Let me ask you a question dear reader, have you ever visited a website that one of your friends posts a link to only to find that the site requires you to register for an account before you can see the content? Or perhaps you visited a web site on your computer and then also... Continue Reading →
The Vulnerability A while ago I found a bunch of web servers that had the Microsoft IIS Tilde Enumeration vulnerability on them. You can read more about the vuln http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf or http://www.acunetix.com/blog/web-security-zone/windows-short-8-3-filenames-web-security-problem/. Essentially, you can brute force file names that are on IIS web servers and possibly retrieve them using the ye olde style Windows 8.3 naming... Continue Reading →
My Virgin CTF At DerbyCon (derbycon.com) 2014, I participated in my first conference CTF (Capture the Flag) event. For those that haven't yet done one, you take your laptop configured with your attack tools and join a network of hundreds of other conference-goers. All of you are tasked with exploiting information security weaknesses in the... Continue Reading →