Hacking My Bank

I have around 17 years experience making people feel bad by finding errors in their code. I like to think I'm pretty good at it.

My computing hobby developed into a career in internet marketing as services moved online. Converting knowledge from my hobby to improve the efficacy of marketing campaigns was easier than hacking banks... Or so I thought. I was recently employed by the leading marketing agency located in Brighton.

They are owned by a large multinational conglomerate which reported an anual revenue of $10 billion in 2014...


Mocking the military

Disclaimer: This post is probably not safe for work. Bad language, political views, and oxford commas aplenty.

This article covers a few basic cross site scripting bugs in Department of Defence and Ghost Security websites. The idea is to highlight how even the most security conscience among us can forget to check for the most basic exploits.


How To: Not get hacked

Most people don't really care about security. We hope and believe our computers take care of security for us. Posting the latest Facebook update pretending to be our cat is far more important. The cat and mouse game could work, if your computer was the cat. It's not. The best we can do is play catch-up and hope the hackers take more time to develop an exploit than it takes to run an instantaneous, worldwide, fix. Of course, there is no such thing.


Scoot.co.uk XSS

I am an SEO engineer at heart. Always on the lookout for opportunities from which links and/or citations can be gleaned. Often, while looking for link placements I find sites with security vulnerabilities. I always try to work with affected sites to help secure the attack vector with mixed results. More often than not the sites get patched and everyone is happy. Sometimes I get ignored. Sometimes I get a generic "we will fix it" reply but the exploit gets ignored. The site in question passes the information stored on its site onto several authoritative websites in the UK, some of which are the biggest news organisations we have…


An XSS attack in action

Cross site scripting attacks, commonly called XSS, are becoming more and more prevalent as the power of JavaScript has evolved way beyond simple DOM manipulation. Using the power of embeded JavaScript can be beneficial for an attacker for several reasons including…


Blocking proxies tutorial

Since a lot of people proxy Ddos, it’s useful to protect your site against it. You have three options if you have total control over the server...

  • Detect proxies and block them on firewall/mod_security level
  • Detect them via PHP and block them via .htaccess
  • Detect and block them via .htaccess

AV Arcade XSS Exploit

During registration, the user name field of the AV Arcade script is open to possible XSS attack. Code will be processed on the members page. The code can be overflown to the homepage fairly easily. XSS can be used.



A serious TCP/IP Vulnerability known as “SockStress” has been found, exploited, and information released by a Security group called Outpost24. The SockStress TCP/IP Vulnerability has had wide implications for server and website owners.

This latest vulnerability not only has severe implications for many web masters, designers and programmers, but also affects routing servers and any system with TCP stack processes exposed to the outside world.


Javascript Security

JavaScript is designed as an open scripting language. It is not intended to replace proper security measures, and should never be used in place of proper encryption.

JavaScript has its own security model, but this is not designed to protect the Web site owner or the data passed between the browser and the server. The security model is designed to protect the user from malicious Web sites, and as a result, it enforces strict limits on what the page author is allowed to do. They may have control over their own page inside the browser, but that is where their abilities end.