lanmaster53.com

I love teaching for a lot of reasons. One of the reasons is because I learn so much when I teach. Sounds weird doesn't it? Why would the person teaching be learning? Well, It's probably not what you think. Some of what I learn comes directly from the students, but a lot comes from debugging issues on the fly and some dumb-luck discovery when someone in the class accidentally clicks somewhere or mistypes something. Recently I was teaching a class, and a combination of these led to a pretty neat discovery that I want to share with the community. ... more

Training has been a significant part of my professional life since 2009. I've never written about my training pursuits, so as I march into my tenth year of training, fifth year of Practical Web Application Penetration Testing (PWAPT), and the first year of Practical Burp Suite Pro: Advanced Tactics (PBAT), I'd like to share a little about where I've been, where I'm at, and where I'm going, while specifically addressing my various courses. ... more

Most of you are probably well aware of the ongoing beta for Burp Suite Pro v2. While Portswigger recommends continuing to use the latest v1 stable version for commercial testing, many are anxious to get started with the features that Portswigger shared with us last year. Let me help you. I've been actively transitioning for six months now and would like to share with you a resource I've built along the way. ... more

If you're my age (born in the early 1980s) and know how to code, then it has likely been a differentiator for you in your career. I can't think of a single thing I've done professionally where my ability to understand programming concepts and write code has not benefited me in some way. However, coding is fast becoming a more common skill set amongst the younger generations. Teaching our kids to code is now more of a necessity and less of a luxury. ... more

While I don't do active defense in any part of my professional life, I enjoy developing active defense techniques for web technologies. Lately I've been dabbling in active defense mechanisms for Cross-Site Scripting (XSS) attacks, and as the developer of the HoneyBadger geolocation framework, incorporating the research into new reporting techniques and agents. ... more

Raise your hand if you've ever had sqlmap fail to find or exploit a vulnerability you knew to exist? I imagine there's a lot of folks with their hands up right now. Okay, put your hands down. ... more

So, a couple weeks ago Matt Svensson (@TechNerdings) dropped me a DM in Twitter:

Random other thing that I am curious if you guys have seen anything on... I just got an email from the local eye clinic. I hit the "spam" button on Gmail to report spam and unsubscribe. What I didn't realize is that it actually opens the unsubscribe link in the browser. Good news, easy unsubscribe. Maybe.....if you properly craft the spam...you could use the unsubscribe button to open a malicious web page?

Um... yeah! I immediately thought of how great a CSRF-via-email attack vector this was. Think about it. Users are trained not to click links, but in the case of Gmail, they're taught to click the handy-dandy "Report Spam" button to report it to the spam filter. But wait a second. The handy-dandy "Report Spam" button will go the extra step and unsubscribe the user from future attacks as well if the user so desires... and they do. ... more