/ Recent content on CptWin - InfoSec and Tech Hugo -- gohugo.io en-us Sun, 02 Jul 2023 00:00:00 +0000 /about/ Sun, 02 Jul 2023 00:00:00 +0000 /about/ Hi, I’m Dajne Win (also known as CptWin). This site is an attempt to collate my ramblings, research, and interesting things. Most of it is about computer security and technology. My socials: /post/2023-06-14-hardware-hacking-to-bypass-bios-passwords/ Wed, 14 Jun 2023 00:00:00 +0000 /post/2023-06-14-hardware-hacking-to-bypass-bios-passwords/ My writeup posted up on the CyberCX Blog https://blog.cybercx.co.nz/bypassing-bios-password The TLDR Proof of Concept (PoC) /post/2021-07-24-_blank-burp-plugin/ Sat, 24 Jul 2021 00:00:00 +0000 /post/2021-07-24-_blank-burp-plugin/ This is a follow up post to the _blank Links write up I did recently. Burp Suite is a tool I use daily for pentesting, one of it’s important functions is the ability to extend the tool itself with plugins. Given my history of writing tons of Java (ಠ_ಠ) I figured I should take a look at extending the tool I use everyday. You can technically write Burp Suite plugins in Python or Ruby. /post/2021-07-17-underscoreblanklinks/ Sat, 17 Jul 2021 00:00:00 +0000 /post/2021-07-17-underscoreblanklinks/ I’ve had this post half written up for some time, and recently set aside some time to actually get it written. Quite often during pentesting I have come across a web application that has functionality that allows users to set links in their profile, LinkedIn or Twitter for example. Sometimes these links are fully controllable, you can point them at any URL. If the link is controllable and the link has a target attribute of _blank, then an attack (dubbed “tab-nabbing”) can be performed. /post/2020-07-14-ask-me-anything---nz-cyber-security-challenge-2020/ Tue, 14 Jul 2020 00:00:00 +0000 /post/2020-07-14-ask-me-anything---nz-cyber-security-challenge-2020/ /post/2019-03-02-password-hashing-work-factor-recommendations-in-2019/ Sat, 02 Mar 2019 00:00:00 +0000 /post/2019-03-02-password-hashing-work-factor-recommendations-in-2019/ So you’ve decided to store hashed versions of your application user’s passwords, great start! You’ve done a bit of reading and decided you want to use a specialised password hashing algorithm. You implement it with the default security configuration in your favourite cryptography library, and you’re all set right? Many developers don’t take the final step to investigate the default configuration when implementing specialised password based hashing algorithms. However, the default configuration often does not provide the level of security required for current implementation. /post/2018-12-15-first/ Sat, 15 Dec 2018 00:00:00 +0000 /post/2018-12-15-first/ Obligatory Hello World post!