📄️ Brute-Forcing One-Time Passwords
One-time passwords are much more likely to be guessed than you think. This blog post discusses the probability of brute-forcing them, how to do it effectively and how to defend against attacks.
📄️ Burp Suite Certified Practitioner
I passed the Burp Suite Certified Practitioner exam on my third attempt and compiled my insights, so you can learn from my mistakes. This guide will help you to pass the exam and get certified!
📄️ CVE Crowd: Conditions for Posts to Be Listed
This blog post goes into detail about the conditions that accounts and posts have to fulfill to be listed on CVE Crowd.
📄️ CVSS v4.0 Public Preview
CVSS v4.0 will be published on October 1, 2023, with major changes compared to CVSS v3.1. This blog post discusses these changes in detail and provides example vulnerabilities to clarify the new concepts.
📄️ HTTP Strict Transport Security
Did you know the HSTS header can be used as a tracking mechanism? Or that Firefox caps the number of stored HSTS entries at 1024? Starting with the very basics, this blog post will cover all of the above topics.
📄️ JavaScript Analysis for Pentesters
Pentesting web applications thoroughly requires you to analyze their JavaScript. I've summarized my knowledge from 5 years of pentests into this blog post.
📄️ Prompt Injection
This blog post covers the basics of prompt injection and provides you with some common techniques to reveal the system prompt.
📄️ Security of Diffie-Hellman-Merkle Key Exchange
This blog post discusses the security of the Diffie-Hellman-Merkle key exchange. It contains a bit of theory, takes a look at possible attack vectors and evaluates its implementation in SSH.
📄️ What I Learned About Mastodon
This short blog post gives an introduction to Mastodon. It discusses the basics of servers, mobile apps, federation, timelines and some social features.