Bypassing Modern WAF's Exemplified At XSS (Webcast)

Past Saturday, I conducted a "Webcast" on "Garage4hackers" on one of my favorite subjects in the field of Information Security i.e. "WAF Bypass". Initially, i had decided to present something on the topic of "Mobile Browser Security" due to the fact that this has been a topic I have been recently conducting a research on.

However i later realized that the "TakeAways" would not be much helpful, therefore i decided to talk about something that Bughunters/Pentesters can use in their day to day pentests and security engagements and hence i decided to present on this topic.

I must admit that the response has been overwhelming along with it, i have also managed to get a chance to learn more from the feedback and CTF responses.

I would like to specially thank "Imdadullah", "Himanshu", "Sandeep"  along with other garage4hackers members for inviting/supporting me through out the journey.  One of the best things "G4H Community" is the work they are doing for the security community by conducting free of cost Webcasts. You can find a list of other Webcasts here - ""

Bypassing Browser Security Policies for Fun and Profit (Full Presentation Video)

Blackhat has just recently released the full video for my talk on the subject of "Browser Security", If you wish to read the Whitepaper/Slides and SOP Test Suite, you can refer to my previous post on "Bypassing Browser Security Policies For Fun And Profit"

How Much Do Hackers Know About You?

The threat of black hat hackers has never been greater than now, considering the increasing organization of their efforts to make a dollar off of your digital assets and information. The common portrayal of the hacker is someone who knows enough about programming and the internet that they can seemingly access any information or know anything about anyone.

This is mostly an exaggeration. Finding information on someone is still work, sometimes very time-consuming and usually not worth the effort from a financial standpoint unless done on a large scale. It does beg the question, however, of how much hackers might know about you. Based on the trails you leave online and who you trust your information with, a hacker might already have a file with your name on it. It is a question worth investigating.

Bypassing Browser Security Policies For Fun And Profit (Blackhat Asia 2016)

Few hours back, i delivered a talk at Blackhat Asia 2016  on "Bypassing Browser Security Policies For Fun And Profit", the talk covered wide variety of topics starting from SOP bypasses, CSP bypass so on and so forth. Due to limited time i was only able to cover few topics, however, you can find rest of the topics in the WhitePaper below. The following was the abstract:

7 Qualities of Highly Effective Hackers

When asked to write on this topic, I admit that it made me fringe just a bit. Because I don't consider myself to be a highly effective hacker. I find myself as a noob everywhere that I'm trying to learn new things, or I am frustrated with the most ridiculous "hacker" material on the web, written by school-taught programmers that follow step by step instructions out of a manual that everyone has already read. Then I thought to myself.. "That's it!" That is Number One!

Facebook Account Hacked! What To Do Now?

Every single day i get emails in my inbox and on my facebook page from users querying about how to recover hacked facebook account and a common problem i see in all of them is that they are proactive. Everyone searches for Facebook account recovery softwares, Facebook hacking softwares and recovery mechanisms after their facebook or any other email account has been hacked. In this article, Gary suggests methods to identify if your computer or email account has been hacked and methods suggesting what you can do after your facebook account has been hacked.

In today’s digital world, it is unfortunately not uncommon for an account or machine to become compromised by an attacker for nefarious purposes. During your searches for a step-by-step solution, your frustration may hit the breaking point, as you scroll through page after page, listing preventative measures that it may already be too late for. No problem. In today’s article I will outline simple strategies that should get you back in control of your online accounts and devices after a breach is suspected or confirmed. These instructions will be laid out in a manner that should be quite easy for an average user to comprehend and execute. But first, let’s take a minute to understand exactly how this probably happened in the first place.

Rafay Baloch is an Independent security researcher, Internet marketer, Entrepreneur and a SEO consultant, He is the founder of RHA blog and multiple other blogs. Rafay got famous after finding a Remote Code Execution bug inside PayPal for which PayPal awarded him a sum of 10,000$ Read More..

Join In!

RHA © 2013. All Rights Reserved.