Here’s a little overview of my last few months:
- Thinking about using libjson? Maybe you should wait for a bug fix.
- Trying to fuzz Java code with afl-gcj was not a very pleasant experience.
- Made some efforts to show how to fuzz CGI scripts with AFL.
- My CRASS project that includes a script to grep for interesting security related tokens is constantly growing.
- Burp collaborator is blocked in certain company networks, that’s why you should setup your own private Burp collaborator instance.
- For web pentests of websites that allow image uploads I can recommend using this burp plugin together with fuzzing images (if you have your own fuzzed crash images, otherwise try the corpus from AFL).
- I did my first Hackerone report for the Twitter iOS app. I was able to intercept TLS traffic and Twitter confirmed it as a high severity issue. Hopefully I’ll be able to give more details in an upcoming blog post as soon as it’s disclosed.
- The Vallader Romansh dictionary app I wrote for Android is now available for iOS on the Apple app store as well.
- When you are a big German security news portal and write an article about misleading advertisement, you should make sure that your advertisement in the article is not misleading.