security never sleeps

JWT Hacking 101

December 07, 2017

As JavaScript continues its quest for world domination, JSON Web Tokens (JWTs) are becoming more and more prevalent in application security. Many applications use them, so it has become very important for me to know as much as I can, and I want to share what I’ve learned. In this blog post I will discuss…

Code Featured on Mr. Robot (USA Network)

November 30, 2017

Last night’s episode of Mr. Robot (eps3.6_fredrick+tanya.chk) contained some code I wrote for a WebLogic deserialization vulnerability in my earlier blog post, Hands on with WebLogic Serialization Vulnerability. I still can’t quite believe it! Chris Frohoff (@frohoff), the author of the “ysoserial” deserialization tool, caught it and tagged me on Twitter. Many thanks to him…

SE Village @ DC25: Social Engineering with Web Analytics

July 31, 2017

This weekend I was lucky enough to have the opportunity to speak at the Social Engineering Village at DefCon25. I gave a talk on my research into using Google Analytics for social engineering. I made a new tool called google-analytics-attack-ng that has many new features compared to its predecessor in my previous blog post. In addition to…
