Hacking

Hacker sites: PHRACK, The Cult Of The Dead Cow, 2600, interhack, attrition.org🏚️
Political sites: Cryptome
Feats: the Robert Morris Internet Worm
Security holes reports: Common Weakness Enumeration, COAST, CERT, CHACS (Center for High Assurance Computer Systems), RISKS, AntiOnline, OpenWall, CVE, CWE, XSSed
Bug bounties: Bugcrowd
FAQ: 2600 FAQ🏚️, Cryptography🏚️
List of scanners

Tools

nessus
OSSEC
Acunetix
Paros
Qualys
Nikto2
ratproxy: a passive audit tool to detect server security issues
skipfish: an active audit tool to detect server security issues
DOM Snitch🏚️: heuristics to find security issues in client-side code
Burp 📡: a Web proxy allowing snooping, replay…(personal notes)
ZAP
- ZAP Chat Videos
- ZAP in Ten
mkcert: make locally-trusted development certificates
ProjectDiscovery

PayloadsAllTheThings
Have I been pwned?
PortSwigger’s Web Security Academy
Sécurisation des sites Web et des e-mails
Personal notes

Articles and videos

How can I get setuid shell scripts to work? by Maarten Litmaath ► Since I’m fed up to explain my workmates that setuid scripts are a very bad idea, I now just send them this FAQ.
IP-spoofing Demystified — (Trust-Relationship Exploitation) by "daemon9" (June 1996) ► This is a short summary of the TCP/IP protocol, how to perform IP spoofing and how to avoid it.
Perl CGI problems by "rain.forest.puppy" (9 September 1999) ► rfp explains how to break a web server because of insecure CGI Perl scripts: embedded nul, unescaped backslash and pipes commands.
A practical vulnerability analysis by "jfs" (25 September 1999) ► PC Week proposed a challenge: break into their Linux server. This is a description of the winner method.
NT Web Technology Vulnerabilities by "rain.forest.puppy" (25 December 1999) ► In this article, rfp explains some holes in IIS, Cold Fusion and MS SQL server (FYI, there are some problems with the HTML page, it is better to read the source).
Examining Remote OS Detection using LPD Querying by "f0bic" (21 February 2001) ► How to recognise an OS by sending malformed request to the lpd daemon.
Detecting Loadable Kernel Modules (LKM) by Toby Miller (6 April 2001) ► This paper explains how to detect LKM rootkits.
Remote Vulnerabilities in Bugzilla by Dave Aitel and Andrew Danforth (30 April 2001) ► A typical example of applying the methods described in the previous "rain.forest.puppy"’s article.
The Dangers of Allowing Users to Post Images by John Percival (13 June 2001) ► Some CGI scripts allowing user to post images to not check the input, this can be used to execute some GET methods.
Search Engines as a Security Threat by Julio César Hernández, José María Sierra, Arturo Ribagorda, and Benjamín Ramos (October 2001) ► Search engines can help to find vulnerable servers or can be used as anonymous proxies.
RPC without borders (surfing USA ...) by "stealth" (24 December 2001) ► SOAP::Lite is highly insecure: any loaded routine can be remotely called.
Linux kernel file offset pointer handling by Paul Starzetz (4 August 2004) ► Using a race condition on the file offset management to be able to read kernel memory.
Cache missing for fun and profit by Colin Percival (2005) ► How to measure the memory access times to analyse cache hits/misses and break a cryptographic key.
How To Break Web Software - A look at security vulnerabilities in web software by Mike Andrews (13 April 2006) ► After some general stuff about the Web, Mike describes how the security attacks are evolving and gives some examples of current common security holes: session hijacking, cross-site scripting, HTTP response splitting… He also proposes the STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Escalation of privilege) framework to test Web applications.
How Cybercriminals Steal Money by Neil Daswani (19 June 2008) ► After some stats on cybercriminals deeds, Neil Daswani describes SQL injection, cross-site request forgery (XSRF), and cross-site script inclusion (XSSI) and how to avoid them.
Bash specially-crafted environment variables code injection attack🚫 by Huzaifa Sidhpurwala (26 September 2014) ► A bad Bash bug: it is possible to inject a command by putting it at the end of a function in an environment variable.
Detecting and exploiting path-relative stylesheet import (PRSSI) vulnerabilities by James Kettle (17 February 2015) ► Exploiting the fact that some frameworks handle a relative path to CSS files.
Krack Attacks (WiFi WPA2 Vulnerability) - Computerphile by Mike Pound and Steve Bagley (18 October 2017) ► A simple explanation of the Key Reinstallation Attack.
How a Dorm Room Minecraft Scam Brought Down the Internet — A DDoS attack that crippled the internet wasn't the work of a nation-state. It was three college kids working an online gaming hustle.↑ by Garrett M. Graff (13 December 2017) ► A non-technical, but detailed, story of the Mirai botnet.
Unearthing Z͌̈́̾a͊̈́l͊̿g̏̉͆o̾̚̚S̝̬ͅc̬r̯̼͇ͅi̼͖̜̭͔p̲̘̘̹͖t̠͖̟̹͓͇ͅ with visual fuzzing by Gareth Heyes (7 March 2018) ► Playing with combining marks, but there is no security gap to exploit here.
Data Exfiltration via Formula Injection #Part1 (19 May 2018) ► Using HTTP requests to get data from a spreadsheet or from the local filesystem.
Hackability inspector by Gareth Heyes (6 July 2018) ► A tool to analyse the JavaScript objects of a browser.
Evading CSP with DOM-based dangling markup by Gareth Heyes (18 July 2018) ► The title says it all.
Exposing Intranets with reliable Browser-based Port scanning by Gareth Heyes (9 November 2018) ► How to scan ports with Chrome, Firefox, and Edge.
XS-Searching Google’s bug tracker to find out vulnerable source code — Or how side-channel timing attacks aren’t that impractical by Luan Herrera (19 November 2018) ► Using timing to extract information from monorail.
Secure Copy Vulnerability (SCP) - Computerphile by Steve Bagley (18 January 2019) ► The description of a very old security hole found in scp.
XSS without parentheses and semi-colons by Gareth Heyes (15 May 2019) ► The title says it all: injecting JavaScript expressions containing no parentheses nor semi-colons.
Provoking browser quirks with behavioural fuzzing by Gareth Heyes (28 May 2019) ► Using fuzz testing to detect improper handling of some characters in the HTML parser and in the JavaScript parser.
Bypassing CSP with policy injection by Gareth Heyes (5 June 2019) ► Exploiting the fact that PayPal inserts a GET parameter in their CSP directive to override this one.
HTTP Desync Attacks: Request Smuggling Reborn by James Kettle (7 August 2019) ► How to exploit the fact that servers of different layers handle invalid HTTP requests differently.
A look at the Windows 10 exploit Google Zero disclosed this week — This privilege escalation vulnerability has lurked within Windows for 20 years. by Jim Salter (15 August 2019) ► A high-level description of the bug in MSCTF.DLL.
Forum cracks the vintage passwords of Ken Thompson and other Unix pioneers — Security in the early days of Unix was poor. Then, there were the passwords. by Dan Goodin (10 October 2019) ► Breaking the passwords from a 1980 BSD snapshot.
DNS Cache Poisoning - Computerphile by Mike Pound (22 July 2020) ► A high-level description of DNS poisoning.
The First Internet Worm (Morris Worm) - Computerphile by Julian Onions (30 October 2020) ► Yet another telling of the Robert Morris Internet Worm, but this one does not go in the details.
The Internet’s Most Notorious Botnet Has an Alarming New Trick — The hackers behind TrickBot have begun probing victim PCs for vulnerable firmware, which would let them persist on devices undetected. by Andy Greenberg (3 December 2020) ► The bot is checking if the UEFI is vulnerable.
OpenSSL fixes high-severity flaw that allows hackers to crash servers — The widely used code library is also purged of a certificate verification bypass. by Dan Goodin (25 March 2021) ► Two bugs are fixed: a null pointer dereference and some conditions allowing to bypass the certificate verification.
5 ways to prevent code injection in JavaScript and Node.js by Liran Tan (5 April 2021) ► Some basic information about code injection in JavaScript and an advertisement for Snyk.
Affaire Pegasus : comment des téléphones ont-ils pu être contaminés sans action de leur propriétaire ? by Charles Cuvelliez and Jean-Jacques Quisquater (9 August 2021) ► Some information about how Pegasus works.
SolarWinds and the Holiday Bear Campaign: A Case Study for the Classroom by Robert Chesney (25 August 2021) ► An overview of how Russia’s SVR performed the SolarWinds attack.
Hacking et virus informatiques (dans le monde réel) bonus: Corewar! - Passe-science #43 by Thomas Cabaret (5 November 2021) ► An introduction to buffer overflows and viruses.
The Invisible JavaScript Backdoor by Wolfgang Ettlinger (9 November 2021) ► Using invisible characters or homoglyphs to hide code instructions in JavaScript code.
How $323M in crypto was stolen from a blockchain bridge called Wormhole — Cryptocurrency carries risk. Blockchain bridges heighten it. by Dan Goodin (4 February 2022) ► The title says it all.
Attackers can force Amazon Echos to hack themselves with self-issued commands — Popular “smart” device follows commands issued by its own speaker. What could go wrong? by Dan Goodin (6 March 2022) ► The title says it all.
Linux has been bitten by its most high-severity vulnerability in years — Dirty Pipe has the potential to smudge people using Linux and Linux derivitives. by Dan Goodin (8 March 2022) ► A description of Dirty Pipe, an uninitialised variable allows an attacker to overwrite a file cached in memory.
First Microsoft, then Okta: New ransomware gang posts data from both — If you haven’t heard of Lapsus$, you have now. It probably won’t be the last time. by Dan Goodin (22 March 2022) ► Lapsus$, a new hacker group, claims to have hacked into Okta and Microsoft.
A Mysterious Satellite Hack Has Victims Far Beyond Ukraine — The biggest hack since Russia’s war began knocked thousands of people offline. The spillover extends deep into Europe. by Matt Burgess (23 March 2022) ► An attack destroyed thousands of Viasat satellite modems.
↪Mystery solved in destructive attack that knocked out >10k Viasat modems — AcidRain is the seventh wiper associated with the Russian invasion of Ukraine. by Dan Goodin (31 March 2022) ► SentinelOne analysed the modem wiper.
North Korean hackers unleashed Chrome 0-day exploit on hundreds of US targets — Critical vulnerability exploited by 2 groups both working for the North Korean government. by Dan Goodin (24 March 2022) ► The description of a complex attack using social engineering to trick receivers to visit legitimate sites containing a malicious iframe.
Russia's Sandworm Hackers Attempted a Third Blackout in Ukraine — The attack was the first in five years to use Sandworm's Industroyer malware, which is designed to automatically trigger power disruptions. by Andy Greenberg (12 April 2022) ► The title says it all.
Hackers can infect >100 Lenovo models with unremovable malware. Are you patched? — Exploiting critical UEFI vulnerabilities could allow malware to hide in firmware. by Dan Goodin (19 April 2022) ► The title says it all.
Backdoor in public repository used new form of attack to target big firms — Dependency confusion attacks exploit our trust in public code repositories. by Dan Goodin (12 May 2022) ► A description of dependency confusion.
“PACMAN” Hack Breaks Apple M1’s Last Line of Defense — How many dominos could fall if this centerpiece CPU’s weakness pans out? by Samuel K. Moore (10 June 2022) ► A side channel attack has been found to bypass Apple’s Pointer Authentication Code.
Hardcoded password in Confluence app has been leaked on Twitter — Advisory had already warned hardcoded password was “trivial to obtain.” by Dan Goodin (22 July 2022) ► Atlassian is quite bad at security.
Critical hole in Atlassian Bitbucket allows any miscreant to hijack servers — Grab and deploy this backend update if you offer even repo read access by Jessica Lyons Hardcastle (29 August 2022) ► Atlassian continues to have big security issues.
Une "arnaque à l'avis de passage" profite d'une faille informatique de La Poste — La ville de Montpellier semble touchée par une campagne d'escroqueries. Des habitants ont reçu de faux avis de passage de La Poste redirigeant vers un site demandant leurs coordonnées bancaires. by Pierre Monnier (30 August 2022) ► Phishing using a fake paper notice and a bug of La Poste.
Numerous orgs hacked after installing weaponized open source apps — PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording all targeted. by Dan Goodin (30 September 2022) ► North Korean hackers are using social engineering and Trojanised software.
Mystery hackers are “hyperjacking” targets for insidious spying — After decades of warnings, group figured out how to hijack virtualization software. by Andy Greenberg (30 September 2022) ► The title says it all.
USENIX Security '22 - Lend Me Your Ear: Passive Remote Physical Side Channels on PCs by Roei Schuster (27 October 2022) ► Extracting data by using the fact that the CPU interferes with the audio when using Voice-over-IP applications.
First LastPass, now Slack and CircleCI. The hacks go on (and will likely worsen) — Don’t expect victims to be forthcoming. Their alerts conceal more than they reveal. by Dan Goodin (6 January 2023) ► The title says it all.
What Twitter’s 200 Million-User Email Leak Actually Means — The exposure of hundreds of millions of email addresses puts pseudonymous users of the social network at risk. by Lily Hay Newman (6 January 2023) ► The impact of the email scraping of 2021.
More malicious packages posted to online repository. This time it’s PyPI — It’s not always easy to spot malicious impostors posing as legit downloads. by Dan Goodin (17 January 2023) ► The title says it all.
How This SQL Command Blew Up a Billion Dollar Company by Kevin Fang (13 March 2023) ► A hypothetical scenario on how Heartland Payment Systems has been hacked in 2007.
Acropalypse Now - Computerphile by Steve Bagley and Mike Pound (28 March 2023) ► It was possible to recover pixels cropped out of an Android screenshot.
Capital One's $200M Cloud Data Breach by Kevin Fang (13 April 2023) ► Capital One’s data breach in AWS by a former AWS software engineer.
Those scary warnings of juice jacking in airports and hotels? They’re mostly nonsense — Juice jacking attacks on mobile phones are nonexistent. So why are we so afraid? by Dan Goodin (1 May 2023) ► A list of possible attacks using a USB connection, but they are too complex to be wildly used in a public charging station.
LogJam Attack - Computerphile by Mike Pound (3 May 2023) ► A description of the LogJam vulnerability.
Power LED Attack - Computerphile by Mike Pound (29 June 2023) ► A side channel attack using the fact that the LED light level is impacted when the CPU computes more data.
Closing vulnerabilities in Decidim, a Ruby-based citizen participation platform — This blog post describes two security vulnerabilities in Decidim, a digital platform for citizen participation. Both vulnerabilities were addressed by the Decidim team with corresponding update releases for the supported versions in May 2023. by Peter Stöckli (28 July 2023) ► A description of two vulnerabilities: a XSS and a data exfiltration.
Hackers Could Have Scored Unlimited Airline Miles by Targeting One Platform — Flaws in the Points.com platform, which is used to manage dozens of major travel rewards programs, exposed user data—and could have let an attacker snag some extra perks. by Lily Hay Newman (3 August 2023) ► The subtitle says it all.
How Not To Secure Your Company (Target Data Breach) by Kevin Fang (4 September 2023) ► The Target Data Breach, from compromising a third-party vendor up to infecting Target’s POS systems.
TETRA Vulnerability (TETRA:BURST) - Computerphile by Tim Muller (14 September 2023) ► TETRA, a proprietary encryption mechanism for police radio communication, is broken.
Microsoft menace la sécurité nationale by Lê Nguyên Hoang (25 September 2023) ► Some little information about Microsoft hack and, as usual with Lê Nguyên Hoang, a long discourse about the importance of cybersecurity.
GPUs from all major suppliers are vulnerable to new pixel-stealing attack — A previously unknown compression side channel in GPUs can expose images thought to be private. by Dan Goodin (26 September 2023) ► A basic presentation of GPU.zip, a GPU side channel attack.
Intel fixes high-severity CPU bug that causes “very strange behavior” — Among other things, bug allows code running inside a VM to crash hypervisors. by Dan Goodin (14 November 2023) ► The subtitle says it all.
Researchers figure out how to bypass the fingerprint readers in most Windows PCs — Microsoft’s Surface didn’t even use the Microsoft-developed security protocol. by Andrew Cunningham (27 November 2023) ► Security researchers were able, using different ways, to bypass fingerprint sensor on several laptops.
Securing our home labs: Frigate code review — This blog post describes two linked vulnerabilities found in Frigate, an AI-powered security camera manager, that could have enabled an attacker to silently gain remote code execution. by Logan MacLaren and Jorge Rosillo (13 December 2023) ► Hacking a poorly secured Python application.
Playing with Fire – How We Executed a Critical Supply Chain Attack on PyTorch by John Stawinski (11 January 2024) ► Using self-hosted runners to get access to some secrets.
A Flaw in Millions of Apple, AMD, and Qualcomm GPUs Could Expose AI Data — Patching every device affected by the LeftoverLocals vulnerability—which includes some iPhones, iPads, and Macs—may prove difficult. by Lily Hay Newman and Matt Burgess (16 January 2024) ► LeftoverLocals: a vulnerability that allows data recovery from GPU memory created by another process.
MAJOR EXPLOIT: GitLab was Hacked with an IMAGE?? by Daniel Boctor (19 January 2024) ► Exploiting a wrong regex in a Perl script.
How I got scammed by Cory Doctorow (5 February 2024) ► How you can get phished even when you know about security.
Hackers can read private AI-assistant chats even though they’re encrypted — All non-Google chat GPTs affected by side channel that leaks responses sent to users. by Dan Goodin (14 March 2024) ► Using token lengths to rebuild the chatbot answers.
Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds — The company behind the Saflok-brand door locks is offering a fix, but it may take months or years to reach some hotels. by Andy Greenberg (21 March 2024) ► A team of hackers is able to reconfigure and open Dormakaba’s locks.
Back to the Hype: An Update on How Cybercriminals Are Using GenAI — Generative AI continues to be misused and abused by malicious individuals. In this article, we dive into new criminal LLMs, criminal services with ChatGPT-like capabilities, and deepfakes being offered on criminal sites. by Vincenzo Ciancaglini and David Sancho (8 May 2024) ► It seems that criminals are not yet utilising the capabilities of AI. But some are bullshitting other ones, as in other economic domains.
GhostStripe attack haunts self-driving cars by making them ignore road signs — Cameras tested are specced for Baidu's Apollo by Laura Dobberstein and David Sancho (10 May 2024) ► Yet another attack on self-driving cars.
Polyfill supply chain attack hits 100K+ sites by Simon Willison (25 June 2024) ► cdn.polyfill.io injects malware in sites using it to get polyfill.js.
‘Sinkclose’ Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections — Researchers warn that a bug in AMD’s chips would allow attackers to root into some of the most privileged portions of a computer—and that it has persisted in the company’s processors for decades. by Andy Greenberg (9 August 2024) ► Two white hats found a security hole in AMD processors by reading the documentation.
Exposing The Flaw In Our Phone System by Derek Muller, Alexandre De Oliveira, and Karsten Nohl (22 September 2024) ► Why SS7 is vulnerable to hacking.
Two never-before-seen tools, from same group, infect air-gapped devices — It’s hard enough creating one air-gap-jumping tool. GoldenJackal did it 2x in 5 years. by Dan Goodin (9 October 2024) ► The title says it all.
How to Lose a Fortune with Just One Bad Click by Brian Krebs (18 December 2024) ► How scammers use social engineering and some tricks with Google to get access to someone’s Google account and steal their cryptocurrencies.
major vulnerability found in rsync (does it matter?) by "Low Level" (17 January 2025) ► A technical explanation of some of the CVEs found in rsync.
Large enterprises scramble after supply-chain attack spills their secrets — tj-actions/changed-files corrupted to run credential-stealing memory scraper. by Dan Goodin (17 March 2025) ► Yet another supply chain attack. This one via GitHub Actions.
How Hackers Steal Passwords: 5 Attack Methods Explained by Jeff Crume (24 April 2025) ► The title says it all.
Drag and Pwnd: Leverage ASCII characters to exploit VS Code by Zakhar Fedotkin (30 April 2025) ► Exploiting SOH, STX, ETX, and EOT in filenames to execute shell commands in node-pty, hence VS Code.
What Is Quishing? How Hackers Use QR Codes to Steal Your Data by Jeff Crume (2 June 2025) ► Some basic security advice about QR code usage.
it only took 2 characters by Michael B. Paulson (21 January 2026) ► When people do not know the basics of regexps.
SQL injection
- SQL Injection Attacks by Example by Steve Friedl (10 October 2007) ► A basic, detailed, and slow description of a SQL injection attack.
- Bobby Tables by Robert Cecil Martin "Uncle Bob" (3 December 2017) ► SQL is too dangerous, it should not be used anymore.
Buffer overflows and similar tricks
- Smashing The Stack For Fun And Profit⇈ (⧉) by Elias Levy "Aleph One" (November 1996) ► A very well-known article: Elias Levy "Aleph One" describes what is a buffer overflow exploit and how to exploit it.
- Ping of Death by Malachi Kenney (22 January 1997) ► At the beginning of Internet explosion, there were some major security issues: you could simply crash a machine by sending an illegal IP packet…
- TAKING ADVANTAGE OF NON-TERMINATED ADJACENT MEMORY SPACES by "twitch" (1 May 2000) ► A small variation of the buffer overflow by using contiguous buffers.
- Bypassing StackGuard and StackShield by "Bulba" and "Kil3r" (1 May 2000) ► Some new overflow techniques: overwriting the return address despite the presence of a canary, patching the atexit table and patching the global offset table.
- Smashing C++ VPTRs by "rix" (1 May 2000) ► Yet another buffer overflow technique: overwriting the VPTR table.
- SHARED LIBRARY CALL REDIRECTION VIA ELF PLT INFECTION by Silvio Cesare (1 May 2000) ► Silvio describes how to hijack the procedure linkage table (this is done by patching the executable).
- Remotely Exploitable Buffer Overflow in Outlook "Malformed E-mail MIME Header" Vulnerability by "Underground Security Systems Research" (19 July 2000) ► A nice buffer overflow in Outlook: no need to open an attachment or even to read the mail, you could be infected by a virus… An exploit is provided.
- JPEG COM Marker Processing Vulnerability in Netscape Browsers by Solar Designer (25 July 2000) ► A nice way to make Netscape execute code recorded in a JPEG file!
- Netscape SmartDownload Overflow🚫 by Frank Swiderski (13 April 2001) ► A buffer overflow in SmartDownload, no exploit provided.
- Once upon a free()... (11 August 2001) ► A description of System V and GNU C malloc implementations with some way to generate and exploit overflow in the heap.
- Vudo - An object superstitiously believed to embody magical powers⇈ by Michel Kaempf (11 August 2001) ► An impressive description of the sudo exploit (which uses a corruption of the heap) with a detailed analysis of Doug Lea malloc library.
- The advanced return-into-lib(c) exploits: PaX case study by "Nergal" (11 August 2001) ► How to circumvent OSes with a non executable stack by calling functions in the loaded shared libraries.
- No SIGSEGV anymore (24 December 2001) ► An idea still to be exploited, preloading a SIGSEGV event handler to redirect the program execution.
- Writing UTF-8 compatible shellcodes by Thomas Wana (13 July 2004) ► A description of the conditions necessary to create a shellcode which is a valid UTF8 string and some tricks to fulfil them.
Format string
- More info on format bugs.⇈ (⧉) by Pascal Bouchareine (18 July 2000) ► How to exploit format string bugs to examine the stack and execute a root shell.
- Write It Secure: Format Strings and Locale Filtering by David A. Wheeler (December 2000) ► A non-technical overview of format string exploit and locale hijacks.
Integer overflows
- Basic Integer Overflow by "blexim" (December 2002) ► A basic, yet effective, introduction to integer overflow/wrap around exploits.
- Smashing The Kernel Stack For Fun And Profit by Sinan Eren "noir" (December 2002) ► An exploit for the select() OpenBSD signed/unsigned vulnerability.
Cross-site scripting
- Cross Site Scripting Info: Encoding Examples ► Same thing from the Apache group.
- Understanding Malicious Content Mitigation for Web Developers (2 February 2000) ► Some advice to avoid cross-site scripting. But the problem is so complex that this is just an overview.
- CERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests (3 February 2000) ► This CERT Advisory is a basic presentation of the cross-site scripting vulnerability.
- Cross-site scripting — Use a custom tag library to encode dynamic content🗑️ by Paul Lee (September 2002) ► After a quick presentation of some types of cross-site scripting attacks, the author describes how to easily avoid them in JSP by using a private tag.
Cross-site request forgery
- Prevent cross-site request forgery: Know the hidden danger in your browser tabs — Learn to prevent cross-site request forgery or your clients might do a hacker's bidding without knowing it🗑️ by Paul Ionescu (25 March 2014) ► The title says it all.
Race conditions
- Secure programmer: Prevent race conditions — Resource contention can be used against you by David A. Wheeler (7 October 2004) ► Some advice on avoiding race condition attacks when using files.
Signals
- Delivering Signals for Fun and Profit — Understanding, exploiting and preventing signal-handling related vulnerabilities. by Michal Zalewski (28 May 2001) ► Signal handlers are difficult to write correctly, so many of them can be exploited as security holes.
Phishing
- A Real Remedy for Phishers by Bruce Schneier (6 October 2005) ► Bruce opinion is that a company should be considered responsible when one of its customers is victim of phishing.
- Two Things That Bother Me About Google's New Firefox Extension🗑️ by Nitesh Dhanjani (15 December 2005) ► The Google’s Firefox extension to flag phishing use unencrypted HTTP request, this may be a problem.
- Identifying Suspicious URLs: An Application of Large-Scale Online Learning by Justin Ma (5 May 2010) ► A study of several algorithms to automatically classify phishing vs. benign URLs.
- Devious New Phishing Tactic Targets Tabs by Brian Krebs (24 May 2010) ► A description of a new kind of phishing attack: the tabnabbing, where a hidden type morphs into a phishing page to trap the inattentive user.
Web bugs
- Microsoft Word Documents that "Phone Home"🚫 by Richard M. Smith (30 August 2000) ► A clever way to use Web bugs: embed them in an Office document!
- Email Wiretapping🚫 by Richard M. Smith (5 February 2001) ► Even more clever, use the Web bugs to trace the forward and added text to an email you have sent.
Denial of Service
- Denial of Service via Algorithmic Complexity Attacks by Scott A. Crosby and Dan S. Wallach (2003) ► A DoS based on finding the worst case of use of a hash table, the authors propose their own version of a universal hashing to fix the issue.
- Protect your Apache server from DoS attacks↓🗑️ by Scott Robinson (12 August 2003) ► Some information on Apache and DoS attacks, but this article is not very clear and informative.
- About that hash flooding vulnerability in Node.js… by Yang Guo (11 August 2017) ► Yet another DoD attack by flooding a hash table. The V8 team had trouble to get a proper fix.
MD5 attacks
- Hash Collisions (The Poisoned Message Attack) — "The Story of Alice and her Boss" by Magnus Daum and Stefan Lucks (15 June 2005) ► The authors have created two PostScript files with the same MD5 checksum.
- Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes🚫 by Thomas Ptacek (10 September 2007) ► Encoding passwords with as a simple MD5 checksum is a bad idea, Thomas suggests some better methods.
- Google as a password cracker by Steven J. Murdoch (16 November 2007) ► Using Google to break a MD5 checksum.
- Predicting the winner of the 2008 US Presidential Elections using a Sony PlayStation 3 by Marc Stevens, Arjen Lenstra, and Benne de Weger (30 November 2007) ► "3D5 15 DEAD": the authors have created 12 meaningful PDF files with the same MD5 checksum.
SHA-1 attacks
- Cryptanalysis of SHA-1 by Bruce Schneier (18 February 2005) ► A Chinese team has been able to divide the search space by 2¹¹. SHA-1’s future starts to look like MD5’s future.
SHA-2 attacks
- SHA2 Fatal Flaw? (Hash Length Extension Attack) - Computerphile by Mike Pound (23 September 2025) ► A description of a length extension attack on SHA2.
- ↪Coding a SHA2 Length Extension Attack - Computerphile by Mike Pound (25 September 2025) ► The continuation on the previous video: a simple implementation of the exploit.
Ajax
- Ajax Security Dangers by Billy Hoffman (2006) ► Yet another white paper on AJAX security. The only interest here is that it describes possible issues with AJAX bridging.
- Ajax Security Basics by Jaswinder S. Hayre and Jayasankar Kelath (22 June 2006) ► Some generalities about AJAX security and the difficulty to test it.
- Top 10 Ajax Security Holes and Driving Factors by Shreeraj Shah (10 November 2006) ► This is not a list of possible attacks, just random thoughts about where a malicious script could be injected.
- Mashup security — Technologies and techniques for securing UI artifacts and data in a mashup🗑️ by J. Jeffrey Hanson (4 August 2009) ► A list of security issues when building mashups, but the description is too terse to be really useful.
Clickjacking
- Clickjacking🚫 by Robert Hansen and Jeremiah Grossman (12 September 2008) ► A presentation of the attack and possible ways to exploit it.
- This Week in HTML 5 – Episode 7 by Marl Pilgrim (29 September 2008) ► The WHATWG and W3C HTML Working Group is starting to look at solutions to avoid clickjacking.
- Clickjacking: Web pages can see and hear you by Jeremiah Grossman (7 October 2008) ► A demonstration of clickjacking to get access to the camera and snoop the victim.
Java
- Java Deployment Toolkit Performs Insufficient Validation of Parameters by Tavis Ormandy (9 April 2010) ► Java Deployment Toolkit plugin allows launching javaws without any checks.
Using Google
- Google Your Site For Security Vulnerabilities🗑️ by Nitesh Dhanjani (7 October 2004) ► Using Google to find security holes on Web servers.
- Bulletproof your organization against Google hacking: Assess your vulnerability to these ten simple security searches🚫 by Ido Johnny Long, Ed Skoudis, and Alrik van Eijkelenborg (December 2004) ► A longer description of the same techniques.
Spectre, Meltdown and MDS
- L'attaque SPECTRE🚫 by David Monniaux (4 January 2018) ► A very basic, but clear, description of the problem.
- L'attaque MELTDOWN↓🚫 by David Monniaux (5 January 2018) ► The same for Meltdown. The author should have merged the two articles since they contain mostly the same words!
- Spectre & Meltdown - Computerphile by Steve Bagley (5 January 2018) ► A simple explanation of the Spectre attack.
- Why Raspberry Pi isn’t vulnerable to Spectre or Meltdown by Eben Upton (5 January 2018) ► A basic and clear explanation of CPU optimisations and how Meltdown and Spectre exploit them.
- Meltdown Redux: Intel Flaw Lets Hackers Siphon Secrets from Millions of PCs — Two different groups of researchers found another speculative execution attack that can steal all the data a CPU touches. by Andy Greenberg (14 May 2019) ► Other security attacks related to the speculative execution have been found in Intel’s CPUs.
Zip Slip
- Zip Slip Vulnerability (5 June 2018) ► A simple exploit of the fact that the code does not check that files extracted for a Zip file are not in written in another directory.
Port Smash
- What's Behind Port Smash? - Computerphile by Steve Bagley (13 November 2018) ► A basic description of hyperthreading and how Port Smash works.
CSS timing
- A timing attack with CSS selectors and Javascript by Sigurd Kolltveit (6 October 2018) ► Timing CSS evaluation time of a page using jQuery(location.hash) to extract some information from the page.
- Abusing jQuery for CSS powered timing attacks by Gareth Heyes (22 May 2019) ► The details of using the attack on redhat.com.
Symbolic links
- Hacking Websites by Uploading files (With symlinks) by Teja Swaroop (15 October 2023) ► How to access any file on the server by uploading a symbolic link and performing a directory traversal.
log4j
- Patch fixing critical Log4J 0-day has its own vulnerability that’s under exploit — If you’ve patched using Log4J 2.15.0, it’s time to consider updating again. Stat. by Dan Goodin (15 December 2021) ► The first fix of log4j was not complete…
- Log4J & JNDI Exploit: Why So Bad? - Computerphile by Steve Bagley and Mike Pound (22 December 2021) ► A description of the log4j exploits and some thoughts on popular open-source libraries.
- Log4j : une autre vulnérabilité corrigée par Apache — Plus d'une semaine après la publication de la mise à jour 2.17 de la bibliothèque de journalisation Log4j d'Apache Logging, une faille CVE-2021-44832 l'affectant est comblée. La montée de version vers la 2.17.1 est à effectuer dès que possible. by Dominique Filippone (29 December 2021) ► The saga continues…
- Log4Shell Still Has Sting in the Tail — The cyber-vulnerability mounts a quiet comeback as organizations grow complacent by Edd Gent (28 December 2022) ► Some companies have reintroduced the security hole by installing vulnerable software.
Spring4Shell
- Patch now: RCE Spring4shell hits Java Spring framework — You didn't have any plans for the weekend anyway, did you? by Richard Speed (1 April 2022) ► A Remote Code Execution vulnerability in Spring.
- Explaining Spring4Shell: The Internet security disaster that wasn’t — Vulnerability in the Spring Java Framework is important, but it’s no Log4Shell. by Dan Goodin (2 April 2022) ► The title says it all.
Psychic Paper
- Major cryptography blunder in Java enables “psychic paper” forgeries — A failure to sanity check signatures for division-by-zero flaws makes forgeries easy. by Dan Goodin (20 April 2022) ► A major bug introduced in Java 15 allows invalid ECDSA signatures.
- Psychic Signatures (Java Vulnerability) - Computerphile by Mike Pound (23 April 2022) ► A basic description of the bug.
XZ Backdoor
- What we know about the xz Utils backdoor that almost infected the world — Malicious updates made to a ubiquitous tool were a few weeks away from going mainstream. by Dan Goodin (1 April 2024) ► The title says it all.
- Discovering the XZ Backdoor with Andres Freund↑ (⧉) by Bryan Cantrill, Andres Freund, and Adam Leventhal (8 April 2024) ► Andres Freund explains how he detected and found the backdoor.
Hallucinated package names
- LLMs can't stop making up software dependencies and sabotaging everything — Hallucinated package names fuel 'slopsquatting' by Thomas Claburn (12 April 2025) ► Attackers create malicious packages having names hallucinated by LLMs.
- AI-generated code could be a disaster for the software supply chain. Here’s why. — LLM-produced code could make us much more vulnerable to supply-chain attacks. by Dan Goodin (29 April 2025) ► The same subject, but with more information.
Stuxnet
- The Real Story of Stuxnet — How Kaspersky Lab tracked down the malware that stymied Iran’s nuclear-fuel enrichment program by David Kushner (26 February 2013) ► The story of Stuxnet.
Bug bounty
- Google will now pay up to $30,000 for reporting a Chrome bug — You can earn bigger bucks by becoming a digital bounty hunter. by Shelby Brown and Stephen Shankland (18 July 2019) ► Some information about the improved rewards of Google’s bug bounty program.
- Finding your first bug: bounty hunting tips from the Burp Suite community by Emma Stocks (26 August 2020) ► Some advice for starting bug bounty hunting.
- Burp Suite tips from power user and "hackfluencer" Stök by Emma Stocks (29 September 2020) ► How Stök discovered Burp and his advice on using it.
Tools
- 10 open source tools that feel illegal... by Jeff Delaney (5 February 2026) ► A list of hacking tools, each being very quickly described.
- Burp
  - Introducing Burp Infiltrator by Dafydd Stuttard (26 July 2016) ► A short description of Burp Infiltrator, a tool instrumenting an application to detect that Burp scanner can control some parameters of calls to unsafe APIs.
  - Behind enemy lines: bug hunting with Burp Infiltrator by Santiago Díaz (22 June 2017) ► An example of using Burp Infiltrator.
  - OAST (Out-of-band Application Security Testing) by Dafydd Stuttard (14 July 2017) ► This article is rather some advertisement, there is little technical content.
  - Cracking the lens: targeting HTTP's hidden attack-surface↑ by James Kettle (27 July 2017) ► Attacking components of the infrastructure other than the web server: reverse proxies, analytics servers, cache servers…
  - How I accidentally framed myself for a hacking frenzy by James Kettle (21 August 2017) ► It is not a good idea to release a Burp extension referencing one of your servers.
  - Adapting Burp extensions for tailored pentesting by James Kettle (23 August 2017) ► How to get the code of an extension, build it, modify it and, possibly, propose your change.
  - When security features collide by James Kettle (6 October 2017) ► Using Cloudflare’s email protection to bypass the browser XSS filter.
  - Your recipe for BApp Store success by Paul Johnston (17 January 2018) ► Some rules to be respected by extension creators.
  - Bypassing WAFs and cracking XOR with Hackvertor by Gareth Heyes (9 October 2018) ► Gareth Heyes describes Hackvector, a Burp extension he created to easily manage text transformations (base64 encoding, hex encoding, rot, xor…).
  - Turbo Intruder: Embracing the billion-request attack by James Kettle (25 January 2019) ► Turbo Intruder is an extension aimed at speed of request generation and answer analysis.
  - Burp for Beginners: How to Use Intruder by Katie Paxton-Fear (4 July 2020) ► A presentation of Intruder’s features.
  - How to resend individual requests with Burp Repeater (28 July 2020) ► A description of Burp Repeater.
  - A guide to the Burp Suite user interface (13 August 2020) ► A short overview of Burp.
  - Web Security Academy - your questions answered by Emma Stocks (3 December 2020) ► A FAQ about PortSwigger’s Web Security Academy.
  - Burp Suite roadmap for 2021 by Dafydd Stuttard (25 January 2021) ► A list of the latest and the future features of Burp Suite Enterprise Edition, Burp Suite Professional, and Burp Scanner.
  - Improved CI/CD integrations in Burp Suite Enterprise Edition by Dayna Shoemaker (23 March 2021) ► The title says it all.
  - Introducing Bambdas by Emma Stocks (14 November 2023) ► Requests can now be filtered using your own filter written in Java.
  - Introducing DAST scanning in the Cloud, with Burp Suite Enterprise Edition — We’re excited to announce that Burp Suite Enterprise Edition is now available in PortSwigger’s secure cloud. You can now free up testing time with scalable, automated DAST scanning, without the burden of maintaining infrastructure. by Mike Eaton (18 April 2024) ► The title says it all.
  - Shadow Repeater:AI-enhanced manual testing by Gareth Heyes (20 February 2025) ► Shadow Repeater is an extension generating variations, when you already generated some yourself in Repeater, using AI.
  - Introducing HTTP Anomaly Rank by James Kettle (11 November 2025) ► A simple heuristique to detect interesting answers among a huge collection: allocate more attention to fields that have different values, but not too many.
  - Functional PoCs in less than a minute? Julen Garrido Estévez puts Burp AI to the test by Julen Garrido Estévez (16 January 2026) ► Some examples and advice on using Burp AI.
- ZAP
  - ZAP in Ten - The Interface by Simon Bennetts ► An introduction to ZAP UI.
  - ZAP Chat 01 Introduction by Simon Bennetts (15 September 2023) ► An introduction to the series.
  - ZAP Chat 02 Authentication Tester by Simon Bennetts and "ZAP" (15 September 2023) ► A presentation of Authentication Tester which is a much simpler way to configure automated login to the SUT.
- Acunetix
  - Acunetix Premium Demo (15 September 2020) ► A marketing presentation of Acunetix.
Advice
- The Ultra-Secure Network Architecture🚫 by Jeff Hall ► The title says it all.
- Create effective passwords — Strategies for computer-based systems🗑️ by Rob Shimonski (1 September 2002) ► How to avoid bad passwords.
- Love and Authentication -- Addressing the problem of password reset by Markus Jakobsson (12 August 2008) ► After describing the issues with current password resetting mechanisms, Markus Jakobsson proposes a new technique based on user preferences.
- Prevent cross-site scripting attacks by encoding HTML responses🗑️ by Usha Ladkani (30 July 2013) ► A basic description of XSS and how to avoid it.
- Attacking Web Applications - Sasha Goldshtein by Sasha Goldshtein (9 October 2013) ► A good presentation of the most common Web security holes: SQL/OS injection, HTTPS, CSRF, XSS…
- Security 101: An introduction to software security - Allen Holub by Allen Holub (9 October 2013) ► Some very basic generalities on security.
- 5 developer tools for detecting and fixing security vulnerabilities by Ingrid E. (12 May 2021) ► A too short description of Dependabot, Renovate, Snyk, GitGuardian, and Webhint.
- Mitigating SSRF in 2023↑ by Laurence Tennant (20 March 2023) ► A presentation of possible SSRF mitigations.
- System administration
  - Know Your Enemy
    - Know Your Enemy by Lance Spitzner (23 May 1999) ► Lance describes the methodology used by Script Kiddies (a.k.a. crackers) to scan networks and find vulnerable systems.
    - ↪Know Your Enemy: II by Lance Spitzner (23 May 1999) ► This second part explains how to secure system logs, research them for scanning patterns and find out the tools used by the Script Kiddy.
    - ↪Know Your Enemy: III by Lance Spitzner (23 May 1999) ► This last part describes the typical Script Kiddy activity once he introduced a system: checking that they are alone, clearing log files, install a backdoor…
    - ↪Know Your Enemy: A Forensic Analysis by Lance Spitzner (23 May 2000) ► Lance restarts the "Know You Enemy" series, he describes how a Script Kiddy broke in a Red Hat 6.0 box.
    - ↪Know Your Enemy: Motives by the Honeynet Project (27 June 1999) ► Yet another break in (this time a Solaris 2.6 box), this one is very similar to the previous one, but this time Lance reports some crackers’ IRC logs.
    - ↪Know Your Enemy - Worms at War by the Honeynet Project (9 November 2000) ► Some Windows 98 worms created by guys wanting to win a distributed.net challenge.
  - How To Eliminate The Ten Most Critical Internet Security Threats by SANS Institute (1 June 2000) ► This list (which is regularly updated) describes the most common holes used to break in a computer. It is a must read if you are a system administrator.
  - Introduction to Ngrep by William Stearns (2002) ► A quick presentation of ngrep: a tool to grep network packets.
  - A Buffer Overflow Study Attacks & Defenses (⧉) by Pierre-Alain Fayolle and Vincent Glaume (March 2002) ► The current status of some buffer overflows (with a presentation of their mechanisms) and some Linux patches to avoid them.
  - 10 common network security design flaws🗑️ by Brien Posey (23 October 2009) ► Some short basic pieces of advice for designing a network.
- Coding
  - A Lab engineers check list for writing secure Unix code (⧉) by Gene Spafford and Danny Smith (23 May 1996) ► Yet another list of do and don’t to write secure programs.
  - How to find security holes by Kragen Sitaker (26 February 1999) ► As confessed by the author, this document is badly structured. But the ideas presented here are a good introduction to some security issues, so this paper is worth reading.
  - Source Code Review Guidelines by Adam Shostack (11 September 1999) ► This is the code review process used by Acme Widgets aimed at ensuring security compliance.
  - Input Validation in C and C++🗑️ by John Viega and Matt Messier (20 June 2003) ► The usual advice for string manipulation: use strlcpy and strlcat, use a string library…
  - Secure Cooking with C and C++ — Recipe 3.1: Understanding Basic Data Validation🗑️ by Matt Messier and John Viega (22 July 2003) ► Some rules to validate input data: perform validation at input and component levels, prefer whitelisting to blacklisting, take care to quotes…
  - ↪Secure Cooking with C and C++, Part 2 — Recipe 3.8: Evaluating URL Encodings🗑️ by Matt Messier and John Viega (29 July 2003) ► How to encode and decode URLs.
  - ↪Secure Cooking with C and C++, Part 3 — Recipe 3.9: Validating Email Addresses🗑️ by Matt Messier and John Viega (5 August 2003) ► The authors propose a routine to validate an email address.
  - Secure programmer: Validating input — Best practices for accepting user data🗑️ by David A. Wheeler (23 October 2003) ► Yet another overview of the verification of input validity. This one gives a good overview of the problem (filename, locale, UTF8, email, cross-sire scripting, URL…).
  - The Lazy Programmer's Guide to Secure Computing by Marc Stiegler (11 March 2010) ► An introduction to the Principle Of Least Authority (POLA).
Non computer hacking
- Traffic Lights by "plunkett" (December 2002) ► Wanna hack traffic lights in South Africa?
- Automated Denial-of-Service Attack Using the U.S. Post Office by Bruce Schneier (15 April 2003) ► The Slashdot effect: a spammer gets flooded by junk mail… This is a real DoS attack, but in meatspace instead of cyberspace as usual.
- Hacking the hotel through the TV by Joris Evers (31 July 2005) ► Or you may prefer playing with the hotel TV?
- FREE MEAL AT MC'DONALD'S (REMI GAILLARD) 🍟 by Rémi Gaillard (19 September 2007) ► How to have a free lunch in a MacDrive.
- The Hustlers Who Make $6,000 a Month by Gaming Citi Bikes — The bike-sharing program rewards users who help redistribute bikes around New York City. A few riders have figured out how to turn that into profit. by Christopher Maag (19 September 2024) ► How to earn money by moving Lyft’s bikes.
- Scam Alert: Pig Butchering, Recruitment Scams & More! by Jeff Crume (25 November 2024) ► The 101 of Pig Butchering. I wonder why IBM produces such basic videos.