
CVSS v4.0 Public Preview
CVSS v4.0 will be published on October 1, 2023, with major changes compared to CVSS v3.1. This blog post discusses these changes in detail and provides example vulnerabilities to clarify the new concepts.
This blog post covers the basics of prompt injection and provides you with some common techniques to reveal the system prompt.
One-time passwords are much more likely to be guessed than you think. This blog post discusses the probability of brute-forcing them, how to do it effectively and how to defend against attacks.
Pentesting web applications thoroughly requires you to analyze their JavaScript. I’ve summarized my knowledge from 5 years of pentests into this blog post.
Did you know the HSTS header can be used as a tracking mechanism? Or that Firefox caps the number of stored HSTS entries at 1024? Starting with the very basics, this blog post will cover all of the above topics.