Programming

Solving the November 13th Detective Nevil Mystery Challenge

Solving the November 13th Detective Nevil Mystery Challenge

Overview Each week on Friday, we post a social media challenge known as “Detective Nevil Mystery Challenge”.  On November 13th of 2020, we released a challenge that contained a payload and it was only solved by one person on twitter.  That challenge is as follows: I decided it might be a good idea to do …

Solving the November 13th Detective Nevil Mystery Challenge Read More »

LD_PRELOAD: Not-So-Random

Not-So-Random: Using LD_PRELOAD to Hijack the rand() Function

    Today I wanted to continue the series on using LD_PRELOAD.  In today’s post we are going to use LD_PRELOAD to hijack the rand() function in a simple random number guessing game to control the generation of random numbers and effectively be able to cheat in this simple game by making it extremely predictable.  The code …

Not-So-Random: Using LD_PRELOAD to Hijack the rand() Function Read More »

It’s Okay, We’re All On the SameSite

With Google’s recent announcement that all cookies without a SameSite flag will be treated as having SameSite=Lax set by default in Chrome version 80, surely Cross-Site Request Forgery will be dead? Well, not quite… In this post I’m going to demonstrate a scenario in which the SameSite default won’t actually stop a CSRF attack from …

It’s Okay, We’re All On the SameSite Read More »

Twelve Days of XSSmas

This series of daily mini-posts, running from December 12, 2018 to December 24, 2018, is intended to provide cross-site scripting (XSS) related tips. This will range from filter-evasion and payload minification tricks, to old (but still good) classic XSS tips, to scripts that make (or contribute to) interesting proof-of-concept payloads. Day 1 – Template Literals …

Twelve Days of XSSmas Read More »

Three C-Words of Web App Security: Part 2 – CSRF

This is the second in a three-part series, Three C-Words of Web Application Security. I wrote a sort of prologue back in April, called A Brief Evolution of Web Apps, just to set the scene for those less versed in web application history. In July, I posted part one, which was Three C-Words of Web App Security: …

Three C-Words of Web App Security: Part 2 – CSRF Read More »

An Introduction to Javascript for XSS Payloads

I recently got the opportunity to speak at B-Sides Charleston on cross-site scripting (XSS) payload development. For me, this was a really enjoyable opportunity because of my background. I was a software developer specializing in web apps for about 10 years. I did web development as a hobby for more than 10 years before that. …

An Introduction to Javascript for XSS Payloads Read More »

Scroll to Top