Friday, December 30, 2016

possible XSS execution in Javascript context

The following browser behaviour may be useful for bug bounty programs.

Thursday, December 29, 2016

bypass of php file extension blacklist for file uploads in standard ubuntu 12.04 lts LAMP setup

Weeks ago during a penetration test I bypassed a file upload filter by naming the file php. [dot].

worst virus example :)

That’s definitely the worst virus code example I have ever seen :)

Monday, December 26, 2016

how to save time using SQLMAP with file input


In the past I spent some time recreating a request to work with SQLMAP (cookies, headers, multipart forms, etc.).

subdomain discovery with nmap and custom subdomain files


How to discover/brute-force subdomains of a domain with the nmap dns-brute script and custom subdomain files.

Thursday, December 22, 2016

how to set up a raspberry pi 2 model b for wlan sniffing

The setup described below works with a Raspberry Pi 2 Model B with Wheezy as the operating system. It does not work with the Raspberry Pi 3 and Jessie.

Sunday, December 4, 2016

twelve "low hanging fruits" application owners can check by themselves before ordering a penetration test.


The following 12 common security issues can easily be checked by application owners themselves before ordering a penetration test. This will not substitute for a penetration test, but it can save time and money.