XXE is not the only vulnerability that can be introduced to a web application when processing XML files. If the values within strings are not handled correctly, it may also be possible for an attacker to introduce a cross-site scripting payload that could be triggered any under circumstance where the value is returned to a user.

Let’s take a look at an example of this in from a recent web application test.

The application itself allowed an end user to import an XML file from which it returned information to users in other areas of the application at a later…


When adding a “Password Reset” function to your application you should ensure it has same security considerations as any other critical function within the application. Attackers often spend extra time trying to break these mechanisms to gain some sort of unauthorised access.

There are some key considerations that must take place when implementing this function to ensure it cannot be abused by attackers:

  • it should essentially be impossible for an attacker to obtain in any manner a password reset token for another user
  • tokens must have a limited time span and be invalidated upon use
  • tokens must only be authorised…

When beginning any security assessment, whether it be a penetration test, bug bounty or a red team engagement, it is vitally important to perform as much recon as time will allow to ensure you discover any potential points of weakness that can be exploited which will allow you to complete your objective.

One of the key abilities to compromise a target is having enough information to find one of these weak points. For example, a small Internet footprint may mean that you need to phish users, and by performing enumeration of staff, DNS records and their technology stack you can…


After recently completing my OSCP (2nd exam attempt) I wanted to give a few non-technical tips since most guides out there seem to focus mostly on the technical side.

The approach I took for the second attempt differed a lot from the first, especially from a non-technical point of view. Whilst these tips may not be for everyone, hopefully they will help some.

Take breaks often.

The technical portion of the exam runs over 24 hours, which can be pretty gruelling, especially since you’re staring at a screen for most of that time. …


The “s” is meant to mean “secure”, right?

A little while ago, out of a mix of both boredom and curiosity, I decided to take a look at the SolarWinds free SFTP server. I tend to get a bit wary of “free” and “secure” phrases within the same product description/name as that can generally not be the case.

After some (extremely) lazy fuzzing that returned exactly what I expected, I decided to take a look around the application structure itself — config files, DLL hijacking etc. and found a couple of interesting things.

CVE-2018–16791 — Insecure Password Storage

The config…


Note: This is an older post from my old GitHub pages ‘blog’. Information was correct at the time this was posted in that location, circa mid-2017.

The Signature Problem

Traditionally, AV has always been about signatures. Malware is released, AV companies reverse it, signatures are created and released, AV now detects malware (lag time between malware release and DAT update can vary) and all is well with the world.

This has always been OK for penetration testers, as they could simply pack or crypt or write their own malware for each engagement. …


Overnight @taviso dropped a few vulnerabilities in GhostScript, including one that will cause code execution in ImageMagick.

Link to the bug report in Project Zero.

ImageMagick is not shy when it comes to the amount of vulnerabilities disclosed, with over 40 in 2018, and who can forget the marketing around ‘ImageTragick’?

The ImageMagick code execution caught my eye, mostly because it is widely used on web servers, it seemed fairly trivial to exploit, and seemed to show the most promise in turning to a remote code execution.

The PoC provided by Tavis is fairly easy to break down, with the…


When playing for the blue team, there’s a fair chance you’ll need to get some alerting in place to warn you of some potential bad in your network. The following searches were written with Splunk + sysmon, however should be portable to most SIEM solutions. You may need to tailor these searches to your own specific environment.

Note. Some alerts are a WIP. I also know they could be written better, but they work for me. :)

Adversaries can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several…


“KonaKart is a java based eCommerce software platform trusted by top brands throughout the world to give them a stable, high-
performance online store”.

I was tasked with performing an assessment on an updated version of the product. This post details a path traversal that was found within the administrative panel that could allow:

  • XSS attacks
  • Exposure of private or sensitive data
  • Taking remote control of the server

The vulnerability was found to lie in an administrator’s ability to create shop products. As part of this, a ‘digital’ product can be created that can be downloaded from the store front…

Numb Shiva

itsec guy. sometimes i internet. oscp/penetration testing/red team.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store