Political sites: Cryptome
Feats: the Robert Morris Internet Worm
Security holes reports: Common Weakness Enumeration, COAST, CERT, CHACS (Center for High Assurance Computer Systems), RISKS, AntiOnline, OpenWall, CVE, CWE, XSSed
Bug bounties: Bugcrowd
FAQ: 2600 FAQ🏚️, Cryptography🏚️
List of scanners
Tools
- nessus
- OSSEC
- Acunetix
- Paros
- Qualys
- Nikto2
- ratproxy: a passive audit tool to detect server security issues
- skipfish: an active audit tool to detect server security issues
- DOM Snitch🏚️: heuristics to find security issues in client-side code
- Burp📡: a Web proxy allowing snooping, replay…(personal notes)
- ZAP
- mkcert: make locally-trusted development certificates
- ProjectDiscovery
PayloadsAllTheThings
Have I been pwned?
PortSwigger’s Web Security Academy
Sécurisation des sites Web et des e-mails
Personal notes
Articles and videos
- How can I get setuid shell scripts to work? by ► Since I’m fed up with explaining to my workmates that setuid scripts are a very bad idea, I now just send them this FAQ.
- IP-spoofing Demystified — (Trust-Relationship Exploitation) by (June 1996) ► This is a short summary of the TCP/IP protocol, how to perform IP spoofing and how to avoid it.
- Perl CGI problems by (September 9th, 1999) ► rfp explains how to break a web server through insecure CGI Perl scripts: embedded nul, unescaped backslash and pipe commands.
- A practical vulnerability analysis by (September 25th, 1999) ► PC Week proposed a challenge: break into their Linux server. This is a description of the winner’s method.
- NT Web Technology Vulnerabilities by (December 25th, 1999) ► In this article, rfp explains some holes in IIS, Cold Fusion and MS SQL server (FYI, there are some problems with the HTML page, it is better to read the source).
- Examining Remote OS Detection using LPD Querying by (February 21st, 2001) ► How to recognise an OS by sending malformed requests to the lpd daemon.
- Detecting Loadable Kernel Modules (LKM) by (April 6th, 2001) ► This paper explains how to detect LKM rootkits.
- Remote Vulnerabilities in Bugzilla by and (April 30th, 2001) ► A typical example of applying the methods described in the previous ’s article.
- The Dangers of Allowing Users to Post Images by (June 13th, 2001) ► Some CGI scripts allowing users to post images do not check the input; this can be used to trigger arbitrary GET requests.
- Search Engines as a Security Threat by , , , and (October 2001) ► Search engines can help to find vulnerable servers or can be used as anonymous proxies.
- RPC without borders (surfing USA ...) by (December 24th, 2001) ► SOAP::Lite is highly insecure: any loaded routine can be remotely called.
- Linux kernel file offset pointer handling by (August 4th, 2004) ► Using a race condition on the file offset management to be able to read kernel memory.
- Cache missing for fun and profit by (2005) ► How to measure the memory access times to analyse cache hits/misses and break a cryptographic key.
- How To Break Web Software - A look at security vulnerabilities in web software by (April 13th, 2006) ► After some general stuff about the Web, Mike describes how the security attacks are evolving and gives some examples of current common security holes: session hijacking, cross-site scripting, HTTP response splitting… He also proposes the STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Escalation of privilege) framework to test Web applications.
- How Cybercriminals Steal Money by (June 19th, 2008) ► After some stats on cybercriminals’ deeds, describes SQL injection, cross-site request forgery (XSRF), and cross-site script inclusion (XSSI) and how to avoid them.
- Bash specially-crafted environment variables code injection attack🚫 by (September 26th, 2014) ► A bad Bash bug: it is possible to inject a command by putting it at the end of a function in an environment variable.
- Detecting and exploiting path-relative stylesheet import (PRSSI) vulnerabilities by (February 17th, 2015) ► Exploiting the fact that some frameworks handle a relative path to CSS files.
- Krack Attacks (WiFi WPA2 Vulnerability) - Computerphile by and (October 18th, 2017) ► A simple explanation of the Key Reinstallation Attack.
- How a Dorm Room Minecraft Scam Brought Down the Internet — A DDoS attack that crippled the internet wasn't the work of a nation-state. It was three college kids working an online gaming hustle.↑ by (December 13th, 2017) ► A non-technical, but detailed, story of the Mirai botnet.
- Unearthing Z͌̈́̾a͊̈́l͊̿g̏̉͆o̾̚̚S̝̬ͅc̬r̯̼͇ͅi̼͖̜̭͔p̲̘̘̹͖t̠͖̟̹͓͇ͅ with visual fuzzing by (March 7th, 2018) ► Playing with combining marks, but there is no security gap to exploit here.
- Data Exfiltration via Formula Injection #Part1 (May 19th, 2018) ► Using HTTP requests to get data from a spreadsheet or from the local filesystem.
- Hackability inspector by (July 6th, 2018) ► A tool to analyse the JavaScript objects of a browser.
- Evading CSP with DOM-based dangling markup by (July 18th, 2018) ► The title says it all.
- Exposing Intranets with reliable Browser-based Port scanning by (November 9th, 2018) ► How to scan ports with Chrome, Firefox, and Edge.
- XS-Searching Google’s bug tracker to find out vulnerable source code — Or how side-channel timing attacks aren’t that impractical by (November 19th, 2018) ► Using timing to extract information from monorail.
- Secure Copy Vulnerability (SCP) - Computerphile by (January 18th, 2019) ► The description of a very old security hole found in scp.
- XSS without parentheses and semi-colons by (May 15th, 2019) ► The title says it all: injecting JavaScript expressions containing no parentheses nor semi-colons.
- Provoking browser quirks with behavioural fuzzing by (May 28th, 2019) ► Using fuzz testing to detect improper handling of some characters in the HTML parser and in the JavaScript parser.
- Bypassing CSP with policy injection by (June 5th, 2019) ► Exploiting the fact that PayPal inserts a GET parameter in their CSP directive to override this one.
- HTTP Desync Attacks: Request Smuggling Reborn by (August 7th, 2019) ► How to exploit the fact that servers of different layers handle invalid HTTP requests differently.
- A look at the Windows 10 exploit Google Zero disclosed this week — This privilege escalation vulnerability has lurked within Windows for 20 years. by (August 15th, 2019) ► A high-level description of the bug in MSCTF.DLL.
- Forum cracks the vintage passwords of Ken Thompson and other Unix pioneers — Security in the early days of Unix was poor. Then, there were the passwords. by (October 10th, 2019) ► Breaking the passwords from a 1980 BSD snapshot.
- DNS Cache Poisoning - Computerphile by (July 22nd, 2020) ► A high-level description of DNS poisoning.
- The First Internet Worm (Morris Worm) - Computerphile by (October 30th, 2020) ► Yet another telling of the Robert Morris Internet Worm, but this one does not go in the details.
- The Internet’s Most Notorious Botnet Has an Alarming New Trick — The hackers behind TrickBot have begun probing victim PCs for vulnerable firmware, which would let them persist on devices undetected. by (December 3rd, 2020) ► The bot is checking if the UEFI is vulnerable.
- OpenSSL fixes high-severity flaw that allows hackers to crash servers — The widely used code library is also purged of a certificate verification bypass. by (March 25th, 2021) ► Two bugs are fixed: a null pointer dereference and some conditions allowing to bypass the certificate verification.
- 5 ways to prevent code injection in JavaScript and Node.js by (April 5th, 2021) ► Some basic information about code injection in JavaScript and an advertisement for Snyk.
- Affaire Pegasus : comment des téléphones ont-ils pu être contaminés sans action de leur propriétaire ? by and (August 9th, 2021) ► Some information about how Pegasus works.
- SolarWinds and the Holiday Bear Campaign: A Case Study for the Classroom by (August 25th, 2021) ► An overview of how Russia’s SVR performed the SolarWinds attack.
- Hacking et virus informatiques (dans le monde réel) bonus: Corewar! - Passe-science #43 by (November 5th, 2021) ► An introduction to buffer overflows and viruses.
- The Invisible JavaScript Backdoor by (November 9th, 2021) ► Using invisible characters or homoglyphs to hide code instructions in JavaScript code.
- How $323M in crypto was stolen from a blockchain bridge called Wormhole — Cryptocurrency carries risk. Blockchain bridges heighten it. by (February 4th, 2022) ► The title says it all.
- Attackers can force Amazon Echos to hack themselves with self-issued commands — Popular “smart” device follows commands issued by its own speaker. What could go wrong? by (March 6th, 2022) ► The title says it all.
- Linux has been bitten by its most high-severity vulnerability in years — Dirty Pipe has the potential to smudge people using Linux and Linux derivitives. by (March 8th, 2022) ► A description of Dirty Pipe: an uninitialised variable allows an attacker to overwrite a file cached in memory.
- First Microsoft, then Okta: New ransomware gang posts data from both — If you haven't heard of Lapsus$, you have now. It probably won't be the last time. by (March 22nd, 2022) ► Lapsus$, a new hacker group, claims to have hacked into Okta and Microsoft.
- A Mysterious Satellite Hack Has Victims Far Beyond Ukraine — The biggest hack since Russia’s war began knocked thousands of people offline. The spillover extends deep into Europe. by (March 23rd, 2022) ► An attack destroyed thousands of Viasat satellite modems.
- ↪Mystery solved in destructive attack that knocked out >10k Viasat modems — AcidRain is the seventh wiper associated with the Russian invasion of Ukraine. by (March 31st, 2022) ► SentinelOne analysed the modem wiper.
- North Korean hackers unleashed Chrome 0-day exploit on hundreds of US targets — Critical vulnerability exploited by 2 groups both working for the North Korean government. by (March 24th, 2022) ► The description of a complex attack using social engineering to trick recipients into visiting legitimate sites containing a malicious iframe.
- Russia's Sandworm Hackers Attempted a Third Blackout in Ukraine — The attack was the first in five years to use Sandworm's Industroyer malware, which is designed to automatically trigger power disruptions. by (April 12th, 2022) ► The title says it all.
- Hackers can infect >100 Lenovo models with unremovable malware. Are you patched? — Exploiting critical UEFI vulnerabilities could allow malware to hide in firmware. by (April 19th, 2022) ► The title says it all.
- Backdoor in public repository used new form of attack to target big firms — Dependency confusion attacks exploit our trust in public code repositories. by (May 12th, 2022) ► A description of dependency confusion.
- “PACMAN” Hack Breaks Apple M1’s Last Line of Defense — How many dominos could fall if this centerpiece CPU’s weakness pans out? by (June 10th, 2022) ► A side channel attack has been found to bypass Apple’s Pointer Authentication Code.
- Hardcoded password in Confluence app has been leaked on Twitter — Advisory had already warned hardcoded password was "trivial to obtain." by (July 22nd, 2022) ► Atlassian is quite bad at security.
- Critical hole in Atlassian Bitbucket allows any miscreant to hijack servers — Grab and deploy this backend update if you offer even repo read access by (August 29th, 2022) ► Atlassian continues to have big security issues.
- Une "arnaque à l'avis de passage" profite d'une faille informatique de La Poste — La ville de Montpellier semble touchée par une campagne d'escroqueries. Des habitants ont reçu de faux avis de passage de La Poste redirigeant vers un site demandant leurs coordonnées bancaires. by (August 30th, 2022) ► Phishing using a fake paper notice and a bug of La Poste.
- Numerous orgs hacked after installing weaponized open source apps — PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording all targeted. by (September 30th, 2022) ► North Korean hackers are using social engineering and Trojanized software.
- Mystery hackers are “hyperjacking” targets for insidious spying — After decades of warnings, group figured out how to hijack virtualization software. by (September 30th, 2022) ► The title says it all.
- USENIX Security '22 - Lend Me Your Ear: Passive Remote Physical Side Channels on PCs by (October 27th, 2022) ► Extracting data by using the fact that the CPU interferes with the audio when using Voice-over-IP applications.
- First LastPass, now Slack and CircleCI. The hacks go on (and will likely worsen) — Don't expect victims to be forthcoming. Their alerts conceal more than they reveal. by (January 6th, 2023) ► The title says it all.
- What Twitter’s 200 Million-User Email Leak Actually Means — The exposure of hundreds of millions of email addresses puts pseudonymous users of the social network at risk. by (January 6th, 2023) ► The impact of the email scraping of 2021.
- More malicious packages posted to online repository. This time it’s PyPI — It's not always easy to spot malicious impostors posing as legit downloads. by (January 17th, 2023) ► The title says it all.
- How This SQL Command Blew Up a Billion Dollar Company by (March 13th, 2023) ► A hypothetical scenario on how Heartland Payment Systems was hacked in 2007.
- Acropalypse Now - Computerphile by and (March 28th, 2023) ► It was possible to recover pixels cropped out of an Android screenshot.
- Capital One's $200M Cloud Data Breach by (April 13th, 2023) ► Capital One’s data breach in AWS by a former AWS software engineer.
- Those scary warnings of juice jacking in airports and hotels? They’re mostly nonsense — Juice jacking attacks on mobile phones are nonexistent. So why are we so afraid? by (May 1st, 2023) ► A list of possible attacks using a USB connection, but they are too complex to be widely used in a public charging station.
- LogJam Attack - Computerphile by (May 3rd, 2023) ► A description of the LogJam vulnerability.
- Power LED Attack - Computerphile by (June 29th, 2023) ► A side channel attack using the fact that the LED light level is impacted when the CPU computes more data.
- Closing vulnerabilities in Decidim, a Ruby-based citizen participation platform — This blog post describes two security vulnerabilities in Decidim, a digital platform for citizen participation. Both vulnerabilities were addressed by the Decidim team with corresponding update releases for the supported versions in May 2023. by (July 28th, 2023) ► A description of two vulnerabilities: an XSS and a data exfiltration.
- Hackers Could Have Scored Unlimited Airline Miles by Targeting One Platform — Flaws in the Points.com platform, which is used to manage dozens of major travel rewards programs, exposed user data—and could have let an attacker snag some extra perks. by (August 3rd, 2023) ► The subtitle says it all.
- How Not To Secure Your Company (Target Data Breach) by (September 4th, 2023) ► The Target Data Breach, from compromising a third-party vendor up to infecting Target’s POS systems.
- TETRA Vulnerability (TETRA:BURST) - Computerphile by (September 14th, 2023) ► TETRA, a proprietary encryption mechanism for police radio communication, is broken.
- Microsoft menace la sécurité nationale by (September 25th, 2023) ► Some little information about Microsoft hack and, as usual with , a long discourse about the importance of cybersecurity.
- GPUs from all major suppliers are vulnerable to new pixel-stealing attack — A previously unknown compression side channel in GPUs can expose images thought to be private. by (September 26th, 2023) ► A basic presentation of GPU.zip, a GPU side channel attack.
- Intel fixes high-severity CPU bug that causes “very strange behavior” — Among other things, bug allows code running inside a VM to crash hypervisors. by (November 14th, 2023) ► The subtitle says it all.
- Researchers figure out how to bypass the fingerprint readers in most Windows PCs — Microsoft's Surface didn't even use the Microsoft-developed security protocol. by (November 27th, 2023) ► Security researchers were able, using different ways, to bypass the fingerprint sensors on several laptops.
- Securing our home labs: Frigate code review — This blog post describes two linked vulnerabilities found in Frigate, an AI-powered security camera manager, that could have enabled an attacker to silently gain remote code execution. by and (December 13th, 2023) ► Hacking a poorly secured Python application.
- Playing with Fire – How We Executed a Critical Supply Chain Attack on PyTorch by (January 11th, 2024) ► Using self-hosted runners to get access to some secrets.
- A Flaw in Millions of Apple, AMD, and Qualcomm GPUs Could Expose AI Data — Patching every device affected by the LeftoverLocals vulnerability—which includes some iPhones, iPads, and Macs—may prove difficult. by and (January 16th, 2024) ► LeftoverLocals: a vulnerability that allows data recovery from GPU memory created by another process.
- MAJOR EXPLOIT: GitLab was Hacked with an IMAGE?? by (January 19th, 2024) ► Exploiting a wrong regex in a Perl script.
- How I got scammed by (February 5th, 2024) ► How you can get phished even when you know about security.
- Hackers can read private AI-assistant chats even though they’re encrypted — All non-Google chat GPTs affected by side channel that leaks responses sent to users. by (March 14th, 2024) ► Using token lengths to rebuild the chatbot answers.
- Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds — The company behind the Saflok-brand door locks is offering a fix, but it may take months or years to reach some hotels. by (March 21st, 2024) ► A team of hackers is able to reconfigure and open Dormakaba’s locks.
- Back to the Hype: An Update on How Cybercriminals Are Using GenAI — Generative AI continues to be misused and abused by malicious individuals. In this article, we dive into new criminal LLMs, criminal services with ChatGPT-like capabilities, and deepfakes being offered on criminal sites. by and (May 8th, 2024) ► It seems that criminals are not yet utilising the capabilities of AI. But some are bullshitting other ones, as in other economic domains.
- GhostStripe attack haunts self-driving cars by making them ignore road signs — Cameras tested are specced for Baidu's Apollo by and (May 10th, 2024) ► Yet another attack on self-driving cars.
- Polyfill supply chain attack hits 100K+ sites by (June 25th, 2024) ► cdn.polyfill.io injects malware in sites using it to get polyfill.js.
- ‘Sinkclose’ Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections — Researchers warn that a bug in AMD’s chips would allow attackers to root into some of the most privileged portions of a computer—and that it has persisted in the company’s processors for decades. by (August 9th, 2024) ► Two white hats found a security hole in AMD processors by reading the documentation.
- Exposing The Flaw In Our Phone System by , , and (September 22nd, 2024) ► Why SS7 is vulnerable to hacking.
- Two never-before-seen tools, from same group, infect air-gapped devices — It's hard enough creating one air-gap-jumping tool. GoldenJackal did it 2x in 5 years. by (October 9th, 2024) ► The title says it all.
- How to Lose a Fortune with Just One Bad Click by (December 18th, 2024) ► How scammers use social engineering and some tricks with Google to get access to someone’s Google account and steal their cryptocurrencies.
- major vulnerability found in rsync (does it matter?) by (January 17th, 2025) ► A technical explanation of some of the CVEs found in rsync.
- Large enterprises scramble after supply-chain attack spills their secrets — tj-actions/changed-files corrupted to run credential-stealing memory scraper. by (March 17th, 2025) ► Yet another supply chain attack. This one via GitHub Actions.
- How Hackers Steal Passwords: 5 Attack Methods Explained by (April 24th, 2025) ► The title says it all.
- Drag and Pwnd: Leverage ASCII characters to exploit VS Code by (April 30th, 2025) ► Exploiting SOH, STX, ETX, and EOT in filenames to execute shell commands in node-pty, hence VS Code.
- What Is Quishing? How Hackers Use QR Codes to Steal Your Data by (June 2nd, 2025) ► Some basic security advice about QR code usage.
SQL injection
- SQL Injection Attacks by Example by (October 10th, 2007) ► A basic, detailed, and slow description of a SQL injection attack.
- Bobby Tables by (December 3rd, 2017) ► SQL is too dangerous; it should not be used anymore.
Buffer overflows and similar tricks
- Smashing The Stack For Fun And Profit⇈ (⧉) by (November 1996) ► A very well-known article: describes what a buffer overflow is and how to exploit it.
- Ping of Death by (January 22nd, 1997) ► At the beginning of the Internet explosion, there were some major security issues: you could simply crash a machine by sending an illegal IP packet…
- TAKING ADVANTAGE OF NON-TERMINATED ADJACENT MEMORY SPACES by (May 1st, 2000) ► A small variation of the buffer overflow by using contiguous buffers.
- Bypassing StackGuard and StackShield by and (May 1st, 2000) ► Some new overflow techniques: overwriting the return address despite the presence of a canary, patching the atexit table and patching the global offset table.
- Smashing C++ VPTRs by (May 1st, 2000) ► Yet another buffer overflow technique: overwriting the VPTR table.
- SHARED LIBRARY CALL REDIRECTION VIA ELF PLT INFECTION by (May 1st, 2000) ► Silvio describes how to hijack the procedure linkage table (this is done by patching the executable).
- Remotely Exploitable Buffer Overflow in Outlook "Malformed E-mail MIME Header" Vulnerability by (July 19th, 2000) ► A nice buffer overflow in Outlook: no need to open an attachment or even to read the mail, you could be infected by a virus… An exploit is provided.
- JPEG COM Marker Processing Vulnerability in Netscape Browsers by (July 25th, 2000) ► A nice way to make Netscape execute code recorded in a JPEG file!
- Netscape SmartDownload Overflow🚫 by (April 13th, 2001) ► A buffer overflow in SmartDownload, no exploit provided.
- Once upon a free()... (August 11th, 2001) ► A description of the System V and GNU C malloc implementations with some ways to generate and exploit overflows in the heap.
- Vudo - An object superstitiously believed to embody magical powers⇈ by (August 11th, 2001) ► An impressive description of the sudo exploit (which uses a corruption of the heap) with a detailed analysis of Doug Lea’s malloc library.
- The advanced return-into-lib(c) exploits: PaX case study by (August 11th, 2001) ► How to circumvent OSes with a non executable stack by calling functions in the loaded shared libraries.
- No SIGSEGV anymore (December 24th, 2001) ► An idea still to be exploited, preloading a SIGSEGV event handler to redirect the program execution.
- Writing UTF-8 compatible shellcodes by (July 13th, 2004) ► A description of the conditions necessary to create a shellcode which is a valid UTF-8 string and some tricks to fulfil them.
Format string
- More info on format bugs.⇈ (⧉) by (July 18th, 2000) ► How to exploit format string bugs to examine the stack and execute a root shell.
- Write It Secure: Format Strings and Locale Filtering by (December 2000) ► A non-technical overview of format string exploit and locale hijacks.
Integer overflows
- Basic Integer Overflow by (December 2002) ► A basic, yet effective, introduction to integer overflow/wrap around exploits.
- Smashing The Kernel Stack For Fun And Profit by (December 2002) ► An exploit for the select() OpenBSD signed/unsigned vulnerability.
Cross-site scripting
- Cross Site Scripting Info: Encoding Examples ► Same thing from the Apache group.
- Understanding Malicious Content Mitigation for Web Developers (February 2nd, 2000) ► Some advice to avoid cross-site scripting. But the problem is so complex that this is just an overview.
- CERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests (February 3rd, 2000) ► This CERT Advisory is a basic presentation of the cross-site scripting vulnerability.
- Cross-site scripting — Use a custom tag library to encode dynamic content🗑️ by (September 2002) ► After a quick presentation of some types of cross-site scripting attacks, the author describes how to easily avoid them in JSP by using a private tag.
Cross-site request forgery
- Prevent cross-site request forgery: Know the hidden danger in your browser tabs — Learn to prevent cross-site request forgery or your clients might do a hacker's bidding without knowing it🗑️ by (March 25th, 2014) ► The title says it all.
Race conditions
- Secure programmer: Prevent race conditions — Resource contention can be used against you by (October 7th, 2004) ► Some advice on avoiding race condition attacks when using files.
Signals
- Delivering Signals for Fun and Profit — Understanding, exploiting and preventing signal-handling related vulnerabilities. by (May 28th, 2001) ► Signal handlers are difficult to write correctly, so many of them can be exploited as security holes.
Phishing
- A Real Remedy for Phishers by (October 6th, 2005) ► Bruce’s opinion is that a company should be considered responsible when one of its customers is a victim of phishing.
- Two Things That Bother Me About Google's New Firefox Extension🗑️ by (December 15th, 2005) ► Google’s Firefox extension to flag phishing uses unencrypted HTTP requests; this may be a problem.
- Identifying Suspicious URLs: An Application of Large-Scale Online Learning by (May 5th, 2010) ► A study of several algorithms to automatically classify phishing vs. benign URLs.
- Devious New Phishing Tactic Targets Tabs by (May 24th, 2010) ► A description of a new kind of phishing attack: tabnabbing, where a hidden tab morphs into a phishing page to trap the inattentive user.
Web bugs
- Microsoft Word Documents that "Phone Home"🚫 by (August 30th, 2000) ► A clever way to use Web bugs: embed them in an Office document!
- Email Wiretapping🚫 by (February 5th, 2001) ► Even more clever: use Web bugs to trace the forwarding of, and the text added to, an email you have sent.
Denial of Service
- Denial of Service via Algorithmic Complexity Attacks by and (2003) ► A DoS based on finding the worst case of use of a hash table; the authors propose their own version of universal hashing to fix the issue.
- Protect your Apache server from DoS attacks↓🗑️ by (August 12th, 2003) ► Some information on Apache and DoS attacks, but this article is not very clear and informative.
- About that hash flooding vulnerability in Node.js… by (August 11th, 2017) ► Yet another DoS attack by flooding a hash table. The V8 team had trouble getting a proper fix.
MD5 attacks
- Hash Collisions (The Poisoned Message Attack) — "The Story of Alice and her Boss" by and (June 15th, 2005) ► The authors have created two PostScript files with the same MD5 checksum.
- Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes🚫 by (September 10th, 2007) ► Storing passwords as a simple MD5 checksum is a bad idea; Thomas suggests some better methods.
- Google as a password cracker by (November 16th, 2007) ► Using Google to break a MD5 checksum.
- Predicting the winner of the 2008 US Presidential Elections using a Sony PlayStation 3 by , , and (November 30th, 2007) ► "3D5 15 DEAD": the authors have created 12 meaningful PDF files with the same MD5 checksum.
SHA-1 attacks
- Cryptanalysis of SHA-1 by (February 18th, 2005) ► A Chinese team has been able to divide the search space by 2^11. SHA-1’s future starts to look like MD5’s future.
Ajax
- Ajax Security Dangers by (2006) ► Yet another white paper on AJAX security. The only interest here is that it describes possible issues with AJAX bridging.
- Ajax Security Basics by and (June 22nd, 2006) ► Some generalities about AJAX security and the difficulty to test it.
- Top 10 Ajax Security Holes and Driving Factors by (November 10th, 2006) ► This is not a list of possible attacks, just random thoughts about where a malicious script could be injected.
- Mashup security — Technologies and techniques for securing UI artifacts and data in a mashup🗑️ by (August 4th, 2009) ► A list of security issues when building mashups, but the description is too terse to be really useful.
Clickjacking
- Clickjacking🚫 by and (September 12th, 2008) ► A presentation of the attack and possible ways to exploit it.
- This Week in HTML 5 – Episode 7 by (September 29th, 2008) ► The WHATWG and W3C HTML Working Group is starting to look at solutions to avoid clickjacking.
- Clickjacking: Web pages can see and hear you by (October 7th, 2008) ► A demonstration of clickjacking to get access to the camera and snoop the victim.
Java
- Java Deployment Toolkit Performs Insufficient Validation of Parameters by (April 9th, 2010) ► Java Deployment Toolkit plugin allows launching javaws without any checks.
Using Google
- Google Your Site For Security Vulnerabilities🗑️ by (October 7th, 2004) ► Using Google to find security holes on Web servers.
- Bulletproof your organization against Google hacking: Assess your vulnerability to these ten simple security searches🚫 by , , and (December 2004) ► A longer description of the same techniques.
Spectre, Meltdown and MDS
- L'attaque SPECTRE🚫 by (January 4th, 2018) ► A very basic, but clear, description of the problem.
- L'attaque MELTDOWN↓🚫 by (January 5th, 2018) ► The same for Meltdown. The author should have merged the two articles since they contain mostly the same words!
- Spectre & Meltdown - Computerphile by (January 5th, 2018) ► A simple explanation of the Spectre attack.
- Why Raspberry Pi isn’t vulnerable to Spectre or Meltdown by (January 5th, 2018) ► A basic and clear explanation of CPU optimisations and how Meltdown and Spectre exploit them.
- Meltdown Redux: Intel Flaw Lets Hackers Siphon Secrets from Millions of PCs — Two different groups of researchers found another speculative execution attack that can steal all the data a CPU touches. by (May 14th, 2019) ► Other security attacks related to the speculative execution have been found in Intel’s CPUs.
Zip Slip
- Zip Slip Vulnerability (June 5th, 2018) ► A simple exploit of the fact that the code does not check that files extracted from a Zip file are not written in another directory.
Port Smash
- What's Behind Port Smash? - Computerphile by (November 13th, 2018) ► A basic description of hyperthreading and how Port Smash works.
CSS timing
- A timing attack with CSS selectors and Javascript by (October 6th, 2018) ► Timing CSS evaluation time of a page using jQuery(location.hash) to extract some information from the page.
- Abusing jQuery for CSS powered timing attacks by (May 22nd, 2019) ► The details of using the attack on redhat.com.
Symbolic links
- Hacking Websites by Uploading files (With symlinks) by (October 15th, 2023) ► How to access any file on the server by uploading a symbolic link and performing a directory traversal.
log4j
- Patch fixing critical Log4J 0-day has its own vulnerability that’s under exploit — If you've patched using Log4J 2.15.0, it's time to consider updating again. Stat. by (December 15th, 2021) ► The first fix of log4j was not complete…
- Log4J & JNDI Exploit: Why So Bad? - Computerphile by and (December 22nd, 2021) ► A description of the log4j exploits and some thoughts on popular open-source libraries.
- Log4j : une autre vulnérabilité corrigée par Apache — Plus d'une semaine après la publication de la mise à jour 2.17 de la bibliothèque de journalisation Log4j d'Apache Logging, une faille CVE-2021-44832 l'affectant est comblée. La montée de version vers la 2.17.1 est à effectuer dès que possible. by (December 29th, 2021) ► The saga continues…
- Log4Shell Still Has Sting in the Tail — The cyber-vulnerability mounts a quiet comeback as organizations grow complacent by (December 28th, 2022) ► Some companies have reintroduced the security hole by installing vulnerable software.
Spring4Shell
- Patch now: RCE Spring4shell hits Java Spring framework — You didn't have any plans for the weekend anyway, did you? by (April 1st, 2022) ► A Remote Code Execution vulnerability in Spring.
- Explaining Spring4Shell: The Internet security disaster that wasn’t — Vulnerability in the Spring Java Framework is important, but it's no Log4Shell. by (April 2nd, 2022) ► The title says it all.
Psychic Paper
- Major cryptography blunder in Java enables “psychic paper” forgeries — A failure to sanity check signatures for division-by-zero flaws makes forgeries easy. by (April 20th, 2022) ► A major bug introduced in Java 15 causes invalid ECDSA signatures to be accepted as valid.
- Psychic Signatures (Java Vulnerability) - Computerphile by (April 23rd, 2022) ► A basic description of the bug.
XZ Backdoor
- What we know about the xz Utils backdoor that almost infected the world — Malicious updates made to a ubiquitous tool were a few weeks away from going mainstream. by (April 1st, 2024) ► The title says it all.
- Discovering the XZ Backdoor with Andres Freund↑ (⧉) by , , and (April 8th, 2024) ► Andres Freund explains how he noticed the anomaly and tracked down the backdoor.
Hallucinated package names
- LLMs can't stop making up software dependencies and sabotaging everything — Hallucinated package names fuel 'slopsquatting' by (April 12th, 2025) ► Attackers register malicious packages under names hallucinated by LLMs.
- AI-generated code could be a disaster for the software supply chain. Here’s why. — LLM-produced code could make us much more vulnerable to supply-chain attacks. by (April 29th, 2025) ► The same subject, but with more information.
Stuxnet
- The Real Story of Stuxnet — How Kaspersky Lab tracked down the malware that stymied Iran’s nuclear-fuel enrichment program by (February 26th, 2013) ► The story of Stuxnet.
Bug bounty
- Google will now pay up to $30,000 for reporting a Chrome bug — You can earn bigger bucks by becoming a digital bounty hunter. by and (July 18th, 2019) ► Some information about the improved rewards of Google’s bug bounty program.
- Finding your first bug: bounty hunting tips from the Burp Suite community by (August 26th, 2020) ► Some advice for starting bug bounty hunting.
- Burp Suite tips from power user and "hackfluencer" Stök by (September 29th, 2020) ► How Stök discovered Burp and his advice on using it.
Tool
Burp
- Introducing Burp Infiltrator by (July 26th, 2016) ► A short description of Burp Infiltrator, a tool that instruments an application so that Burp Scanner can detect when it controls parameters passed to unsafe APIs.
- Behind enemy lines: bug hunting with Burp Infiltrator by (June 22nd, 2017) ► An example of using Burp Infiltrator.
- OAST (Out-of-band Application Security Testing) by (July 14th, 2017) ► This article is more of an advertisement; there is little technical content.
- Cracking the lens: targeting HTTP's hidden attack-surface↑ by (July 27th, 2017) ► Attacking components of the infrastructure other than the web server: reverse proxies, analytics servers, cache servers…
- How I accidentally framed myself for a hacking frenzy by (August 21st, 2017) ► It is not a good idea to release a Burp extension referencing one of your servers.
- Adapting Burp extensions for tailored pentesting by (August 23rd, 2017) ► How to get the code of an extension, build it, modify it and, possibly, propose your change.
- When security features collide by (October 6th, 2017) ► Using Cloudflare’s email protection to bypass the browser XSS filter.
- Your recipe for BApp Store success by (January 17th, 2018) ► Some rules to be respected by extension creators.
- Bypassing WAFs and cracking XOR with Hackvertor by (October 9th, 2018) ► The author describes Hackvertor, a Burp extension he created to easily manage text transformations (base64 encoding, hex encoding, rot, xor…).
- Turbo Intruder: Embracing the billion-request attack by (January 25th, 2019) ► Turbo Intruder is an extension designed for very fast request generation and response analysis.
- Burp for Beginners: How to Use Intruder by (July 4th, 2020) ► A presentation of Intruder’s features.
- How to resend individual requests with Burp Repeater (July 28th, 2020) ► A description of Burp Repeater.
- A guide to the Burp Suite user interface (August 13th, 2020) ► A short overview of Burp.
- Web Security Academy - your questions answered by (December 3rd, 2020) ► A FAQ about PortSwigger’s Web Security Academy.
- Burp Suite roadmap for 2021 by (January 25th, 2021) ► A list of the latest and the future features of Burp Suite Enterprise Edition, Burp Suite Professional, and Burp Scanner.
- Improved CI/CD integrations in Burp Suite Enterprise Edition by (March 23rd, 2021) ► The title says it all.
- Introducing Bambdas by (November 14th, 2023) ► Requests can now be filtered using your own filter written in Java.
- Introducing DAST scanning in the Cloud, with Burp Suite Enterprise Edition — We’re excited to announce that Burp Suite Enterprise Edition is now available in PortSwigger’s secure cloud. You can now free up testing time with scalable, automated DAST scanning, without the burden of maintaining infrastructure. by (April 18th, 2024) ► The title says it all.
- Shadow Repeater: AI-enhanced manual testing by (February 20th, 2025) ► Shadow Repeater is an extension that uses AI to generate further variations of a request once you have already created some yourself in Repeater.
ZAP
- ZAP in Ten - The Interface by ► An introduction to ZAP UI.
- ZAP Chat 01 Introduction by (September 15th, 2023) ► An introduction to the series.
- ZAP Chat 02 Authentication Tester by and (September 15th, 2023) ► A presentation of Authentication Tester, a much simpler way to configure automated login to the system under test (SUT).
Acunetix
- Acunetix Premium Demo (September 15th, 2020) ► A marketing presentation of Acunetix.
Advice
- The Ultra-Secure Network Architecture🚫 by ► The title says it all.
- Create effective passwords — Strategies for computer-based systems🗑️ by (September 1st, 2002) ► How to avoid bad passwords.
- Love and Authentication -- Addressing the problem of password reset by (August 12th, 2008) ► After describing the issues with current password resetting mechanisms, Markus Jakobsson proposes a new technique based on user preferences.
- Prevent cross-site scripting attacks by encoding HTML responses🗑️ by (July 30th, 2013) ► A basic description of XSS and how to avoid it.
- Attacking Web Applications - Sasha Goldshtein by (October 9th, 2013) ► A good presentation of the most common Web security holes: SQL/OS injection, HTTPS, CSRF, XSS…
- Security 101: An introduction to software security - Allen Holub by (October 9th, 2013) ► Some very basic generalities on security.
- 5 developer tools for detecting and fixing security vulnerabilities by (May 12th, 2021) ► A too-brief description of Dependabot, Renovate, Snyk, GitGuardian, and Webhint.
System administration
Know Your Enemy
- Know Your Enemy by (May 23rd, 1999) ► Lance describes the methodology used by Script Kiddies (a.k.a. crackers) to scan networks and find vulnerable systems.
- ↪Know Your Enemy: II by (May 23rd, 1999) ► This second part explains how to secure system logs, search them for scanning patterns and find out which tools the Script Kiddy used.
- ↪Know Your Enemy: III by (May 23rd, 1999) ► This last part describes the typical Script Kiddy activity once they have broken into a system: checking that they are alone, clearing log files, installing a backdoor…
- ↪Know Your Enemy: A Forensic Analysis by (May 23rd, 2000) ► Lance restarts the "Know Your Enemy" series; he describes how a Script Kiddy broke into a Red Hat 6.0 box.
- ↪Know Your Enemy: Motives by (June 27th, 1999) ► Yet another break-in (this time into a Solaris 2.6 box); it is very similar to the previous one, but this time Lance reports some of the crackers’ IRC logs.
- ↪Know Your Enemy - Worms at War by (November 9th, 2000) ► Some Windows 98 worms created by guys wanting to win a distributed.net challenge.
- How To Eliminate The Ten Most Critical Internet Security Threats by (June 1st, 2000) ► This list (which is regularly updated) describes the most common holes used to break into a computer. It is a must-read if you are a system administrator.
- Introduction to Ngrep by (2002) ► A quick presentation of ngrep: a tool to grep network packets.
- A Buffer Overflow Study Attacks & Defenses (⧉) by and (March 2002) ► The current status of some buffer overflows (with a presentation of their mechanisms) and some Linux patches to avoid them.
- 10 common network security design flaws🗑️ by (October 23rd, 2009) ► Some short basic pieces of advice for designing a network.
Coding
- A Lab engineers check list for writing secure Unix code (⧉) by and (May 23rd, 1996) ► Yet another list of dos and don’ts for writing secure programs.
- How to find security holes by (February 26th, 1999) ► As confessed by the author, this document is badly structured. But the ideas presented here are a good introduction to some security issues, so this paper is worth reading.
- Source Code Review Guidelines by (September 11th, 1999) ► This is the code review process used by Acme Widgets aimed at ensuring security compliance.
- Input Validation in C and C++🗑️ by and (June 20th, 2003) ► The usual advice for string manipulation: use strlcpy and strlcat, use a string library…
- Secure Cooking with C and C++ — Recipe 3.1: Understanding Basic Data Validation🗑️ by and (July 22nd, 2003) ► Some rules to validate input data: perform validation at input and component levels, prefer whitelisting to blacklisting, take care with quotes…
- ↪Secure Cooking with C and C++, Part 2 — Recipe 3.8: Evaluating URL Encodings🗑️ by and (July 29th, 2003) ► How to encode and decode URLs.
- ↪Secure Cooking with C and C++, Part 3 — Recipe 3.9: Validating Email Addresses🗑️ by and (August 5th, 2003) ► The authors propose a routine to validate an email address.
- Secure programmer: Validating input — Best practices for accepting user data🗑️ by (October 23rd, 2003) ► Yet another overview of input validation. This one gives a good overview of the problem (filename, locale, UTF8, email, cross-site scripting, URL…).
- The Lazy Programmer's Guide to Secure Computing by (March 11th, 2010) ► An introduction to the Principle Of Least Authority (POLA).
Non computer hacking
- Traffic Lights by (December 2002) ► Wanna hack traffic lights in South Africa?
- Automated Denial-of-Service Attack Using the U.S. Post Office by (April 15th, 2003) ► The Slashdot effect: a spammer gets flooded by junk mail… This is a real DoS attack, but in meatspace instead of cyberspace as usual.
- Hacking the hotel through the TV by (July 31st, 2005) ► Or you may prefer playing with the hotel TV?
- FREE MEAL AT MC'DONALD'S (REMI GAILLARD) 🍟 by (September 19th, 2007) ► How to have a free lunch at a McDrive.
- The Hustlers Who Make $6,000 a Month by Gaming Citi Bikes — The bike-sharing program rewards users who help redistribute bikes around New York City. A few riders have figured out how to turn that into profit. by (September 19th, 2024) ► How to earn money by moving Lyft’s bikes.
- Scam Alert: Pig Butchering, Recruitment Scams & More! by (November 25th, 2024) ► The 101 of Pig Butchering. I wonder why IBM produces such basic videos.