IntelliJ has a deprecated PasswordUtil class that statically xors secrets for storage. Some plugins like Sonarlint (from Sonarqube) still use this outdated class to store passwords and tokens.

This is the source code from the BraekerCTF 2024. I always wanted to create a large-scale, high-quality CTF, and I was working on it since Dec 2022. It is a jeopardy-style hacking competition, and it ran from 23 February 2024 to 24 February 2024. Over 700 teams participated.

Modified the original Argon2 code for some simple password cracking.

Some pentesters struggle to effectively write about pentest results, causing findings and reports to end up in the bin. To create a healthy ecosystem we should share knowledge on what makes a pentest report work. Over the years I have developed my own methods for quickly producing high-quality deliverables. By sharing this knowledge I hope you can improve your writing as well.

Legislators and technologists have not reached consensus on regulations for cryptographic control. Let's look at arguments, history and the future in order to balance the discussion and to restore trust in controlling cryptography.

This short guide aims to aid companies by increasing the cost-effectiveness of penetration testing services.

We'll reverse the Oracle Apex engine and find out how to crack its hashes with hashcat.

I started out with this article to showcase vulnerabilities in honeypot software, but ended up believing that honeypots are the next step in leveling the cyber security playing field.

The NetIQ Access Manager was vulnerable to an XXE vulnerablity, allowing attackers to perform a Denial of Service attack on the IAM platform.

Pro-actively tighten security procedures or your security team might be subject to social engineering attacks.

No tools were available for recovering a password from a pixelized screenshot, so I created a Proof of Concept. In this article I explain my algorithm and its implementation, but start with some history and the current state of deblurring techniques.

Password expiration and complexity rules are dead. We have proper password policy guidelines for over three years now. Stop trying to fix users and start fixing your infrastructure.

ViewState deserialization has been 'fixed' in .NET since 2012, but a vulnerable code snippet for creating a custom compressed ViewState is being passed around on the internet to this day.

A new Spot The Bug challenge based on a vulnerability I found during an assignment.

The lock of the front door was broken, so I hacked together a way for housemates to open the door via their phones.

How to extract the sa password hash and view the content of the master database from an MSSQL database backup (.bak).

During my time at Applied Risk I discovered a Command Injection vulnerability in Siemens Spectrum with the help of Rutger Hendriks. Siemens Spectrum is a control system for power grids.

An article about my experiences with the OSCP course.

When working for Applied Risk I got to contribute to research for hacking Building Mangement Systems. We'd found bugs and created exploits for owning buildings over the internet.

Application for cracking LoRaWAN sessions if the AppKey is known but the handshake is missed.

Patch for airodump for only logging relevant data for WPA cracking.

Example program for interfacing with the HackRF.

Some blog article I wanted to write on information security.

Program for using the Razer Tartarus Chroma on Linux because the normal drivers weren't working.

How and why I failed a couple of times during a code review / pentest.

A proper SNI configuration for lighttpd DH parameters.

Programming exercise for virus-making for getting to know assembly, Mach-O binaries and how virusses work.

Programming exercise for encrypting email. This is a mailbot in Python for Postfix for setting up PGP encrypted mail.

How I fixed the "couldn't get 'max filedescriptors'" error from Lighttpd.

Warm-up for the Spot The Bug challenge 2018 from Securify.

After reporting some vulnerabilities I found during SumOfPwn to a newspaper, they ask me to give some general internet safety tips for 2017-2018. The article contains a few of my practical tips. Here is the complete (Dutch) text I sent in regarding internet safety for the public.

Tutorial on compiling a Monero miner op OSX.

In this article I share some experiences from cracking RSA moduli in bulk by exploiting the use of common GCDs.

A short article about fixing the 'critical software update' error message when re-installing a Macbook Pro with a touch bar.

Bypassing registration for the Kobo Aura H2O so you can use it like the actual product you payed for.

Advisory for broken TLS certificate pinning in VTech DigiGo Kid Connect app that allows for a Man-in-the-Middle attack on the chat functionality.

Advisory for vulnerability that allows attackers to perform a persistent overlay attack on the browser app.

Advisory for broken TLS certificate validation in the VTech DigiGo browser.

Advisory for buffer over-read vulnerability in Virtuozzo Power Panel (VZPP) and Automator.

Advisory for Reflected Cross-Site Scripting in CM4ALL.

Programming practice to factorise an RSA modulus using very basic methods.

Crackcoin is a very basic blockchain-free cryptocurrency PoC in Python. It's a programming practice project for discovering cryptocurrencies.

Bloomhash - Instant negative hash cracking wordlist lookup

Write-up for the Spot The Bug challenge 2016 from Securify.

Briefing for the Spot The Bug challenge 2016 from Securify.

Programming practice for threaded server/client TCP sockets.

Advisory for Reflected Cross-Site Scripting vulnerability in W3 Total Cache plugin (Wordpress plugin).

Advisory for DoS via Cross-Site Request Forgery in WordPress Press This function.

Advisory for Persistent Cross-Site Scripting in Woocommerce WordPress plugin (Wordpress plugin).

Advisory for Multiple vulnerabilities in All In One WP Security & Firewall plugin login CAPTCHA (Wordpress plugin).

Advisory for Persistent Cross-Site Scripting in Instagram Feed plugin via CSRF (Wordpress plugin).

Advisory for Reflected Cross-Site Scripting vulnerability in MailPoet Newsletters plugin (Wordpress plugin).

Advisory for authorization bypass in InfiniteWP Admin Panel (Wordpress plugin).

Advisory for Persistent Cross-Site Scripting in WP Google Maps Plugin via CSRF (Wordpress plugin).

Advisory for Stored Cross-Site Scripting in Gallery - Image Gallery (Wordpress plugin).

Advisory for Weak validation of Amazon SNS push messages in W3 Total Cache (Wordpress plugin).

Advisory for Command injection in InfiniteWP Admin Panel (Wordpress plugin).

Advisory for Information disclosure race condition in W3 Total Cache (Wordpress plugin).

Programming exercise for using the canvas element from Javascript.

Script for showing ascii animations in the terminal using the Python curses library.

A Python quine I created in 2015 has been doing well on Stackoverflow.

Write-up for the Spot The Bug challenge 2015 from Securify.

Briefing for the Spot The Bug challenge 2015 from Securify.

Advisory for bypassing local address filters in the Glype web-based proxy that allows attacking the internal network of the proxy host.

Advisory for path traversal vulnerability in the Glype web-based proxy that allows an attacker to run arbitrary PHP code on the server or remove critical files from the filesystem.

Back in 2014 I thought of a hack for the Dutch train system I call trainpooling.

Advisory for Denial of Service vulnerability in HackerOne via GIF image upload.

Python script for generating custom PNG chunks for testing decoders.

Advisory for Denial of Service vulnerability in HackerOne via PNG image upload.

Advisory for Denial of Service vulnerability in HackerOne via JPG image upload.

A long time ago I worked at a helpdesk. While working there I started documenting stupid things people said over the phone (in Dutch). It was hilarious.