/dev/posts/

Malleability of ECDSA (and DSA) signatures, JWTs, etc.

This blog post explains that ECDSA and DSA signatures are malleable, that JWTs can be malleable as well, and how this can be used to bypass some broken implementations of JWT deny lists (used for revocation of JWTs or anti-replay protection).

Risk of reflected cross site scripting and Content-Security-Policy bypass in the WebSub intent verification

I was reading the WebSub specification (formerly PubSubHubbub) when I found that there was a risk of reflected browser-side code injection (reflected cross site scripting, reflected XSS) in the WebSub intent verification exchange.

Computer security guidelines and references

A list of computer security guidelines and references.

Authority Ambiguity Vulnerabilities in NGINX and Debian’s proxy_params

Friends don't let friends use $http_host

Two related authority-ambiguity vulnerabilities in NGINX and Debian's proxy_params configuration snippet.

Cryptography formats

If you are trying to understand the difference between the various cryptography-related formats (PKCS#12, PKCS#8, PEM, X.509 certificates, DER, JWK, BEGIN ENCRYPTED PRIVATE KEY??? 🤯), you will hopefully find some useful information here (and a lot more you did not want to know about).

Books I have read in 2025

Books I have read in 2025. Should be mostly spoiler free.

Asymmetric keys and Siths

Some (not so serious) cryptographic wisdom from a long time ago…

Reinforcement Learning formulas cheat sheet

Cheat sheet for (some) reinforcement learning mathematical formulas and algorithms.

Concealing XSS payloads

PortSwigger's “Concealing payloads in URL credentials” talks about concealing XSS payloads in URL credentials. The nice thing is that this makes the payload invisible to WAFs and other server-side XSS filters. You can actually conceal the payloads in other places…

Codingame Spring Challenge 2025

My experience from the Codingame Spring Challenge 2025.

Page 1 of 12