Play with permissive CORS

    Hello folks,

    While I was playing with a 'code search engine' tool called publicwww, I decided to gather some top Alexa domains and look for some permissive CORS. I tried the following searches, site:fr "type=\"password\"", and the same for the TLDs .org and .com, in order to spot webpages with a login form.


    A fun case of XSS and other web concepts

    Hello folks,

    I would like to share with you a practical case of reflected XSS that I found while I was looking at my national health service account. Right now the XSS has been patched (we have an efficient dedicated national service where we can report such issues).


    Fingerprinting Web Application static files

    Hello folks,

    Today I would like to share with you the first version of a script I wrote to help determine the version of a piece of software.

    So what the hell am I talking about?

    OK, let me explain the context: you are looking at a website and trying to get the exact version of the underlying CMS, let's say Drupal. We know that Drupal suffered from Drupalgeddon for 7.x versions before 7.32. So you can have a look at some obvious files (CHANGELOG.txt), but what happens if the webmaster deleted these files? How do you maximize the chance of finding the right version, or at least the smallest possible delta?


    MITM Part 2 - Hands on with MITM and HTTPS

    Hi everybody,

    I have already written some articles about the importance of implementing HTTP Strict Transport Security (HSTS) and of securing all the webpages, even the landing page.

    Why should all the pages be secure?

    Because all the traffic should be hidden from prying eyes. If an attacker can interfere with only one page, several options are available to him. He can strip all secure headers, redirect traffic, change web page content, force HTTP traffic, and so on.


    Format String with GDB

    Hello everyone,

    Today, a short article dealing with a simple case of Format String where we exploit a buffer passed as an argument. The idea for this article follows on from the Pegasus 1 machine from vulnhub, which I warmly recommend.

    I will try to be fairly educational, the case below being a basic one without bypassing stack protections.
