Did default SameSite:Lax put the nail in the coffin for CSRF? Mostly, but not always!

February 17, 2022

Most modern browsers have added the “SameSite: Lax” attribute to session cookies as default when not otherwise set. The driving factor for this change is to have a better default to defend against Cross-Site Request Forgery (CSRF). Did this end CSRF as we know it? Mostly, but there are some interesting gaps where it can still be a problem. This blog post will briefly cover what CSRF is, how the SameSite attribute affects it, and an interesting gap discovered in the wild.

HackLive’s Hardware Challenge

May 7, 2021

Normally the extent of my hardware involvement with Kernelcon ends with the electronic badge. However, our event this year, HackLive, was set up to have a hardware challenge to be solved by Kingpin (Joe Grand). And through a series of circumstances, I ended up taking on the task. This blog post will cover what went into building the HackLive challenge and what came out the other side!

Prints: A DefCon 28 Short Story

July 4, 2020

This year’s DefCon theme, albeit virtual, got me excited and I had a good idea for the short story contest. This blog post contains a little background and that story!

Kernelcon Electronic Badges and Pogopin Hackery

April 14, 2020

This blog post briefly documents the 2019 & 2020 electronic badges I helped build for Kernelcon. Additionally, there is a tutorial on how to build your own DIY pogopin clamp like what we used this year to program our badges.

Chrome Extension to Detect Images of Fake Tweets

February 3, 2020

I was recently asked by a political science professor and friend to help with a lecture at the University of Nebraska at Omaha on the topic of fake news from a technology practitioner’s perspective. I tried to help illustrate the technological and privacy challenges at play with the topic. Ultimately, I spoke on a couple…

SANS Holiday Hack Challenge 2019 – Objectives 8 & 9

January 14, 2020

I had the time to play this year’s SANS Holiday Hack Challenge. There were a lot of interesting challenges, especially from the defense side of the house. I wanted to cover my two favorite objectives/challenges from this year!

Bypassing WAFs with JSON Unicode Escape Sequences

December 20, 2018

This blog post will discuss how I was able to find a blind SQL injection, analyze a WAF, find a JSON unicode escape bypass, and then automate the bypass by writing a sqlmap tamper script.

Android Reversing to Find JWT Key

February 6, 2018

In the previous blog post, I discussed JWTs and their common vulnerabilities. There, I mentioned a recent engagement where I discovered an Android application signing JWTs using HS512 on the client side, which set in motion a hunt to find the symmetric key and forge modified JWTs. This blog post will cover the basic Android hacking techniques and methodology used along the way. If you are new to Android application testing, this blog post will be a great resource to learn from!

JWT Hacking 101

December 7, 2017

As JavaScript continues its quest for world domination, JSON Web Tokens (JWTs) are becoming more and more prevalent in application security. Many applications use them, so it has become very important for me to know as much as I can and I want to share what I’ve learned. In this blog post I will discuss…

Code Featured on Mr. Robot (USA Network)

November 30, 2017

Last night’s episode of Mr. Robot (eps3.6_fredrick+tanya.chk) contained some code I wrote for a WebLogic deserialization vulnerability in my earlier blog post, Hands on with WebLogic Serialization Vulnerability. I still can’t quite believe it! Chris Frohoff (@frohoff), the author of the “ysoserial” deserialization tool, caught it and tagged me on Twitter. Much thanks to him…