Published inGeek CultureFuzzing File Uploads With Burp IntruderApps and websites often need to allow users to upload files for various reasons. Sometimes users need to upload arbitrary files, such as on…Jul 21, 2021Jul 21, 2021
Published inThe StartupHacking HTTP with HTTPfuzzSo you’ve been given a web app to pentest. Maybe it’s a banking app or a document workflow system. Either way, you need to make sure it’s…Dec 19, 2020Dec 19, 2020
Judas: back from the deadIf you’ve been reading this blog since the start, you’ll remember Judas, the pluggable open-source phishing proxy. I wrote Judas to prove…Oct 5, 2020Oct 5, 2020
Printing Money With TD Ameritrade’s APILearn how to build trading bots with TD Ameritrade’s APIAug 13, 20207Aug 13, 20207
Exploring Android apps for fun and profitSmartphones have become an extension of our bodies. We use mobile apps for everything from sending money to shooting movies, but for the…Aug 7, 2020Aug 7, 2020
Easy private networks with WireguardHTTPSI’ve been experimenting with Wireguard as a VPN to protect my internet traffic from local snoopers and communicate between all my devices…Jul 23, 2020Jul 23, 2020
Cloak and Dagger — Malware Techniques DemystifiedThe cloak and dagger attack exploits a combination of drawing over other apps and the large amount of access to other apps given to…Apr 10, 2019Apr 10, 2019
Disabling OkHttp’s SSL Pinning on Android AppsYour target has an Android application and you want to walk through their API to check for server-side vulnerabilities. You configure the…Aug 13, 20184Aug 13, 20184
Automated API testing with PostmanPostman is an excellent API testing tool for developers, QA testers and penetration testers. Its UI allows you to easily send HTTP requests…Jul 19, 20181Jul 19, 20181
Go phishing: Extending the proxyIn the last post, Judas got SOCKS proxy and SSL support to make the proxy sneakier, but all the proxy can do is dump the requests and…Mar 12, 2018Mar 12, 2018