Blogs

Buffer Overflow in HexChat 2.9.4

A buddy of mine, Mulitia, and I were talking about 0-days, and he mentioned finding one in HexChat, a popular IRC client. It was super low severity, but still neat. If you entered “/server ” followed by 20,000 random characters, the application died. I decided to try to make a working …

Multiple Hover.com Security Issues

I’m a customer of Hover for my domain name needs. However, that will be changing because I don’t believe that they take issues seriously. The first security issue: I was browsing their site, looking for a new domain, and being the constant tinkerer I am, I entered a single quote into the …

XBMC Traversal Metasploit Module

Background: I was talking in Intern0t several months ago. AcidGen, from IOActive, mentioned that he found a bug in XBMC. I use XBMC quite a bit at home, on various platforms, since it’s extremely wife-friendly. I hit him up, and we started talking. We had a nice Skype conversation, where we …

HSTS Metasploit Module

I have been working as a security consultant for a few months now, and one finding that is on almost every webserver I come across is the lack of an HSTS (HTTP Strict Transport Security) implementation. This is understandable, since HSTS is still fairly new. In fact, before starting at Accuvant, I …

OverTheWire Monxla Part 3

Continuing from the last post, we are now logged in as a user. The next step on the PDF from the agent, that we can access, is the Notes Service. I started analyzing the source code, and noticed that the text that says “yes” or “no” in the table is actually an image being …

OverTheWire Monxla Part 2

In the previous post, I showed how to get the PDF that outlines the services running on the Monxla VM image. This article will continue where that one left off. Firstly, the PDF explains that there are 2 virtual hosts enabled on the machine. To configure my machine for these virtual hosts, I added …