SQL Injection using System Variables in MySQL

For BSides Manchester 2015, the UK pen-testing company aptly named ‘Pentest Ltd’ held a SQL injection challenge where the injection point required structuring the payload in a specific manner with MySQL voodoo to keep the payload under 90 characters, and bypass a basic WAF. I was fairly certain the lab could also be accomplished using MySQL variables, but […]

"Bypassing" CSP’s Data-Exfiltration Protections

A long time ago now, I tweeted a challenge to see if anyone knew what the following URL would attempt to do:

Don’t worry, I don’t expect you to stare at that monstrosity. Instead I’ll just tell you. So a friend of mine was competing in WhiteHatRally last year, which is a sort of “solve the […]

Hunting bad regex with good regex.

In this post I’ll look at how a simple regex flaw I found on a web application led me down a pretty big exploratory hole of trying to search for regex vulnerabilities in applications… using regex; the results of which have since been useful on many of my engagements.

WordPress – CSRF>XSS>Shell>Profit.

I did a small penetration test in 2013/14 for a client’s WordPress site, which has since been my go-to anecdote for explaining the potential for XSS… probably because, to non-sec folk, what it achieved sounds amazing, although it’s really rather easy to explain how and why it worked. This is that anecdote…

Threema Revisited.

So the Threema bug I found a few years ago was fairly cool in my opinion, something a bit different anyway. So it was disappointing that Threema didn’t respond to me at all and then released a patched/updated Threema to the AppStore with something like “general improvements” in the change-log… lovely… very general. Well, anyway… process this for a second […]

Threema Local Authentication Bypass

I sent Threema an email disclosing this and got an auto-reply saying that they commonly take a week to reply to customer messages. Since I hate waiting for things and it’s not a total remote RCE flaw, let’s just put it here for now. The flaw allows gaining local access to a user’s Threema application, […]

The OkBot.py

For a while I was trying to do the whole online dating lark. I had some fun with it but the problem with a site like OkCupid (my poison of choice) is that you can never really tell how ‘well’ you are doing. Obviously you are doing well if you are meeting people and having fun […]