#9

A tool for “grepping the Internet”

WARCannon, a tool released at Black Hat, is supposed to enable hackers to search for vulnerabilities on a large scale using data from CommonCrawl. It would be especially useful for those doing novel research like request smuggling. Then, testing the same bug on the...

How I always remember about things to do?

Note: what works for me might not work for you. Sometimes when I have a conversation on Twitter, someone suggests that I make a video about a topic. I tell them that I will come back after some time with an answer on whether I will do it or not. Then, when I eventually do, I see...

A tool to find blind-XSS

When testing a website, ideally you have access to every user role in the system. However, that's often not the case, especially for bug bounties. Thus, access to the panel where "contact us" messages land is hard to obtain for most programs. However, that should not...

How to Hack APIs in 2021?

APIs are becoming more and more popular these days. That's why we, as hackers, must also follow the trend and focus more on API-related vulnerabilities. hakluke and Farah Hawa assembled a really great article about hacking APIs in 2021. It's really extensive...

HTTP/2 request smuggling

If you told me you only wanted to watch one security talk per year, I would, without a doubt, tell you to watch James Kettle's yearly research presented at DEFCON or Black Hat. This year, he came back with request smuggling, but using HTTP/2, which was meant...

Exploiting differences in parsers

Last week, the article about securing XML implementations was the most popular in other newsletters. Originally, I was also going to use that one, but I decided to go for something unique instead while staying within the XML subject. Namely, I want to show you how...