Empower Those Who Stand, Forgive Those Who Stumble

Jan 21, 17

Posted by in Application Security

My Hat My hat is not black. It is not white, either. It is not even gray. It's a technicolor-dream hat full of creativity. My technicolor-dream hat contains my “spark”. My “spark” led, and continues to lead, my path. My decisions, or lack thereof, have helped navigate my “spark” throughout my...


Add Custom Header to Nikto Scan

Oct 28, 15

Posted by in Penetration Testing, Reference

Have you ever needed to add a custom header, such as X-Auth-Token, to a Nikto scan for authentication or otherwise? I have, and found that it was surprisingly not a trivial thing to do. Scouring around the net I found that people have been asking for this since 2012. Chris Sullo, who wrote Nikto, mentioned it wasn’t currently...


CVE-2015-4670: Directory Traversal to Remote Code Execution in AjaxControlToolkit

Jun 22, 15

Posted by in Application Security, Research

The AjaxControlToolkit prior to version 15.1 has a file upload directory traversal vulnerability which on a poorly configured web server can lead to remote code execution. This vulnerability has been issued CVE-2015-4670. It is recommended to update to the latest version of AjaxControlToolkit to resolve this issue. It is also...


The Mask (aka Careto) Malware Overview

Feb 12, 14

Posted by in Malware

Kaspersky Labs has announced the discovery of a very sophisticated malware campaign dubbed The Mask (aka Careto) that has been in operation since 2007. The operator of the malware is still unknown, but a nation-state sponsor is suspected. The Command and Control (C2) network was shut down shortly after Kaspersky made its announcement,...


Exploit XSS: Bypass HTMLEncode()

Feb 10, 14

Posted by in Application Security, XSS

In a previous post, I described how to detect and exploit a basic cross-site scripting (XSS) vulnerability. The vulnerability that was demonstrated was not being protected by any mechanism. This article will demonstrate exploiting the same vulnerability being protected by HTMLEncode() as opposed to HTMLAttributeEncode() as described...
