Following up on my last post about XPath injections, I will document part of the process we went through to exploit CVE-2014-1409 and hopefully convince a few that this category of bugs is no joke and should be looked for during pentests.

So, what about it? Well, let me tell …

XPath injection bugs are relatively common in web applications, yet it's a vulnerability class ignored by the vast majority of pentesters.

I think that there is two main reasons for that:

• The tooling to exploit this type of vulnerabilities sucks.
• There is very few documented cases of "useful" bugs being …

This morning I have received a special spam, the kind that warrants a blog post.

It's interesting for several reasons:

• It has my name in the Subject Header
• It came through an address that I have only given to my bank
• It uses a clever old-school trick to avoid bayesian …