CSRF in Echosim.io

Echosim.io is a nice experimental site which puts a virtual Amazon Echo in your browser! You give the site access to your microphone, and then full control over your Alexa account (which it will keep indefinitely as you are guaranteed to forget you did this), and then you speak your Alexa questions and commands to […]

Guided Access Mode Bypass

As a penetration tester who specialises in mobile apps, I get good visibility of how the enterprise is adopting/using/misusing various iOS capabilities and MDM features. One trend I’ve seen increasingly, is the use of ‘Guided Access Mode‘ to lock down devices. Guided-Access Mode (GAM), for the unfamiliar, locks the device into a single app. It’s […]

Kinda LIKE SQL Injection

TLDR: This post is about some late 90’s level hacking. But the fact is, that there just doesn’t exist a decent explanation of this vulnerability anywhere on the internet.. and yesterday, in 2018, I found another application vulnerable to it (to quite serious effect). I’m afraid that was the straw that broke the camel’s back. […]

The Happn’ing

Years ago, one of the first posts I ever wrote was about my experience scripting a bot for the dating site OKCupid. It was just a PoC bashed together over a few beers with a friend. Since then (and becoming single) I’ve scripted bits and bobs for virtually every major dating site/app… its become a bit […]

SQL Injection using System Variables in MySQL

For BSides Manchester 2015, the UK pen-testing company aptly named ‘Pentest Ltd’ held a SQL injection challenge where the injection point required structuring the payload in a specific manner with MySQL voodoo to keep the payload under 90 characters, and bypass a basic WAF. I was fairly certain the lab could also be accomplished using MySQL variables, but […]

"Bypassing" CSP’s Data-Exfiltration Protections

A long time ago now, I tweeted a challenge to see of anyone knew what the following URL would attempt to do:

Don’t worry, I don’t expect you to stare at that monstrosity. Instead I’ll just tell you; So a friend of mine was competing in WhiteHatRally last year, which is a sort of “solve the […]

Hunting bad regex with good regex.

In this post i’ll look at how a simple regex flaw I found on a web application, lead me down a pretty big exploratory hole of trying to search for regex vulnerabilities in applications… using regex; the results of which have since been useful on many of my engagements.