CyberChef is a tool I use all the time. It’s capable of many things starting with decoding Base64 or Hex, through hashing and encryption, up to making HTTP requests. It’s often much quicker to do things here than to code them. The basic usage is very simple but I’m...
Articles by Issue
Smashing the state machine: the true potential of web race conditions
James Kettle’s research is a yearly must-read for every web hacker. This time, he took a look at race condition bugs, discovered interesting ways of finding them and created tooling that will make hunting race conditions easier for us. After reading the article, I...
DevTools #4 – But where to actually set breakpoints?
This is the fourth and last issue of the series about using DevTools. After reading this, you will have all the tools needed to successfully work with JavaScript. Well, all apart from one. The most important one - the experience. Because I can’t give you that. But...
Public Office Hours by Louis Nyffenegger
Louis Nyffenegger is a founder of PentesterLab. Even though I don’t know him personally, I have big respect for him as a hacker, teacher and as a person. He just decided to offer public office hours where you can chat about careers, learning or even startups. I...
Even more ways to bypass URL validation
While I was reading this tweet from Justin Gardner about leaking Oauth codes, I found a cool research paper in a reply by SickSec. The paper was about URL validations and I didn’t think I will find something new. But I have. For example, these two bypasses I wasn’t...
The Trail of Bits Testing Handbook
Trail of Bits is a company I have massive respect for. Thus, I’m very happy they are releasing their testing handbook where they will describe their usage of different tools for testing. Not only does it cover installation and normal usage but also things like...
JSluice: Extract URLs, paths, secrets and more from JS files
TomNomNom is the author of many great hacking tools. This time, he released something I think we’ve been missing because, to me, the existing tooling didn’t seem good enough. It’s a tool to extract URLs, paths, secrets and other interesting data from JavaScript files....
Whose Input Is It Anyways? by Rael Sasiak-Rushby
Rael Sasiak-Rushby presented a talk titled “Whose Input Is It Anyways?” on BSides Leeds. The talk was interesting to me because he focused on the aspect of working with developers and understanding their struggles. It will be especially useful for those of you who...
Exploiting HTTP Parsers Inconsistencies
I feel like I say it over and over again but it’s just because it’s true. Inconsistencies are the origins of many bugs. In the modern web, with so many things to be parsed by so many different parsers, they are everywhere. Thus, I love blogposts highlighting them like...
DevTools #3 – Debugging client-side JavaScript
In the last two issues of this course, we covered the browser’s Elements, Console and Network tabs, and then different ways to set breakpoints. In this issue, we finally get to what to do when our browser hits the breakpoint. This is a massive help for understanding...