Published in better appsec·PinnedBuilding a WebAuthn Click Farm — Are CAPTCHAs Obsolete?How I built a click farm to “bypass” Cloudflare’s CAPTCHA killer with some cheap USB security keys, an Arduino, and a bit of python. Any opinions stated here are my own, not necessarily those of any past, present, or future employer. What is Attestation of Personhood? Cloudflare recently published a blog post about a potential…Webauthn9 min readWebauthn9 min read
Published in bored.engineer·Dec 1, 2022XSS on account.leagueoflegends.com via easyXDM [2016]This post contains a chain of vulnerabilities I responsibly disclosed to Riot Games in November of 2016. I’m publicly disclosing it now as the first post in a series of interesting and/or technically complex vulnerability reports/findings I’ve made over the years. …Security9 min readSecurity9 min read
Published in bored.engineer·Aug 2, 2017DEF CON 25: Slides and Source Codelinkedin/jaqen jaqen - Jaqen - Simple DNS rebindinggithub.com1 min read1 min read
Published in bored.engineer·Aug 6, 2016DEF CON 24: Slides and ExploitHere’s the slides and exploits from the DEF CON 24 talk in Las Vegas, NV. Video to follow in a few weeks. Slides v1 drive.google.com Update on the slides, these issues have all been resolved, the slides were not updated before upload to the DEF CON server bored-engineer/ps-exploits ps-exploitsgithub.com bored-engineer/ps-splunk ps-splunk - Splunk perfSONAR toolsgithub.com1 min read1 min read
Published in bored.engineer·Jul 22, 2016git init && git commit -a -m “Initial Commit”I decided to relaunch my blog with my recent domain name change. It’s unlikely I will migrate the old content, but look forward to my incoherent ramblings about security bugs and the state of the industry in the future.1 min read1 min read
![XSS on account.leagueoflegends.com via easyXDM [2016]](https://miro.medium.com/fit/c/224/224/1*sVLywJQ-aZeEg1vm6GcRRQ.png)
![XSS on account.leagueoflegends.com via easyXDM [2016]](https://miro.medium.com/fit/c/160/112/1*sVLywJQ-aZeEg1vm6GcRRQ.png)
