Engineering, Application Security, and Drumming

I'm Blake, a website application security professional, and drumming devotee. I make the world better by advocating AppSec and playing percussive poetry in a 90's cover band.

Microsoft vs. Storm-0558

Last week Microsoft disclosed how China-based threat actor Storm-0558 managed to obtain the secret keys used for access to OWA and Outlook.com. There were 3 things that led to the breach.

TunnelCrack Can Leak VPN Data

An adversary can abuse these vulnerabilities to leak traffic outside the VPN tunnel. Our tests indicate that every VPN product is vulnerable on at least one device. We found that VPNs for iPhones, iPads, MacBooks, and macOS are extremely likely to be vulnerable.

Real World Code Review Vulnerability in a Next.js App

I recently worked on a Next.js codebase that had a vulnerability in an API endpoint called update-profile that would allow any authenticated user to modify the details of any other user...

Interesting Projects

  1. Payloads All The Things (Type: Pentesting)
  2. Web Check (Type: OSINT)
  3. Hurl (Type: Endpoint Testing)
  4. Cognitive Load Handbook (Type: Resource)
  5. Snyk (Type: Secure Coding)
  6. Password Game (Type: Fun)