I want to share some tips on one of my favorite vulnerability classes: blind cross-site scripting. One of the reasons I love blind XSS is that when a payload pops, it’s almost always a critical vulnerability. When I first learned about XSS Hunter (an easy-to-use online tool that facilitates the blind XSS setup), I could…
A recent branch of penetration testing has emerged around attacking Large Language Models (LLMs). The field is still young, which invites two notable consequences. To know how to hack LLMs, it’s important to understand what they are. At their over-simplified core, Large Language Models are next-word predictors (more accurately, next-token predictors) that output a “best”…
A few weeks ago, I had the pleasure of attending Hardwear.io (yes, it’s really spelled like that), a conference all about hardware security. I came in with very little hardware experience, which put me in a great position to learn from the ground up. Below are 10 takeaways to organize my thoughts and provide the…
I’m starting this post with adoration for the Critical Thinking Podcast. The podcast launched around the time I began hacking full-time, and I consider it my companion. It is required listening for bug bounty hunters, but I recommend it to anyone involved in cyber security—especially if you care about the offensive perspective (and you should)….
The story begins with HackerOne, one of the leading bug bounty platforms. For those that don’t know, many companies accept vulnerabilities as part of public vulnerability disclosure programs, or they invite established hackers to private programs. The good ones even offer rewards. This is a big change from hacking twenty years ago, when a company…
Introduction At the time of this writing, I’ve worked in cybersecurity for two+ years as a penetration testing consultant (aka an ethical hacker). Each week, I target a new company’s systems, identifying and reporting vulnerabilities that I find. The fast-paced and varied nature of this work has provided me experience with a wide range of…