I recently needed to access an application which required mTLS using an automated browser to facilitate security testing. The last time I attempted this (several…
Just another hacking blog...
Category: Tools and Techniques
Posts in this category are about tools and techniques that I find useful during a Penetration Test
A recent zero-day vulnerability has been publicly shared revealing a critical issue with the nginx-ldap-auth software package allowing attackers to potentially bypass authentication and disclose key information on vulnerable servers.
Some time ago I came across a site that was using xdLocalStorage after I had been looking into the security of HTML5 postMessage. I found that the library had several common security flaws around lack or origin validation and then noticed that there was already an open issue in the project for this problem, added it to my list of things to blog about and promptly forgot about it.
This week I have found the time to actually write this post which I hope will prove useful not only for those using xdLocalStorage, but more generally for those attempting to find (or avoid introducing) vulnerabilities when Web Messaging is in use.
Python script to parse directory and file names from a .DS_Store file.
As you would expect, office printers are often identified when conducting a penetration test of an office network. These devices often seem to be overlooked…
TLDR: There is a simple username enumeration issue in Office365’s ActiveSync, Microsoft do not consider this a vulnerability so I don’t expect they will fix…
Recently I needed to parse some data embedded in HTML. At first glance it appeared to be JSON, so after pulling the text out of…
Believe it or not, despite the fact it is 2016 I am still finding LanManager (LM) hashes on internal networks during penetration tests. Although in my…
JavaScript Object Notation with Padding (JSONP) is a technique created by web developers to bypass the Same Origin Policy which enforced by browsers to prevent…