Did default SameSite:Lax put the nail in the coffin for CSRF? Mostly, but not always!
February 17, 2022
Most modern browsers have added the “SameSite: Lax” attribute to session cookies as default when not otherwise set. The driving factor for this change is to have a better default to defend against Cross-Site Request Forgery (CSRF). Did this end CSRF as we know? Mostly, but there are some interesting gaps where it can still be a problem. This blog post will briefly cover what CSRF is, how the SameSite attribute affects it, and an interesting gap discovered in the wild.
HackLive’s Hardware Challenge
May 7, 2021
Normally the extent of my hardware involvement with Kernelcon ends with the electronic badge. However, our event this year, HackLive, was setup to have a hardware challenge to be solved by Kingpin (Joe Grand). And through a series of circumstances, I ended up taking on the task. This blog post will cover what went into building the HackLive challenge and what came out the other side!
Prints: A DefCon 28 Short Story
July 4, 2020
This year’s DefCon theme, albeit virtual, got me excited and I had a good idea for the short story contest. This blog post contains a little background and that story!
Kernelcon Electronic Badges and Pogopin Hackery
April 14, 2020
This blog post briefly documents the 2019 & 2020 electronic badges I helped build for Kernelcon. Additionally, there is a tutorial on how to build your own DIY pogopin clamp like what we used this year to program our badges.
Chrome Extension to Detect Images of Fake Tweets
February 3, 2020
I was recently asked by a political science professor and friend to help with a lecture at the University of Nebraska at Omaha on the topic of fake news from a technology practitioner’s perspective. I tried to help illustrate the technological and privacy challenges at play with the topic. Ultimately, I spoke on a couple…
SANS Holiday Hack Challenge 2019 – Objectives 8 & 9
January 14, 2020
I had the time to play this year’s SANS Holiday Hack Challenge. There were a lot of interesting challenges, especially from the defense side of the house. I wanted to cover my two favorites objectives/challenges from this year!
Bypassing WAFs with JSON Unicode Escape Sequences
December 20, 2018
This blog post will discuss how I was able find a blind SQL injection, analyze a WAF, find a JSON unicode escape bypass, and then automate the bypass by writing a sqlmap tamper script.
Android Reversing to Find JWT Key
February 6, 2018
In the previous blog post, I discussed JWTs and their common vulnerabilities. There, I mentioned a recent engagement where I discovered an Android application signing JWTs using HS512 on the client side, which set in motion a hunt to find the symmetric key and forge modified JWTs. This blog post will cover the basic Android hacking techniques and methodology used along the way. If you are new to Android application testing, this blog post will be a great resource to learn from!
JWT Hacking 101
December 7, 2017
As JavaScript continues its quest for world domination, JSON Web Tokens (JWTs) are becoming more and more prevalent in application security. Many applications use them, so it has become very important for me to know as much as I can and I want to share what I’ve learned. In this blog post I will discuss…
Code Featured on Mr. Robot (USA Network)
November 30, 2017
Last night’s episode of Mr. Robot (eps3.6_fredrick+tanya.chk) contained some code I wrote for a WebLogic deserialization vulnerability in my earlier blog post, Hands on with WebLogic Serialization Vulnerability. I still can’t quite believe it! Chris Frohoff (@frohoff ) the author of the “ysoserial” deserialization tool caught it and tagged me on Twitter. Much thanks to him…