thanks to sponsors and supporters.
- Analysing Mobile Me Analysis of the content I found when trawling Mobile Me accounts looking for public information.
- Mobile Me Madness A brief description of how Mobile Me allows access to its file listings and how to interpret them.
- Analysing Amazon's Buckets This application trawls Amazon's S3 system looking for public buckets and returns a list of the contents of any found.
- Whats in Amazon's buckets? The description of how I wrote a tool to brute force bucket names from the Amazon S3 system and then take it a step further.
- Going to WAR on Tomcat with Laudanum Using Laudanum to attack Tomcat servers.
- A little trick to extract FTP details Setting up fake servers then capturing the clear text.
- Double tunnels to help a colleague in distress Setting up SSH tunnels to allow external access to an internal network.
- Tiger Scheme Check Team Member Exam A review of the Check Team Member exam.
- When All You Can Do Is Read A look at what files are good to try to read when all you have is read only access to a machine, i.e. no directory listing ability.
- Nessus Through SOCKS Through Meterpreter Using a Meterpreter pivot and a SOCKS proxy to run Nessus scans through a compromised machine.
- HTTP Banner Grabbing Beyond The Root Where do you do your web banner grabbing, just in the root?
- Viewing Pages documents in Linux A short shell script to display a document created in Pages in Linux.
- The Trojan in your pocket Do you know what your phone is doing?
- Finding "interesting" columns in MSSQL databases Automating searching through MSSQL databases for interesting data.
- The best scan result ever This ultrasound scan result beats any result I've seen from Nessus, Nikto or Nmap. I'm going to be a daddy!
- Kismet log manipulation with GISKismet A patch to GISKismet so it will import Kismet data which doesn't include GPS positions.
- Whats behind the door? I really want to know what is behind this door!
- Would you give out your password? A write up of an experiment where I asked a class to give me their passwords.
- #secvidofday My security video of the day.
- AP Collection A selection of APs I tested as part of some rogue AP detection.
- PenTester Scripting How I got myself into yet another project.
- Gourmet BeEF A great photo advert for the BeEF project.
- Micro SD Card Reader A quick shot of a new micro SD card reader I got.
- Untrusted VMs Trojaning VMs and live CDs.
- Cardbus Converter Convert old PCMCIA cards to PC Express.