Building hacking tools in Windows using Docker

Something that I have struggled with in the past as a software developer turned penetration tester is the fact that I use two operating systems on a daily basis, and this sometimes causes friction in my workflow. Note: I really don’t intend or want this to be a discussion of the merits of one OS or IDE compared with another. I use the tools that I am familiar and productive with, and it’s totally cool if you use something different....

28 July 2020 · 5 min · 1000 words · Jakob Pennington

Can Docker containers replace VMs for bug bounty hunters and penetration testers?

There were many things to consider, and we may talk about some of those things in the future, but the aspect of penetration testing I want to talk about today is the infrastructure we use to conduct a penetration test. Note: With a few minor exceptions, the same thought process applies for bug bounty hunting. If that’s more your thing, feel free to sed s/penetration testing/bug bounty hunting/g. What do we need from our infrastructure?...

22 July 2020 · 10 min · 1920 words · Jakob Pennington

Exploiting XSS via Markdown

I recently came across a web application in which I was able to exploit a Cross-Site Scripting (XSS) vulnerability through a markdown editor and rendering package. It was the first time I had come across this type of vulnerability, and I found it particularly interesting because it allowed me to bypass multiple layers of XSS filtering that was implemented in the application. Here’s a short article on how I came across the vulnerability and set about crafting an exploit....

8 February 2019 · 7 min · 1350 words · Jakob Pennington

Breaking into Encrypted iPhone Backups

This is a story about my favourite moment in Information Security so far. I thought, rather than just breaking down the technical part, I’d branch out and try something different. If you’re just interested in iOS security, feel free to skip ahead 👌 Note: Unfortunately, for legal reasons, I can’t crack your password for you. If you’ve ever worked in the IT industry, are good with computers, or were simply born after 1980, then you’re probably asked every other week to provide tech support....

21 November 2018 · 12 min · 2398 words · Jakob Pennington