Kirby < 3.9.6 XML External Entity (XXE) vulnerability — CVE-2023-38490 (2023)
Detailed write-up about an XXE on Kirby CMS (CVE-2023-38490).
What’s new in ffuf 2.0 release? (2023)
Covers new features in ffuf 2.0: scraper, request backtracking, configuration supporting XDG_CONFIG_HOME.
Transform P3 P4 P5 vulnerabilities to P1 (2022)
How to steal user sessions by chaining low risk vulnerabilities.
Ruby 3.2.0 Preview 1: living in the future (2022)
Overview of the new features that will come in Ruby 3.2.0: WebAssembly (WASM / WASI), ReDoS protection, Unicode v14.
Some sudo elevation of privilege vulnerabilities (2021)
An introduction to 3 sudo vulnerabilities: CVE-2019-14287, CVE-2019-18634, CVE-2021-3156.
Shodan Pentesting Guide (2020)
Delving deep into Shodan's mine.
State of the art of network pivoting in 2019 (2019)
State of the art of network pivoting: this paper covers several pivoting techniques as well as the existing tools to perform a lateral move.
GraphQL for Pentesters (2023)
Introducing GraphQL security for penetration tests: basic concepts, security considerations & reconnaissance, vulnerabilities and attacks, offensive tools.
ffuf advanced tricks (2022)
Covers advanced use cases of ffuf: the configuration file, reading from standard input, avoiding false negatives with match all and filtering with regexp, use of external payload mutators.
Cracking encrypted archives (PKZIP: Zip ZipCrypto, Winzip: Zip AES, 7 Zip, RAR) (2022)
Biham and Kocher plaintext attack on ZipCrypto Zip and wordlist attack on Zip, 7-zip and RAR.
Unicode Attacks - Rump BreizhCTF 2k22 (2022)
Case transformation collision and Hostname splitting Unicode attacks.
Security.txt | Progress in Ethical Security Research (2020)
This article looks to answer the question of how widely adopted security.txt has become, 3 years on from when it was first drafted.
SSH Pentesting Guide (2020)
A Comprehensive Guide to Breaking SSH.
Articles & Write-ups
SafetyNet Attestation API bypass (2023) 🇫🇷
Rump at BreizhCTF 2k23 presenting SafetyNet Attestation API bypass
Cracking hashed known_hosts (2022) 🇬🇧
Cracking hashed SSH known_hosts presentation
XSS classification model (2020) 🇬🇧
Types of XSS evolution
Markdown (2016) 🇬🇧
Markdown for daily usage
GraphQL for Pentesters (2022) 🇬🇧
Introducing GraphQL security for penetration tests
Unicode Attacks (2022) 🇫🇷
Rump at BreizhCTF 2k22 presenting two Unicode attacks
OTP (2017) 🇫🇷
One-time pad cryptography
Create python package (2016) 🇬🇧
How to create a simple Python package