Posts

  • Mar 3, 2020

    XSS Hunting

    This post documents one of my findings from a bug bounty program. The program had around 20 web applications in scope. Luckily the first application I chose was a treasure trove of bugs, so that kept me busy for a while. When I decided to move on, I picked another one at random, which was the organisation’s recruitment application.

  • Apr 24, 2019

    Gaining Access to Card Data Using the Windows Domain to Bypass Firewalls

    This post details how to bypass firewalls to gain access to the Cardholder Data Environment (or CDE, to use the parlance of our times). End goal: to extract credit card data.

  • Jul 8, 2018

    Password Autocomplete and Modern Browsers

    On many penetration test reports (including mine), the following is reported:

  • Apr 17, 2018

    Defeating Content-Disposition

    The Content-Disposition response header tells the browser to download a file rather than displaying it in the browser window.

  • Mar 4, 2018

    Gaining Domain Admin from Outside Active Directory

    …or why you should ensure all Windows machines are domain joined.

  • Feb 10, 2018

    How to Use X-XSS-Protection for Evil

    Two important headers that can mitigate XSS are:

  • Feb 3, 2018

    Hidden XSS

    On a web test once I was having trouble finding any instances of cross-site scripting, which is very unusual.

  • Oct 14, 2017

    ASP.NET Request Validation Bypass

    …and why you should report it (maybe).

  • Jul 26, 2017

    XSS Without Dots

    A site that I discovered was echoing everything on the query string and POST data into a <div> tag.

  • Jun 29, 2017

    CSRF Mitigation for AJAX Requests

    To start with, a quick recap on what Cross-Site Request Forgery is:

  • Jun 20, 2017

    To Be (Enumerated) Or Not To Be

    Are user enumeration vulnerabilities a real security concern? User enumeration is when an application reveals whether a user exists to other users.

  • May 9, 2017

    Unterminated XSS

    I recently came up against the following injection (simplified for the purposes of this post):

  • May 1, 2017

    Umbraco LFI Exploitation

    I mentioned a Local File Inclusion vulnerability (LFI) that I discovered in Umbraco without realising it wasn't patched by the update at the time. Well, as promised here are the details on how to exploit it.

  • Apr 16, 2017

    Security Flaw or Functional Flaw?

    Having worked as a developer for over ten years before branching into pentesting, I always aimed to bake security into my work, even if I didn’t have the wealth of knowledge that I now have in order to do my day job.

  • Apr 2, 2017

    Umbraco 0-day

    During a pentesting engagement a couple of years ago I came across an undocumented security vulnerability in Umbraco, more specifically with the ClientDependency library.

subscribe via RSS