TechEarl
Topic · Security

Security

Hands-on web security: SQL injection, XSS, SSRF, RCE, and the labs to practice all of them.

146 articles · Written by Ishan Karunaratne
Web security guides on SQL injection, XSS, SSRF, RCE, with hands-on labs and tooling cheat sheets.
More in Security
The API security tools worth using in 2026: Burp Suite, mitmproxy, OWASP ZAP, kiterunner, Postman, jwt_tool, graphql-cop. Compared with honest trade-offs.

The Best API Security Tools in 2026

The API security tools I actually reach for in 2026: Burp Suite, mitmproxy, OWASP ZAP, kiterunner, Postman, jwt_tool, graphql-cop, and the commercial platforms. Strengths, weaknesses, and how I decide which to use.

Clickjacking tools worth using in 2026: PoC generators, ZAP, Burp Active Scanner, DNSChkr HTTP headers, Mozilla Observatory, double-click PoCs.

The Best Clickjacking Tools in 2026

The clickjacking tools I actually reach for in 2026: PoC generators, OWASP ZAP, DNSChkr HTTP Security Headers, Mozilla Observatory, Burp Active Scanner, and the post-Yibelo double-clickjacking PoC repos. Honest framing on a thin tool space.

The XSS tools worth using in 2026: XSStrike, Dalfox, kxss, Burp Suite with DOM Invader, BeEF, XSS Hunter, ZAP, and Caido. Honest trade-offs.

The Best XSS Tools in 2026

The cross-site scripting tools I actually reach for in 2026: XSStrike, Dalfox, kxss/Gxss, Burp Suite with DOM Invader, BeEF, XSS Hunter, OWASP ZAP, and Caido. Strengths, weaknesses, and how I decide which to use.

The insecure deserialization tools worth using in 2026: ysoserial, ysoserial.net, marshalsec, PHPGGC, Burp scanner, GadgetInspector. Honest trade-offs.

The Best Deserialization Tools in 2026

The insecure deserialization tools I actually use in 2026: ysoserial for Java, ysoserial.net for .NET, marshalsec, PHPGGC, Burp's Java Deserialization Scanner, GadgetInspector, and the honest story on Python pickle. Strengths, weaknesses, and how I pick.

LFI and path traversal tools worth using in 2026: LFImap, LFISuite, dotdotpwn, ffuf with SecLists, Burp Intruder, kadimus. Honest trade-offs.

The Best LFI and Path Traversal Tools in 2026

The LFI and path traversal tools I actually reach for in 2026: LFISuite, LFImap, dotdotpwn, ffuf with SecLists, Burp Intruder, kadimus, and PayloadsAllTheThings. Honest strengths, weaknesses, and when each one wins.

The SSRF tools worth using in 2026: SSRFmap, Gopherus, Burp Collaborator, interactsh, ffuf, and cloud-metadata payload kits. Honest trade-offs.

The Best SSRF Tools in 2026

The SSRF tools I actually reach for in 2026: SSRFmap, Gopherus, Burp Collaborator, interactsh, ffuf, and the PayloadsAllTheThings cloud-metadata kit. Strengths, weaknesses, and how I decide which to use.

The SQL injection tools worth using in 2026: sqlmap, ghauri, jSQL Injection, NoSQLMap, Burp Suite. Compared with honest trade-offs.

The Best SQL Injection Tools in 2026

The SQL injection tools I actually reach for in 2026: sqlmap, ghauri, jSQL Injection, NoSQLMap, Havij (and why I do not use it), plus Burp Suite's role and the manual workflow. Strengths, weaknesses, and how I decide which to use.

The CSRF tools worth using in 2026: Burp Suite, OWASP ZAP, xsrfprobe, Param Miner, and the manual Origin/SameSite workflow. Honest trade-offs.

The Best CSRF Tools in 2026

The CSRF tools I actually reach for in 2026: Burp Suite's PoC generator, OWASP ZAP, xsrfprobe, Param Miner for hidden token discovery, plus the manual Origin and SameSite workflow. Honest framing on a defence class that mostly won.

XXE tools worth running in 2026: XXEinjector, Burp with Collaborator, interactsh, oxml_xxe, docem, ffuf. Honest trade-offs and libxml reality.

The Best XXE Tools in 2026

The XXE tools I actually reach for in 2026: XXEinjector, Burp Suite with Collaborator, interactsh, oxml_xxe, docem, PayloadsAllTheThings, and ffuf. Why XXE is a manual-heavy class, what libxml hardening changed, and how I decide.

The remote code execution tools worth using in 2026: commix, SSTImap, msfvenom, Sliver, Burp Collaborator. Compared with honest trade-offs.

The Best RCE Tools in 2026

The remote code execution tools I actually reach for in 2026: commix for OS command injection, SSTImap for template injection, msfvenom and Metasploit for payloads, Sliver for the C2 layer, and Burp Collaborator for blind variants. Honest trade-offs.

Visitors see a fake Cloudflare verification on your WordPress site asking them to paste a command. That's ClickFix. Detection, removal, and persistence cleanup so it doesn't return.

The Fake Cloudflare Verification Attack on WordPress (ClickFix): What It Is and How to Remove It

Visitors to your WordPress site see a fake 'Cloudflare verification' page telling them to paste a command into Windows Run or Terminal. That's ClickFix, the social-engineering campaign that first appeared in early 2024 and exploded across compromised WordPress sites by autumn. What it does, where the injection lives in your site, and how to clean it without missing the persistence.

How Scattered Spider breached MGM Resorts in 2023 with one help-desk phone call, reset Okta access, and caused a 10-day ransomware outage. Caesars paid.

The MGM Breach: A Phone Call to the Help Desk, a $100M Outage

In September 2023, Scattered Spider breached MGM Resorts with a single phone call to the IT help desk, reset an employee's access, and triggered a ransomware outage that took down slot machines, hotel keys, and reservations for ten days. Caesars was hit the same way and paid. A post-mortem of the help-desk attack chain.

How the 2023 MOVEit breach (CVE-2023-34362) used a SQL injection zero-day and the LEMURLOOT web shell to hit thousands of organisations. The attack chain.

The MOVEit Breach: SQL Injection at Supply-Chain Scale

In 2023 the Cl0p gang exploited a SQL injection zero-day in MOVEit Transfer to breach thousands of organisations and tens of millions of people in weeks. It is proof that SQL injection still causes the largest breaches, and a lesson in managed-file-transfer supply-chain risk. A post-mortem of the attack chain.

Practical LFImap reference by task: targeting, traversal, PHP wrappers, command injection, RFI, cookies, proxying, output. Real upstream flags.

LFImap Cheat Sheet: Every Flag I Actually Use

A field-tested LFImap reference: target selection, traversal wordlists, PHP wrappers (filter/input/data/expect/file), command injection, RFI, log/proxy/cookie shaping, second-order requests, and the `PWN` placeholder. Grounded in the real argparse surface.

How the 2022 Uber breach used MFA fatigue plus a WhatsApp pretext, then a hardcoded admin credential in a PowerShell script to reach the PAM vault. The lessons.

The 2022 Uber Breach: MFA Fatigue and a Hardcoded Password

In September 2022, an attacker spammed an Uber contractor with MFA prompts, then messaged them on WhatsApp pretending to be IT to get one approved. Inside, they found a hardcoded admin password in a script that unlocked Uber's secrets vault. A post-mortem of the MFA-fatigue attack chain.

Step-by-step LFImap walkthrough: baseline, /etc/passwd read, php://filter source disclosure, php://input RCE, log poisoning. Docker reproducible.

LFImap Tutorial: Exploiting a Vulnerable App End to End

A complete LFImap walkthrough against a deliberately vulnerable lab app: endpoint identification, baseline scan, traversal, php://filter source disclosure, php://input RCE, and log poisoning. Every step reproducible with one docker compose command.

How Log4Shell (CVE-2021-44228) turned a logged string into remote code execution via a JNDI lookup, why it spread so far, and the patch-saga lessons.

Log4Shell: How a Logging Line Became Remote Code Execution

In December 2021, a flaw in Log4j (CVE-2021-44228) let an attacker run code on a server simply by getting a malicious string logged. Because Log4j is everywhere in the Java world, it became one of the most widely exploited vulnerabilities ever disclosed. A post-mortem of the JNDI attack chain, the messy patch saga, and the lessons.

How the 2021 Robinhood breach used a vishing call to a customer-support employee to reach support systems and expose data on roughly 7 million people.

The Robinhood Breach: One Phone Call to Support, 7 Million Exposed

In November 2021, an attacker phoned a Robinhood customer-support employee, social-engineered their way into support systems, and walked out with data on roughly 7 million people. No malware, no exploit, just a convincing phone call to a help desk. A post-mortem of the support-tool attack chain.

How the 2021 Colonial Pipeline ransomware attack started with a single leaked VPN password and no MFA, caused a fuel crisis, and what it teaches about access.

The Colonial Pipeline Attack: One Password, No MFA, a Fuel Crisis

In May 2021, ransomware shut down the largest fuel pipeline in the US and sparked panic buying across the East Coast. The way in was a single leaked password for an unused VPN account with no multi-factor authentication. A post-mortem of the attack chain, the ransom, and the lessons.

Practical Dalfox v3 reference by task: targeting, parameter mining, blind XSS, evasion, pipeline integration with kxss and waybackurls, output formats.

Dalfox Cheat Sheet: Every Flag I Actually Use

A field-tested Dalfox v3 reference: target specification, detection tuning, parameter mining, blind XSS callbacks, evasion, pipeline patterns, and output shaping. Updated for the v3 Rust rewrite that consolidates everything under `dalfox scan`.

The workload profile (-w), optimized kernels (-O), device selection, benchmark-driven tuning, the attack ordering that beats any flag, and the ceiling you cannot tune past.

Speed Up Hashcat: Workload, Optimized Kernels, and Tuning

hashcat slow? Most of the speed is in two things: the workload flags and the order you run attacks. I cover the workload profile, optimized kernels and their length cap, device selection, benchmark-driven tuning, and why attack ordering beats every flag. Tested on hashcat 7.1.2.

How the July 2020 Twitter hack used phone spear-phishing to reach the internal admin console and hijack Obama, Musk, and Apple accounts.

The 2020 Twitter Hack: Vishing to God-Mode in a Day

In July 2020, attackers phoned their way into Twitter, reached the internal admin console, and hijacked Obama, Musk, Bezos, Apple, and dozens more for a Bitcoin scam. No malware, no software exploit, just phone calls. A post-mortem of the attack chain and the lessons.

Dalfox v3 walkthrough: scan subcommand, captured request files, stored and DOM XSS, blind callbacks, cookie theft. Reproducible against one lab.

Dalfox Tutorial: Exploiting a Vulnerable App End to End

A complete Dalfox walkthrough against a deliberately vulnerable XSS lab: reflected, stored, and DOM sinks, captured request files, blind callbacks, custom payloads, and a working cookie-theft chain. Updated for the Dalfox v3 Rust rewrite (May 2026) with the unified scan subcommand.

Step-by-step commix walkthrough: capture, detect, classic / blind, os-shell, reverse TCP, file read/write, escapeshellcmd argument injection.

commix Tutorial: Exploiting a Vulnerable App End to End

A complete commix walkthrough against a deliberately vulnerable lab app: identify the sink, capture the request, run the classic, time-based, and file-based techniques, pop an os-shell, catch a reverse TCP, and exploit the escapeshellcmd argument-injection gap.

How the 2019 Capital One breach used SSRF to reach the AWS EC2 metadata service, steal IAM credentials, and exfiltrate 100M+ records. Why IMDSv2 exists.

The Capital One Breach: SSRF and the Cloud Metadata Service

In 2019, a misconfigured web application firewall let an attacker use SSRF to reach the AWS metadata service, steal the server's IAM credentials, and exfiltrate the data of over 100 million Capital One applicants. It is the canonical cloud-SSRF breach and a prominent example of the attack class IMDSv2 was designed to mitigate. A post-mortem of the attack chain.

Hashcat vs John the Ripper on speed, hash coverage, file formats, attack engine, and usability, with a clear decision table for when to reach for each.

Hashcat vs John the Ripper: Which Should You Use?

Hashcat or John the Ripper? They overlap but have different sweet spots. I compare them on speed, hash and file-format coverage, the attack engine, and usability, and give a straight answer for when to reach for each. Most people end up using both.

Practical SSRFmap reference: request capture, every module, per-module options, handler setup, AWS / GCP / Azure metadata recipes, custom modules.

SSRFmap Cheat Sheet: Every Module and Flag I Actually Use

A field-tested SSRFmap reference: target capture, the real module list (readfiles, portscan, redis, fastcgi, mysql, smtp, axfr, aws, gce, alibaba, digitalocean, github, zabbix, postgres, docker, socksproxy, smbhash, tomcat, memcache, networkscan, custom), handler setup, cloud metadata workflows, and where Burp Repeater is still the better tool.

Step-by-step SSRFmap walkthrough: capture, detect, read files, portscan, bypass an allowlist, steal IMDS credentials, confirm blind SSRF.

SSRFmap Tutorial: Exploiting a Vulnerable App End to End

A complete SSRFmap walkthrough against a deliberately vulnerable lab: identify the sink, capture the Burp request, run detection, read local files, scan internal hosts, bypass a broken allowlist, hit the IMDS mock, and confirm blind SSRF out of band.

Why UpdraftPlus and other in-WordPress backup plugins fail when the site is compromised, plus a working 3-2-1 setup with restic or borg, retention policy, and a verification routine.

Off-Server WordPress Backups (3-2-1) With Verified Restores

The backup plugin running inside WordPress is the same WordPress the attacker just compromised. A 3-2-1 backup strategy with restic or borg, stored outside the trust boundary, and verified by monthly test restores. Configuration, retention, and the exact restore sequence after a compromise.

Capture the handshake or PMKID with hcxdumptool, convert with hcxpcapngtool, crack with hashcat -m 22000 and a wordlist, realistic expectations, and why WPA3 changes the game.

How to Crack a WPA/WPA2 Wi-Fi Password with Hashcat

How to recover your own WPA/WPA2 Wi-Fi password: capture the handshake or PMKID, convert it to the hashcat 22000 format, and crack it with a wordlist. I cover the full toolchain, realistic expectations for this slow hash, and why WPA3 resists the whole approach. Lab use only. Tested on hashcat 7.1.2.

The *2john extract-then-crack workflow for encrypted ZIP, RAR, PDF, and Office files, with real output, the hashcat alternative, and why these are slow hashes. Tested on 1.9.0-jumbo-1.

Crack ZIP, RAR, and PDF Passwords with John the Ripper

Forgot the password on an encrypted ZIP, RAR, PDF, or Office file? John the Ripper extracts a crackable hash from it and recovers the password. I walk the *2john workflow with real output, the hashcat alternative, and why a wordlist beats brute force here. Tested on 1.9.0-jumbo-1.

Practical XXEinjector reference by task: target options, request file format, OOB vs direct modes, PHP filter wrappers, file enumeration, and listeners.

XXEinjector Cheat Sheet: Every Flag I Actually Use

A field reference for XXEinjector: target options, request file format with the XXEINJECT marker, OOB and direct modes, PHP filter wrappers, file enumeration, logging, and custom listeners. Grouped by what you are trying to do.

The four ways attackers silently disable Wordfence, Sucuri Security, iThemes Security Pro (Solid Security), Patchstack, MalCare, and Jetpack Scan. Plus the above-doc-root attack class where the malware lives outside WordPress and no plugin can ever see it. Server-side monitoring that doesn't depend on WordPress being trustworthy.

Why Wordfence (or Any Security Plugin) Keeps Getting Silently Disabled

WordPress security plugins running inside WordPress can be disabled by anything that runs inside WordPress, including the malware they're supposed to catch. The four mechanisms attackers use to silently turn off Wordfence, Sucuri, Jetpack, WP Activity Log, and similar tools, plus the server-side monitoring layer that doesn't depend on WordPress being trustworthy.

Practical fuxploider reference by task: target, true/false regex, extension fuzzing, cookies, headers, proxy, threading, and post-upload pivot.

fuxploider Cheat Sheet: Every Flag I Actually Use

A field-tested fuxploider reference: target shaping, true/false response detection, extension fuzzing, cookies and headers, proxying, threading, and what to do once a webshell uploads. Grounded in the real argparse surface.

Crack bcrypt with hashcat -m 3200, understand why it is thousands of times slower than MD5, what the cost factor does to crack time, and the only attack that makes sense.

How to Crack a bcrypt Hash (and Why It's So Slow)

bcrypt is the hash you mostly cannot crack, and that is the point. I cover the hashcat command (-m 3200), why bcrypt is deliberately glacial, how the cost factor multiplies crack time, realistic GPU expectations, and the only attack worth running against it. Tested on hashcat 7.1.2.

Step-by-step fuxploider walkthrough: baseline, extension bypass, MIME forge, double-extension, drop a webshell, pivot to Weevely.

fuxploider Tutorial: Exploiting a Vulnerable App End to End

A complete fuxploider walkthrough against a deliberately vulnerable upload lab: baseline, extension bypass via .phar, lying about MIME, the double-extension trick against Apache AddHandler, a working webshell, and a Weevely pivot. Reproducible with one docker compose command.

Where Windows NTLM hashes come from, why they fall fast, the optimal hashcat attack (-m 1000), realistic crack times on modern GPUs, and how NTLM differs from NetNTLMv2.

How to Crack NTLM Hashes with Hashcat

NTLM is the hash behind Windows and Active Directory passwords, and it is fast and unsalted, which is why a password audit cracks weak ones in seconds. I cover the hashcat command, where the hashes come from, realistic crack times, and the NetNTLMv2 distinction. Tested on hashcat 7.1.2.

A complete hardened wp-config.php template for WordPress with comments on every setting: DISALLOW_FILE_EDIT, FORCE_SSL_ADMIN, salt rotation, file permissions.

A Hardened wp-config.php Template (with Comments on Every Choice)

wp-config.php is loaded early in every WordPress request, before any theme or plugin code runs. The defaults from the stock installation are minimal; the hardened settings take five minutes to apply and close most of the attack surface that lives below the plugin layer. A complete annotated template covering disabled file editing, forced HTTPS, secure salt rotation, debug behaviour, and the file permissions that matter.

Why MD5 falls in seconds, the optimal hashcat attack (-m 0), salted MD5 variants, the truth about MD5 decrypt sites, and why no app should store passwords as MD5.

How to Crack an MD5 Hash with Hashcat

MD5 is the easy case: fast, unsalted, and broken for passwords, which makes it the perfect place to learn cracking. I cover the hashcat command, salted MD5 variants, why MD5 decrypt sites are not what they claim, and why MD5 has no business storing a password. Tested on hashcat 7.1.2.

How hashcat rule functions mutate wordlist words, the best64 ruleset with real output, stacking rules, writing your own, and the big public rulesets. Tested on hashcat 7.1.2.

Hashcat Rules: More Cracks From the Same Wordlist

Rules are the highest-yield technique in cracking: one wordlist word becomes hundreds of plausible variants. I cover the rule functions, best64 with real generated output, stacking, writing your own, and the big public rulesets. Tested on hashcat 7.1.2.
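A minimal interpreter for the rule syntax this entry describes, added here as an example and not taken from hashcat or the article. It implements a subset of the rule functions (`:`, `l`, `u`, `c`, `t`, `r`, `d`, `f`, `{`, `}`, `[`, `]`, `$X`, `^X`, `TN`, `DN`, `sXY`, `pN`) with hashcat's semantics for each, and the rule-file text it expands is constructed for the demo, not best64:

```python
def _pos(c):
    """hashcat position argument: 0-9, then A-Z for positions 10-35."""
    return int(c) if c.isdigit() else ord(c.upper()) - ord("A") + 10


def apply_rule(word, rule):
    """Apply one hashcat rule line (a sequence of single-char functions) to a word.

    Whitespace between functions is ignored, as hashcat does.
    """
    w, i = word, 0
    while i < len(rule):
        fn = rule[i]
        if fn in " :":
            pass                                   # separator / no-op
        elif fn == "l":
            w = w.lower()
        elif fn == "u":
            w = w.upper()
        elif fn == "c":
            w = w[:1].upper() + w[1:].lower()      # capitalise first, lower the rest
        elif fn == "t":
            w = w.swapcase()                       # toggle case of every char
        elif fn == "r":
            w = w[::-1]
        elif fn == "d":
            w = w * 2
        elif fn == "f":
            w = w + w[::-1]                        # reflect
        elif fn == "{":
            w = w[1:] + w[:1]                      # rotate left
        elif fn == "}":
            w = w[-1:] + w[:-1]                    # rotate right
        elif fn == "[":
            w = w[1:]
        elif fn == "]":
            w = w[:-1]
        elif fn == "$":
            i += 1
            w = w + rule[i]
        elif fn == "^":
            i += 1
            w = rule[i] + w
        elif fn == "T":
            i += 1
            n = _pos(rule[i])
            if n < len(w):
                w = w[:n] + w[n].swapcase() + w[n + 1:]
        elif fn == "D":
            i += 1
            n = _pos(rule[i])
            if n < len(w):
                w = w[:n] + w[n + 1:]
        elif fn == "s":
            i += 2
            w = w.replace(rule[i - 1], rule[i])    # replace all X with Y
        elif fn == "p":
            i += 1
            w = w * (_pos(rule[i]) + 1)            # append N copies
        else:
            raise ValueError(f"unsupported rule function {fn!r} in {rule!r}")
        i += 1
    return w


def stack(word, rules):
    """Equivalent of several -r files: each rule applies to the previous result."""
    for r in rules:
        word = apply_rule(word, r)
    return word


def load_rules(text):
    """Parse rule-file text: one rule per line, blanks and '#' comments skipped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def expand(words, rules):
    """What hashcat feeds the hash function: every word under every rule, in order."""
    return [apply_rule(w, r) for w in words for r in rules]


# Constructed mini rule file in hashcat syntax (illustrative, not best64).
RULES_TXT = """\
# identity, capitalise, common suffixes, leet, reverse, toggles
:
c
c $1
c $1 $2 $3
$2 $0 $2 $6
sa@ so0
r
u T0
T0 T4
"""

if __name__ == "__main__":
    for candidate in expand(["password"], load_rules(RULES_TXT)):
        print(candidate)
```

Run it and the nine candidates for `password` come out in rule-file order; swap in a real rule file via `load_rules(open("best64.rule").read())` to see what hashcat will try before you try it.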

Built-in and custom charsets, increment mode, keyspace maths, and the policy-shaped masks that crack passwords a plain brute force never would in time. Tested on hashcat 7.1.2.

Hashcat Mask Attack (-a 3): Smart Brute Force That Finishes

A mask attack is brute force with a brain: you tell hashcat the shape of the password and it skips the quadrillions of strings nobody picks. I cover the charsets, custom charsets, increment mode, the keyspace maths, and the masks that actually crack real passwords. Tested on hashcat 7.1.2.
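Worked keyspace maths for the mask entry above, and the cost-factor point from the bcrypt entry, as an added Python example (not the article's code). The charset sizes follow hashcat's documented built-ins; the hash rate you pass in is whatever your own benchmark reports, and the masks in the comments are illustrative:

```python
import string

# hashcat's built-in charsets as real character sets, so a custom charset
# such as -1 ?l?d can be expanded and counted without double counting.
BUILTIN = {
    "l": string.ascii_lowercase,                 # 26
    "u": string.ascii_uppercase,                 # 26
    "d": string.digits,                          # 10
    "s": " " + string.punctuation,               # 33: space plus 32 punctuation
    "h": "0123456789abcdef",                     # 16
    "H": "0123456789ABCDEF",                     # 16
    "b": bytes(range(256)).decode("latin-1"),    # 256
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]   # 95


def _tokens(mask):
    """Split a mask into positions: '?x' tokens and single literal characters."""
    out, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            out.append(mask[i:i + 2])
            i += 2
        else:
            out.append(mask[i])
            i += 1
    return out


def charset(token, custom):
    """The set of characters one mask position can take.

    custom maps 1..4 to the -1 .. -4 specs, which are themselves mask-like
    strings ("?l?d", or literal characters such as "_-").
    """
    if token == "??":
        return {"?"}
    if token.startswith("?"):
        key = token[1]
        if key in BUILTIN:
            return set(BUILTIN[key])
        if key.isdigit() and int(key) in custom:
            return set().union(*(charset(t, custom) for t in _tokens(custom[int(key)])))
        raise ValueError(f"unknown charset {token}")
    return {token}                               # literal: exactly one choice


def keyspace(mask, custom=None):
    """Number of candidates a mask generates: the product of the charset sizes."""
    custom = custom or {}
    total = 1
    for t in _tokens(mask):
        total *= len(charset(t, custom))
    return total


def increment_keyspace(mask, min_len, max_len, custom=None):
    """--increment: hashcat runs the first k positions of the mask for each k."""
    toks = _tokens(mask)
    return sum(keyspace("".join(toks[:k]), custom)
               for k in range(min_len, min(max_len, len(toks)) + 1))


def estimate_seconds(keyspace_size, hashes_per_second):
    """Worst case: every candidate tried once at the benchmarked rate."""
    return keyspace_size / hashes_per_second


def bcrypt_work_multiplier(cost_from, cost_to):
    """bcrypt runs 2**cost key-setup rounds, so each +1 on cost doubles the time."""
    return 2 ** (cost_to - cost_from)


def human(seconds):
    for unit, name in ((365 * 86400, "years"), (86400, "days"), (3600, "hours"), (60, "minutes")):
        if seconds >= unit:
            return f"{seconds / unit:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    rate = 1e11                                  # illustrative fast-hash rate, H/s
    for mask, custom in (("?u?l?l?l?l?l?d?d", None),        # policy-shaped: Summer23
                         ("?a?a?a?a?a?a?a?a", None),        # blind 8-char brute force
                         ("?1?1?1?1?1?1", {1: "?l?d"})):    # -1 ?l?d
        ks = keyspace(mask, custom)
        print(f"{mask:20} {ks:>22,}  {human(estimate_seconds(ks, rate))}")
    print("bcrypt cost 10 -> 12 multiplies crack time by", bcrypt_work_multiplier(10, 12))
```

The interesting output is the ratio between the first two rows: the policy-shaped mask is a few hundred thousand times smaller than blind `?a` at the same length, which is the whole argument for masks over plain brute force.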

How the 2017 Equifax breach exploited an unpatched Apache Struts RCE (CVE-2017-5638) to steal 147M records, and how an expired cert blinded detection.

The Equifax Breach: An Unpatched Bug and a Blind Sensor

In 2017, attackers exploited an unpatched Apache Struts remote code execution flaw to breach Equifax and steal the data of 147 million people. A patch had been available for months, and an expired certificate had blinded the network monitoring for 19 months. A post-mortem of the RCE attack chain and the failures around it.

What rockyou.txt is and where to get it, the curated wordlists worth having, how to optimise and order them, and how to generate target-specific lists with crunch, cewl, and hashcat.

Password Cracking Wordlists: RockYou and Beyond

A cracker is only as good as the candidates it tries, and the wordlist is the most important one. I cover rockyou.txt and where to get it, the curated lists worth having, how to optimise and order them, and how to build target-specific lists with crunch, cewl, and hashcat --stdout.

Practical sqlmap evasion: tamper scripts that still bypass Cloudflare, AWS WAF, ModSecurity. Request shaping, fingerprint reduction, manual fallback.

sqlmap Evasion and Anti-Detection: WAF Bypass in Practice

How to get sqlmap past commercial WAFs. Tamper scripts that still work, request shaping (delays, chunked encoding, HPP), fingerprint reduction, when tamper chains fail and you need to drop to manual Burp Repeater, and the defender's view of what these techniques look like in the logs.

Identify any hash by prefix and length or with a tool, then map it to the right hashcat -m mode and John format. Fingerprint table, dnschkr Hash Identifier, name-that-hash.

How to Identify a Hash Type (and Find the Hashcat Mode)

Before you can crack a hash you have to know what it is. I cover identifying a hash on sight from its prefix and length, the tools that do it for you, and the part most guides skip: mapping the algorithm to the right hashcat -m mode and John format.

Thousands of hits to admin-ajax.php are usually WordPress Heartbeat and plugins, not an attack. How to read the action parameter and the fix that does not break your site.

admin-ajax.php High Traffic: Attack or Normal?

Thousands of hits to wp-admin/admin-ajax.php are almost always your own site: WordPress Heartbeat and plugins, not a DDoS. How to read the action parameter, when it is a real attack, and why blocking the file breaks your site.

Host-header SQL injection in multi-tenant SaaS routing. Vulnerable tenant-lookup code, manual exploit, sqlmap commands, the defence.

Host Header SQL Injection: Multi-Tenant Routing Gone Wrong

Host header SQL injection happens in multi-tenant SaaS apps that look up the tenant by hostname. Same pattern applies to X-Forwarded-Host. The vulnerable code, how to test it by hand, the sqlmap one-liner, and the defence that scales with tenant count.

Fill in your hash file, wordlist and format, then copy ready-to-run John the Ripper commands for the *2john extractors and every cracking mode. Full flag reference. Tested on 1.9.0-jumbo-1.

John the Ripper Cheat Sheet: Extract, Crack, Show

Set your hash file, wordlist, and format once, and every John the Ripper command below fills in with your values, ready to copy. The *2john extractors, all four cracking modes, the full flag reference, and the format list. Tested on 1.9.0-jumbo-1.

Why SSH reports REMOTE HOST IDENTIFICATION HAS CHANGED, when it is safe, and how to clear the stale known_hosts entry with ssh-keygen -R.

Fix SSH "Host Key Verification Failed"

Why SSH warns that the remote host identification has changed, when it is safe to clear, and the one command that removes the stale known_hosts entry: ssh-keygen -R.

JSON-body SQL injection in REST APIs, GraphQL resolvers, ORM raw-query calls. Vulnerable code, curl exploit, sqlmap commands with --data, defence.

SQL Injection in JSON Request Bodies (REST and GraphQL APIs)

JSON-body SQL injection is the modern face of the bug: REST APIs, GraphQL resolvers, and ORM raw-query escape hatches. How developers paint themselves into the corner with template strings around JSON fields, the manual exploit, sqlmap commands with --data and *, and the defence.

Disable direct root login over SSH and the console, lock the root password, and use a normal account plus sudo instead, safely.

How to Disable Root Login on Linux

Disable direct root login over SSH and on the console, lock the root password, and move everyone to a normal account plus sudo, without locking yourself out.

Fill in your hash file, wordlist, mode and mask, then copy ready-to-run hashcat commands for every attack mode. Full flag reference, charset table, common modes. Tested on hashcat 7.1.2.

Hashcat Cheat Sheet: Build the Command, Copy, Crack

Set your hash file, wordlist, hash mode, and mask once at the top, and every command below fills in with your values, ready to copy and run. Then the full flag reference grouped by task, the mask charset table, and the common -m modes. Tested on hashcat 7.1.2.

How a SQL injection on legacy TalkTalk pages exposed 156,959 customers in 2015. The ICO's £400,000 fine, the unpatched 3.5-year-old bug, and the lessons.

The TalkTalk Breach: How One SQL Injection Cost £77 Million

In October 2015 a SQL injection flaw on three forgotten legacy webpages exposed 156,959 TalkTalk customers. The regulator called it preventable: the underlying bug had a fix available for three and a half years. A practitioner's post-mortem of the attack, the ICO verdict, and the engineering lessons.

Install John the Ripper jumbo, extract hashes from files with *2john, run your first crack, use single/wordlist/incremental/mask modes, and know when John beats hashcat. Tested on 1.9.0-jumbo-1.

John the Ripper: The Complete Guide (Jumbo, with Real Examples)

John the Ripper is the cracker that runs anywhere and pulls a hash out of almost any encrypted file. I walk the jumbo install, auto-detection, the *2john extractors that are its killer feature, your first real crack, the cracking modes, and where John still beats hashcat. Tested on 1.9.0-jumbo-1.

Referer-header SQL injection in click-attribution, analytics, anti-CSRF logging. Vulnerable code, curl exploit, sqlmap commands, defence.

Referer Header SQL Injection: A Practical Guide

Referer-header SQL injection lives in click-attribution tables, marketing analytics, and anti-CSRF logging. Same shape as User-Agent injection but distinct enough to need its own treatment. Vulnerable code, curl exploit, sqlmap commands, defence.

Create a hardware-backed SSH key on a YubiKey with ssh-keygen -t ed25519-sk. How FIDO2/U2F SSH keys work, ed25519-sk vs ecdsa-sk, resident keys, and the OpenSSH and firmware versions you need.

SSH Keys With a YubiKey (FIDO2 / U2F)

Generate a hardware-backed SSH key on a YubiKey with one ssh-keygen command. How FIDO2/U2F SSH keys work, the difference between ed25519-sk and ecdsa-sk, resident keys, and the firmware and OpenSSH versions you need.

Step-by-step WordPress malware removal: identify the attack vector (files, database, .htaccess, wp-config), clean every layer, rotate credentials, and lock down to prevent reinfection. Cross-platform scripts for Linux and macOS.

How to Remove WordPress Malware: The Practitioner's Playbook

A step-by-step methodology for finding and removing malware from a compromised WordPress site, written by a Security+ certified engineer who's been cleaning sites since the early WordPress 2.x era. Covers every attack vector: file backdoors, database injections, .htaccess hijacks, wp-config tampering, and recurring reinfection. Originally written in 2016, updated regularly as new patterns emerge.
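A sketch of the server-side layer mentioned in the security-plugin entry further up, and of the file-layer step of this playbook: an added Python example, not the article's script, that baselines a WordPress tree by SHA-256, diffs it against a later scan, and triages the result. The directory layout, toy files, simulated compromise and triage rules are constructed for the demo; the baseline is meant to be kept off-host and the scan run by a cron job outside the PHP process, which is what keeps it out of reach of anything that can disable a plugin:

```python
import hashlib
import json
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin/", "wp-includes/")
WRITABLE_DIRS = ("wp-content/uploads/", "wp-content/cache/")    # should never gain PHP
BOOT_FILES = ("index.php", "wp-config.php", ".htaccess", "wp-settings.php")


def snapshot(root):
    """sha256 of every file under root, keyed by POSIX relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff(baseline, current):
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def triage(report):
    """Turn a raw diff into the alerts a human should look at first."""
    alerts = []
    for p in report["added"] + report["modified"]:
        if p.endswith(".php") and p.startswith(WRITABLE_DIRS):
            alerts.append(("php-in-writable-dir", p))
        elif p in report["added"] and p.startswith(CORE_DIRS):
            alerts.append(("new-file-in-core", p))
        elif p in report["modified"] and (p.startswith(CORE_DIRS) or p in BOOT_FILES):
            alerts.append(("core-or-boot-file-modified", p))
    for p in report["removed"]:
        if p.startswith("wp-content/plugins/"):
            alerts.append(("plugin-file-removed", p))   # a security plugin going quiet
    return alerts


def demo():
    """Build a toy WordPress tree, baseline it, simulate a compromise, report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        tree = {   # constructed minimal layout, not real WordPress files
            "index.php": "<?php require 'wp-blog-header.php';",
            "wp-config.php": "<?php define('DB_NAME', 'wp');",
            "wp-includes/version.php": "<?php $wp_version = 'x';",
            "wp-content/uploads/2026/04/photo.jpg": "not really a jpeg",
            "wp-content/plugins/wordfence/wordfence.php": "<?php // plugin bootstrap",
        }
        for rel, body in tree.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)

        # The baseline is what you keep off-host; round-trip it through JSON
        # to show it is plain data that can live on another machine.
        baseline = json.loads(json.dumps(snapshot(root)))

        # Simulate the compromise pattern the playbook describes.
        (root / "index.php").write_text("<?php /* injected loader */ require 'wp-blog-header.php';")
        (root / "wp-content/uploads/2026/04/wp-cache.php").write_text("<?php // dropped webshell")
        (root / "wp-includes/class-wp-extra.php").write_text("<?php // dropped backdoor")
        (root / "wp-content/plugins/wordfence/wordfence.php").unlink()

        report = diff(baseline, snapshot(root))
        return report, triage(report)


if __name__ == "__main__":
    report, alerts = demo()
    print(json.dumps(report, indent=2))
    for kind, path in alerts:
        print(f"ALERT {kind}: {path}")
```

In production the `snapshot()` of the live tree is taken from the web root, the baseline is read from the off-host copy, and only the alerts go to whoever is on call; a PHP file appearing under `uploads/` is the one that justifies paging someone.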

X-Forwarded-For SQL injection in geolocation lookups, IP ban lists, audit logs. Vulnerable code, curl exploit, sqlmap commands, the fix.

X-Forwarded-For SQL Injection: The Proxy Header Bug

X-Forwarded-For SQL injection lives in geolocation tables, audit logs, IP-based ban lists, and rate-limit lookups. The same family includes X-Real-IP, X-Client-IP, and True-Client-IP. The vulnerable code, manual exploit with curl, sqlmap commands, and the fix.

The complete guide to password cracking: the offline-hash workflow, every attack mode and when to use it, fast vs slow hashes, realistic crack times, and the defences that win.

Password Cracking: How It Actually Works (Beginner to Advanced)

Password cracking is not guessing at a login form. It is an offline maths problem against a stolen hash. I walk the whole workflow, every attack mode and when to use each, the fast-vs-slow hash divide that decides everything, and what the clock actually looks like on modern hardware.

Step-by-step sqlmap walkthrough: capture, detect, fingerprint, enumerate, dump, read files, pop a shell. Reproducible with one docker compose up.

sqlmap Tutorial: Exploiting a Vulnerable App End to End

A complete sqlmap walkthrough against a deliberately vulnerable lab app: target identification, baseline, capture, detection, fingerprinting, enumeration, dumping, file read, and OS shell. Every step reproducible with one docker compose command.

LUKS disk encryption with cryptsetup on Linux: luksFormat to encrypt a block device, luksOpen to unlock it, then mkfs and mount. Includes header backup and keyslot management.

LUKS Disk Encryption With cryptsetup

Set up LUKS disk encryption with cryptsetup: format a block device, open it, put a filesystem on it, and mount it. The four commands, plus the header backup nobody warns you about.

How the 2005 Samy worm used stored XSS and a chain of filter bypasses to self-propagate across a million MySpace profiles in under a day. The lessons.

The Samy Worm: How One XSS Took Down MySpace in 20 Hours

In 2005, a single stored XSS payload on one MySpace profile spread to over a million accounts in under 20 hours and forced the site offline. It is the first great XSS worm, and a masterclass in defeating input filters. A post-mortem of how the Samy worm worked and what it teaches.

Every HTTP request field that carries SQL injection: URL, body, User-Agent, Referer, Cookie, X-Forwarded-For, Host, Authorization, custom headers.

SQL Injection in HTTP Requests: Every Vector Attackers Use

A practical map of every place SQL injection can live inside an HTTP request: query string, URL path, request body (form, JSON, XML, multipart filename), and every header from User-Agent to Authorization. Where attackers look, why developers miss each one, and where to start hardening.
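The header and body vectors mapped above (the Host tenant lookup, the X-Forwarded-For ban check, and the JSON email field from the three entries earlier on this page) in one runnable Python example, added here and not drawn from the article's own code. A constructed attacker request is parsed, the values land in string-built SQLite queries beside their parameterised counterparts, and the schema, tenant names and the hostname shape check are assumptions for the demo:

```python
import json
import re
import sqlite3

# Constructed attacker request. Every value below is chosen by the client.
RAW_REQUEST = (
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: nonexistent' UNION SELECT id, api_key FROM tenants--\r\n"
    b"X-Forwarded-For: 203.0.113.9' AND '1'='2\r\n"
    b"Referer: https://evil.example/\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b"{\"email\": \"x@example.com' OR '1'='1\", \"password\": \"pw\"}"
)


def parse_request(raw):
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def make_db():
    """In-memory stand-in for the multi-tenant schema (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tenants (id INTEGER PRIMARY KEY, hostname TEXT, name TEXT, api_key TEXT);
        INSERT INTO tenants VALUES (1, 'acme.example', 'Acme', 'key-acme-0001');
        INSERT INTO tenants VALUES (2, 'globex.example', 'Globex', 'key-globex-0002');
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT);
        INSERT INTO users VALUES (1, 'alice@acme.example');
        INSERT INTO users VALUES (2, 'bob@globex.example');
        CREATE TABLE banned_ips (ip TEXT PRIMARY KEY);
        INSERT INTO banned_ips VALUES ('203.0.113.9');
    """)
    return conn


# --- vulnerable: the header or JSON field is spliced into SQL syntax ---

def lookup_tenant_vulnerable(conn, host):
    return conn.execute(f"SELECT id, name FROM tenants WHERE hostname = '{host}'").fetchall()


def find_user_vulnerable(conn, email):
    return conn.execute(f"SELECT id, email FROM users WHERE email = '{email}'").fetchall()


def is_banned_vulnerable(conn, client_ip):
    return conn.execute(f"SELECT 1 FROM banned_ips WHERE ip = '{client_ip}'").fetchone() is not None


# --- fixed: bound parameters, plus a shape check where the value has a known grammar ---

HOSTNAME = re.compile(r"[a-z0-9.-]{1,253}")   # assumption: no port in Host, compared lowercase


def lookup_tenant_safe(conn, host):
    host = host.lower()
    if not HOSTNAME.fullmatch(host):          # a hostname never contains a quote
        return []
    return conn.execute("SELECT id, name FROM tenants WHERE hostname = ?", (host,)).fetchall()


def find_user_safe(conn, email):
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()


def is_banned_safe(conn, client_ip):
    return conn.execute("SELECT 1 FROM banned_ips WHERE ip = ?", (client_ip,)).fetchone() is not None


def client_ip_from(headers):
    # first hop of X-Forwarded-For, as naive code reads it; the string is attacker-supplied
    return headers.get("x-forwarded-for", "").split(",")[0].strip()


def demo():
    _, headers, body = parse_request(RAW_REQUEST)
    conn = make_db()
    host, ip, email = headers["host"], client_ip_from(headers), json.loads(body)["email"]
    return {
        "host_vuln": lookup_tenant_vulnerable(conn, host),    # every tenant's api_key
        "host_safe": lookup_tenant_safe(conn, host),          # []
        "email_vuln": find_user_vulnerable(conn, email),      # every user row
        "email_safe": find_user_safe(conn, email),            # []
        "ban_vuln": is_banned_vulnerable(conn, ip),           # False: ban bypassed
        "ban_real_ip": is_banned_safe(conn, "203.0.113.9"),   # True with the peer address
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12} {v}")
```

Two things to notice in the output: the Host payload does not need a valid tenant at all, because UNION supplies the rows, and the ban bypass works even though the banned address is right there in the header. The fixed versions bind the value, and the ban check should additionally take the address from the socket peer or the trusted proxy, never from a header the client can write.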

Practical sqlmap reference by task: targeting, fingerprinting, enumeration, dumping, file access, OS shell, evasion, tamper scripts.

sqlmap Cheat Sheet: Every Flag I Actually Use

A field-tested sqlmap reference: target specification, request shaping, detection tuning, DBMS fingerprinting, enumeration, dumping, file system access, OS command execution, evasion, and tamper scripts. Grouped by what you are actually trying to do.

Every major social engineering technique: phishing, vishing, smishing, MFA fatigue, help-desk pretexting, BEC, SIM swap. How each works and how to defend.

Social Engineering Attacks: The Complete Taxonomy

A practitioner's map of how attackers breach the human layer: phishing, spear-phishing, vishing, smishing, MFA fatigue, help-desk pretexting, business email compromise, and SIM swapping. How each works, the real breaches it caused, and how to defend against it.

An ordered SQL injection learning path: understand the bug, find it, exploit every variant and vector, automate with sqlmap, beat WAFs, and defend it.

Learn SQL Injection: A Structured Path from Zero to Defence

An ordered learning path for SQL injection, from understanding the bug to finding it, exploiting every variant and vector, automating with sqlmap, getting past WAFs, defending at every layer, and learning from the real breaches it caused. Read these in sequence and you go from zero to working competence.

How SQL injection opened the 2008 Heartland breach of ~130M cards. The pivot to payment networks, the packet sniffer, and why PCI compliance was not enough.

The Heartland Breach: SQL Injection as the Front Door

The 2008 Heartland Payment Systems breach exposed around 130 million card numbers, the largest of its era. SQL injection was only the entry point: the attackers used it to land on the corporate network, spent months pivoting to the payment systems, then sniffed card data in transit. A post-mortem on the attack chain, the compliance illusion, and the lessons.

Complete SQL injection guide: union, error-based, boolean blind, time blind, out-of-band, second-order, NoSQL. Exploits and defence.

SQL Injection: Variants, Exploitation, and Defence

How SQL injection actually works, what every major variant looks like (union-based, error-based, boolean blind, time blind, out-of-band, second-order, NoSQL), how to exploit each one against a vulnerable app, and how to defend against them at the code, query, and infrastructure layers.

WPScan v3.8+ usage reference for WordPress security audits: install on Linux/macOS, API token setup, the command patterns that matter (enumerate users, vulnerable plugins, brute force), JSON output, and how WPScan compares to Wordfence, Sucuri, and WPSec.

WPScan Usage Guide and Man Page (2026)

The complete taxonomy of web application security vulnerabilities, from injection attacks to supply chain attacks.

Web Application Security Vulnerabilities: The Complete Taxonomy

A practitioner's map of every major web application vulnerability class: SQL injection, XSS, CSRF, SSRF, RCE, file upload, path traversal, authentication and session attacks, deserialization, clickjacking, XXE, supply chain, DoS, DNS, and API attacks. How each works, how to exploit it in a lab, and how to defend against it.