Kirby < 3.9.6 XML External Entity (XXE) vulnerability — CVE-2023-38490 (2023)

Detailed write-up about an XXE on Kirby CMS (CVE-2023-38490).

What’s new in ffuf 2.0 release? (2023)

Covers new features in ffuf 2.0: scrapper, request backtracking, configuration supporting XDG_CONFIG_HOME.

Transform P3 P4 P5 vulnerabilities to P1 (2022)

How to steal user sessions by chaining low risk vulnerabilities.

Ruby 3.2.0 Preview 1 : vivre dans le futur (2022)

Overview of the new features that will come in Ruby 3.2.0: WebAssembly (WASM / WASI), ReDoS protection, Unicode v14.

Some sudo elevation of privilege vulnerabilities (2021)

An introduction to 3 sudo vulnerabilities: CVE-2019-14287, CVE-2019-18634, CVE-2021-3156.

Shodan Pentesting Guide (2020)

Delving deep into Shodan's mine.

State of the art of network pivoting in 2019 (2019)

State of the art of network pivoting, this paper covers several pivoting techniques as well as the existing tools to perform a lateral move.

GraphQL for Pentesters (2023)

Introducing GraphQL security for penetration tests: basic concepts, security considerations & reconnaissance, vulnerabilities and attacks, offensive tools.

ffuf advanced tricks (2022)

Covers advanced use case of ffuf: the configuration file, reading from standard input, avoiding false negatives with match all and filtering with regexp, use of external payload mutators.

Cracking encrypted archives (PKZIP: Zip ZipCrypto, Winzip: Zip AES, 7 Zip, RAR) (2022)

Biham and Kocher plaintext attack on ZipCrypto Zip and wordlist attack on Zip, 7-zip and RAR.

Attaques Unicode - Rump BreizhCTF 2k22 (2022)

Case transformation collision and Hostname splitting Unicode attacks.

Security.txt | Progress in Ethical Security Research (2020)

This article looks to answer the question of how widely adopted security.txt has become, 3 years on from when it was first drafted.

SSH Pentesting Guide (2020)

A Comprehensive Guide to Breaking SSH.