Links

Here are some links to cybersecurity tools and blogs that I frequently use.

Tools

• demo.sjoerdlangkemper.nl/cors.php / sakurity.com/jqueryxss - These are payloads that can be used for when a site loads an external resources and executes it as JavaScript. It may sound unlikely that a site would execute arbitrary JavaScript from other domains, but this was the default behavior of many frameworks in the past. Besides having a script payload, these also set CORS headers that allow other origins to retrieve the contents of these script.
• neverssl.com - Sometimes you want an unencrypted site, for example to test whether your intercepting proxy fails because of certificate settings or because of other things. NeverSSL doesn’t support HTTPS and doesn’t have HSTS. It’s also useful to test for captive WiFi portals that intercept all traffic and redirect you to the login page.
• httpbin.org - This site creates various HTTP responses, and is useful for testing things such as SSRF.
• CSP Evaluator - Throw in a Content-Security-Policy and it will give some things to improve.
• Copy as Markdown plugin - I use this a lot to copy the title and link of one or multiple tabs in my browser.
• Find a prime number near another number - I made this myself. I use this suspiciously often, but couldn’t tell for what exactly right now.
• jwt.io - decodes JWT tokens. This is a useful tool, but it also lures you into pasting authentication tokens into some third-party website.
• caniuse.com - lists which browsers support which features
• Chrome Platform Status - lists which features are supported or on the development roadmap for Chrome. I learned of many new security features here.
• crt.sh - a database of HTTPS certificates. Useful for finding subdomains or relations between domains. This can also be useful to test whether pinning is implemented correctly, but finding a domain that uses a specific certificate authority.
• Shodan - public port-scan database.
• Google Scholar - search engine for scientific articles.
• Anna’s Archive - books and scientific papers for download.
• GitHub Search - code search. Useful to find examples of certain code, or vulnerable code.
• Sjord/asvscontext - a list of ASVS requirements and corresponding issues. I made this to easily search all ASVS requirements and get more information behind them.

Blogs

Cybersecurity

• A Few Thoughts on Cryptographic Engineering
• April King
• Cendyne.dev
• Cryptologie
• Dhole Moments
• Doyensec’s Blog
• Emily M. Stark
• Filippo Valsorda
• Hugo Landau
• jub0bs.com
• rastating.github.io
• securitypitfalls
• Sensemaking by Shortridge
• text/plain – ericlaw

Other

• Andreas Kling – I like computers!
• Atlas of Wonders and Monsters
• Casey Handmer’s blog
• change is - matt.sh
• CounterfeitBees
• Data Colada
• Dynomight
• Escaping Flatland
• Experimental History
• Ideas and Data
• Jacob Trefethen’s blog
• JakeArchibald.com
• Jason Pargin’s Newsletter
• Low←tech magazine
• Matt Lakeman
• mhdm.dev
• Science Integrity Digest
• Slime Mold Time Mold
• The Righteous Mugwort
• Trevor Klee’s Newsletter
• Weblog @ marginalia.nu
• Yossi Kreinin - blog archive