Finally, today is "The Other Tomorrow", the magical day people refer to when postponing tasks: "it would be nice to get that done one day". To be honest, I have been postponing this for years. And now, huh, here it is.

Who I am

In short, I'm Elar and I'm a web application security penetration tester at Clarified Security [1]. I'm also the author and lecturer of a 4-day training, "Web Application Security" [2]. I delivered 2500 lecture hours from March 2012 to Oct 2018.

Two reasons why I started this blog

The reasons are quite different. The first is to learn and practice my English. If you spot some weird English here, you are welcome to point out my mistakes. Since my native language is Estonian, I call my English "Estonglish" - just in case you are wondering why my sentence constructions are a bit weird.

The second reason is to share the kind of information which it is not ethical to keep to myself. I'm talking about security holes in products or sites with big names. Sometimes they don't want information about their weaknesses shared, and in my opinion it is also not fair to hide it.

What to expect

Over the previous years I've collected ideas, information and experience which I want to share:

  • Full disclosure of vulnerabilities in known software. I have 2 CVEs queued for publication. Most likely I'm going to request CVE identifiers [3] for 5 .. 7 more vulnerabilities;
  • Full disclosure of findings from some famous sites, and the reasons why my name is listed on some "Hall of Fame" pages;
  • Interesting features and possibilities in technology - some WTF moments for me, and maybe some surprising moments for you as well.

I'm going to describe only my hobby projects here - due to NDAs I'm not going to describe findings from pentest engagements related to our clients and their custom software.

Static blog engine

Sometimes I ask people: "how much is 9 multiplied by 9?" They know the answer, 81, from memory. They have "cached" it. Otherwise they would have to calculate it each time: 9 + 9 is 18; adding the 3rd 9 gives 18 + 9 = 27, and so on, until they reach the 9th 9 and the value 81.

For some reason most web pages work this 9 + 9 + 9 .. way. They calculate and generate the same content maybe a million times. It would make more sense to calculate it once and then just serve the result.

Dynamic pages have a lot of security issues. I have built them when I worked as a web application developer and I have tested them as a security tester - I don't want to use one for my own blog.

So, here I am with the static blog generator Pelican [4][5], which is written in Python [6]. As a base template I used pelican-bootstrap3 [7] with a theme from Bootswatch [8]. Additionally, Disqus [9] for comments, some extra plugins [10] and custom code.

For the record, this is how my blog looked on 2016-05-21: [screenshot: Blog on 2016-05-21]

References

