Nov 5, 2021 | A Konami Code for Vuln Chaining Combos | Automate finding relational vulnerabilities for a more accurate risk rating | Intro: Anyone else thinking about pretzel Combos right now? Yeah me neither.. This blog isn’t actually about those (sorry), it’s about vulnerability chaining in Application Security but this concept could apply to Network Security as well. I was asked recently… | Appsec | 7 min read
Jul 9, 2021 | You ain’t got no problem, Jules. I’m on the Multifactor. | Intro: I’m so sorry it’s been nearly SEVEN MONTHS since my last blog! A lot has changed in my personal life (burnout, job change, selling ABC books, new baby, coaching youth soccer, pumpkin patch?) and I just haven’t had the time to research or write anything fun in a while. … | Infosec | 8 min read
Jan 12, 2021 | My KringleCon 2020 Holiday Hack Writeup | Well, it’s that time of year again and somehow between the crazy Q4 consulting work as a Principal Security Consultant, a new baby on the way, the holidays, and time with my family, I was able to squeak out another annual HHC by SANS. Like always, the team at Counter… | Ctf | 2 min read
Sep 25, 2020 | Phishing Your Password Manager | UPDATE: The founder of 1Password responded to this blog after it was posted and explained that the majority of password managers out there leverage Mozilla’s Public Suffix List (PSL) to determine how the domain is to be treated. He looked and saw that Auth0 was not on the list for… | Cybersecurity | 7 min read
Sep 20, 2020 | One Part Steganography, Four Redirectors, and a Splash of C2! | Intro: What do you get when you combine Google Images, QR Codes, and Remote Command Execution? This silly project of mine I’d like to share with you all, of course! Building off of my security research from my last couple of blogs, I decided to use my research using dynamic… | Cybersecurity | 9 min read
Jul 18, 2020 | Proxying Exfil Data Through Images | Intro: On the heels of my last blog when I discovered how to prevent all of my phishing emails from landing on any blacklists, I realized that sometimes Gmail, Microsoft 365, and possibly other email providers will mark an email as suspicious simply because an embedded tracking pixel doesn’t really… | Cybersecurity | 6 min read
May 25, 2020 | These Aren’t the Phish You’re Looking For | An Effective Technique for Avoiding Blacklists | I promised myself I would never do another phishing blog out of respect for the roughly five hundred fifty billion infosec articles already out there on the same subject. It turns out I’m a big ‘ol liar. While working on my PhishAPI framework during… | Phishing | 15 min read
Apr 26, 2020 | Honeysploit: Exploiting the Exploiters | “TrstdXploitz” by “L33terman6000” | I’ve been wanting to perform an experiment for some time now and finally got around to it. I present to you what I think is a unique spin on an old idea, a new type of honeypot. Follow along as I explain the adventure that unfolded, including… | Cybersecurity | 18 min read
Feb 3, 2020 | A Simple Solution to Credential Stuffing | Intro: I previously wrote in another blog last year about the responsibilities companies have to protect their users when it comes to vulnerabilities and not just their own assets. Although not a continuation of that specific topic, I felt compelled to write this post due to the string of recent events… | Cybersecurity | 8 min read
Jan 14, 2020 | 2019 KringleCon Holiday Hack Write-up | My Holiday Hack Challenge Report | Update: I received an Honorable Mention! Thanks SANS! Also, I realized after reading other people’s reports that I completed a few of these objectives in unconventional ways. Specifically, The Holiday Trail, Reverse Engineering Encryption, and the SQLi Student Portal one. See the other amazing reports… | Cybersecurity | 3 min read