Automate finding relational vulnerabilities for a more accurate risk rating Intro Anyone else thinking about pretzel Combos right now? Yeah me neither.. This blog isn’t actually about those (sorry), it’s about vulnerability chaining in Application Security but this concept could apply to Network Security as well. I was asked recently…

Intro I’m so sorry it’s been nearly SEVEN MONTHS since my last blog! A lot has changed in my personal life (burnout, job change, selling ABC books, new baby, coaching youth soccer, pumpkin patch?) and I just haven’t had the time to research or write anything fun in a while. …

Well, its that time of year again and somehow between the crazy Q4 consulting work as a Principal Security Consultant, a new baby on the way, the holidays, and time with my family, I was able to squeak out another annual HHC by SANS. Like always, the team at Counter…

UPDATE: The founder of 1Password responded to this blog after it was posted and explained that the majority of password managers out there leverage Mozilla’s Public Suffix List (PSL) to determine how the domain is to be treated. He looked and saw that Auth0 was not on the list for…

Intro What do you get when you combine Google Images, QR Codes, and Remote Command Execution? This silly project of mine I’d like to share with you all, of course! Building off of my security research from my last couple of blogs, I decided to use my research using dynamic…

Intro On the heels of my last blog when I discovered how to prevent all of my phishing emails from landing on any blacklists, I realized that sometimes Gmail, Microsoft 365, and possibly other email providers will mark an email as suspicious simply because an embedded tracking pixel doesn’t really…

An Effective Technique for Avoiding Blacklists I promised myself I would never do another phishing blog out of respect for the roughly five hundred fifty billion infosec articles already out there on the same subject. It turns out I’m a big ‘ol liar. While working on my PhishAPI framework during…

“TrstdXploitz” by “L33terman6000” I’ve been wanting to perform an experiment for some time now and finally got around to it. I present to you what I think is a unique spin on an old idea, a new type of honeypot. Follow along as I explain the adventure that unfolded, including…

Intro I previously wrote in another blog last year about the responsibilities companies have to protect their users when it comes to vulnerabilities and not just their own assets. Although not a continuation of that specific topic, I felt compelled to write this post due to the string of recent events…