I played the DEFCON29 (2021) Red Team Village CTF online with team “Son of Anton”. After qualifying in 4th place we then came 4th in the finals 🏅…

The Google CTF was hard, so I don’t feel so bad about only solving easy challenges. Writeup also available as a Gist…

Had some fun with the Car Hacking Village at this year’s remote DEFCON Safe Mode. There seems to be a growing interest in automotive security which I’ve completely ignored until now, but decided to watch a beginner talk Cluster Fuzz by @mintynet about fuzzing the CAN bus…

The python tarfile module can end up in an infinite loop when opening maliciously malformed tar files. I came across Denial of Service bug bpo39017 when browsing the python bug tracker for security issues (I didn’t discover this bug myself). The error-reproducing zipfile the reporter uploaded is direct from the fuzzer, but I wanted to understand and isolate the issue by making the smallest tarfile which reproduces the bug…

Quite a while ago, I reported an application Denial of Service vulnerability in the Socket.IO / Engine.IO parser implementations in nodejs and python. A single HTTP POST request can cause extreme CPU and memory usage, but in nodejs, a single HTTP POST request can even kill the server with a Javascript heap out of memory fatal error…

I made some progress: Running code from a micro SD card as root Downloading camera firmware Writing custom firmware patches Finding the root password hash Changing the root password…

You can remotely pan/tilt the camera so it points away from the crown jewels while you move in to steal them…

This is a write-up for a difficult Sectalks CTF challenge set by tamas which took me many hours to solve…

A Jenkins CVE caught my eye despite being just a DoS…

Due to my research into Regular Expression Denial-of-Service (REDoS), I found and (after bug bounties) finally publicly reported CVE-2020-5243 in uap-core. Dependent packages uap-python, uap-ruby, etc are/were vulnerable…

Grafana is a monitoring dashboard used to display metrics. It’s used by many infrastructure and development teams…

I ran my top-secret REDoS-finding engine over the python code in cpython and found two remotely-exploitable vulnerabilities. Making a request to a malicious web server leads to denial of service (approximately infinite CPU time)…

Apache Zeppelin is a “Web-based notebook that enables data-driven, interactive data analytics and collaborative documents…” which is very similar to Jupyter notebook. Notebook servers offer polyglot Remote Code Execution (RCE) by design, so gaining access to one would make pwning the entire Hadoop cluster and all its data fairly simple…

Think you set your S3 bucket policies correctly? Nothing accidentally public? Trust but verify…

I wrote a blog post about my experiences fuzz-testing external and internal APIs, and covered some python and Postgres oddities…

This is a walk-through of how I go about investigating Android apps. I’m not a subject matter expert, so take everything here with a pinch of salt. As a case-study, I’ll look at the Railcards app which aims to replace physical railcards with ones which can run out of battery…

One simple way to improve the robustness of any code base is static analysis. It’s not widely used because it carries a (regrettably well-deserved) reputation for being a noisy, blunt instrument, but with small tweaks static analysis can become part of the common development process. In this post, I will explain how we use it to improve the security of our code…

At SecTalks, blinken ran a Hardware Hacking 101 session where we investigated a Chinese IPcam “WiFi Smart Net Camera” v380…

I like automated city bike rental services. My new watch app for finding a bike within a city bike share scheme is available on the Pebble app store…

I accidentally came across this character while evaluating the KEY Chinese-French dictionary for Pleco (hence the French translation above)…

Companies love Slack, and lots of services integrate via their API. While slash commands are simple web hooks, bots can listen in to the conversations taking place on a channel and participate. Meet @bingo! Add your buzzword to the list, and whoever mentions the word in the channel first will get the bingo. It’s a really simple unintelligent bot…

My new watch face for celebrating year of the monkey is available on the Pebble app store. It displays the date and day of the week in Chinese characters, along with the year’s zodiac animal. The design ended up being too cluttered, maybe a little ugly, but being a sinophile I quite like it. I just wanted a watch face with the date / weekday in Chinese characters, but with the time still in easy-(for me)-to-read Arabic numerals…

Project abandoned, sorry…

Several years back I was an avid Xbox 360 fanboy. I had also just made a couple of Facebook apps as a freelancer. At the time, there was an unofficial Xbox Live Facebook app which just showed an image containing your gamertag, picture, score and recent games as a section on your profile. This data came from a now-defunct website which was a member of Microsoft’s Xbox Community Developer Program (XCDP). Only XCDP members were allowed access to the Xbox Live API…