Persistence or Snake-oil: Re-achieving Persistent XSS

Boring old XSS

During 2025 I was determined to understand what it meant to have persistence within a web environment. This led me down a massive rabbit hole… from navigation hooking to service worker attacks, I ventured forth. In the end, we managed not only to persist past navigation, but managed to persist our control over a victim's browsing session even after browser close. I had the opportunity to present the research output at the following conferences:
One minute to read

TryHackMe NoScope Early Access Partner

Rise of the Pentest Agents

I was fortunate enough to be a part of the NoScope pentesting agent early access development program backed by TryHackMe. Regardless of the potential controversy that was stirred up with the release of this solution, I hold firm that pentesting agents can improve the workflow of human pentesters if given direction, and can be used as a force for good to secure the world! I strongly believe in the potential NoScope has, having witnessed it firsthand.
One minute to read

Breaking the Barrier Part 2

The Star Wars Sequel

During BSides Cape Town this year, I was fortunate enough to be a speaker there and had the opportunity to present the outcomes of my initial research that focused on web application firewalls and the modern state of WAFs. In the talk we took a look at a high-level history of the evolution of WAFs as well as the growth of the techniques they use to detect and repel malicious behavior.
One minute to read

Breaking the Barrier: Exploring WAF Bypass Vulnerabilities

Cracking the Shield: WAF Bypass Techniques Unveiled

Introduction

Web Application Firewalls (WAFs) play a crucial role in safeguarding web applications by filtering and monitoring HTTP traffic between a web application and the internet. They are designed to protect against various web-based attacks, such as SQL injection, cross-site scripting (XSS), and other attacks. However, as with any security measure, WAFs are not infallible. The constant evolution of attack techniques means that even the most robust WAFs can be bypassed under certain conditions.
7 minutes to read

Exploiting the Complex: The WikiJs CSTI Vulnerability

Preface

In today’s tech landscape, integrating front-end and back-end technologies often necessitates complex systems. However, these intricate systems can also introduce new and exotic vulnerabilities. In this post, we’ll explore a case where a sophisticated yet complex system in the widely-used Wiki.js framework led to a critical 0-day vulnerability—CVE-2024-34710.

Background

Wiki.js is a powerful wiki framework built with Vue.js for the front end and Node.
6 minutes to read