decal's security shed

internet hacking

DoD: 4-Layer Department of Defense ARPANet Model   |   OSI: 7-Layer Open Systems Interconnect Internet Model


Republished & re-edited IDS/IPS Evasion Techniques

IDS/IPS Evasion for URI's

Whitepapers & Blogs

Tickling CGI Problems: A whitepaper created with LaTeX (a document preparation system created mostly by Donald Knuth) about hacking web-based and standalone scripts written in Tcl/Tk (Mar 2011 Vulnerability Research)

Software Testing: Test Design and the Project Life Cycle (Dec 2002 Collegiate Term Paper)

Measuring (not so) recent BIND nameserver patching

Combinatoric Input Set Generation

Exploit One-Liners

Vendor-Coordinated Software Security Advisories

Veritas Storage Foundation Arbitrary File Read Vulnerability

Veritas Storage Foundation Memory Disclosure Vulnerability

PartyGaming PartyPoker Malicious Update Vulnerability

Cygwin Installation and Update Process can be Subverted Vulnerability

Lenovo SystemUpdate SSL Certificate Issuer Spoofing Vulnerability

Directory Traversal in IronWebMail
Mirror #1

FreeBSD ircII port contains a remote overflow

Media References

PaulDotCom Security Weekly Episode 119 - Tech Segment: Software Update Security with Derek Callaway

Cenzic's SANS Contest Winner Headed to Las Vegas

Conferences as a Speaker

CanSecWest 2009  Binary Clone Wars: Software Whitelisting for Malware Prevention and Coordinated Incident Response
  Stop Malware Forever  [Whitepaper]

SOURCE Boston 2009  Binary Clone Wars: Software Whitelisting for Malware Prevention and Coordinated Incident Response
  Security Sovereignty: Binary Clone Wars  [Slides]

Derbycon 2013  Uncloaking IP Addresses on IRC
  Technical Lecture and Proof-of-Concept Demo  [Video]

Derbycon 2014  Project SCEVRON: SCan EVrything with ruby RONin
  Technical Lecture and Proof-of-Concept Demos  [Video]

BSides Delaware 2013  Uncloaking IP Addresses on IRC
  High-level Description of Technique  [Video]

Spot The Fed: Online Edition

Conferences as an Attendee

DEFCON (DEFense readiness CONdition)

Black Hat Briefings USA

HOPE (Hackers On Planet Earth)

ShmooCon ("The Moose!")

Derbycon (reference to old hat style)

SummerCon (self-explanatory, traditionally small & old school)

SANS Network Security Vegas (course curriculum and commercial expo--put on by the folks from ISC)

SOURCE Boston (includes venture capitalists)

Security BSides (local infosec events)


Security Mailing List Archive

The Exploit Database (EDB)
An ultimate archive of exploits and vulnerable software. A great resource for penetration testers, vulnerability researchers, and security addicts alike. Our aim is to collect exploits from submittals and mailing lists and concentrate them in one, easy to navigate database.

Gain practical 'hands-on' experience in digital security

Gathering references to IT-security related stuff
This project has appeared as an attempt to index, summarize and to catalog links to software security related stuff. You can treat this project as one big, centralized bookmark.
OWASP SecLists Project
SecLists is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more.
Internet Engineering Task Force Tools

Internet Assigned Numbers Authority

Self-Explanatory (Aggregator of Exploit Distribution Sites)

©Dell SecureWorks, Inc.

ZDNet's Zero Day Blog

System of Systems Blog at WordPress Where I Published Many Articles

Commercially-Linked Twitter Account That I Used to Tweet From

My Current Personal Twitter Account

CVE Search at Circl

#BugBounty Tweets

Hacking the Web

"The Art of the Web" (Links Page)

Monitoring Web Indexing Robots

Free malware analysis service

Browse W3C's Open Source Software

Architecture of the Web, Volume One

SANS CWE (Common Weakness Enumeration) Top 25


The latest information on how to use the technology that runs the web: HTML, CSS, JavaScript and more.

security.txt

The latest news and insights from Google on security and safety on the Internet


The Matrix of W3C Specifications (includes SOAP)

OWASP: Open Web Application Security Project

Web Application Security Consortium

CGISecurity - Web Site and Application Security News

Web application security forum

Web application security lab (RSnake's old abandoned site)

Aims at delivering the most comprehensive enumeration of all known web service attacks.

Wikipedia Web Security Exploits Category

Wikipedia Free web server software Category

Web-based .htpasswd File and Site Access Manager

Mozilla Security Blog

FireFox Developer Tools

MDN Web Security

Open Data Protocols - Simple Open Standards for Open Data

Extensible Business Reporting Language

Incapsula Botopedia

Searchable List of User-Agents (Spiders, Robots, Crawler, Browser, etc.)

SRI Hash Generator

HTTP Extensions for Distributed Authoring: WebDAV


What browser am I using?

HTML Living Standard

WHATWG HTML: The Living Standard A technical specification for Web developers

Can I Use? Compare Browsers (CSS, HTML5, SVG, etc.)

iOS UIWebView Browser Tests

Ping, HTTP & SSL Tests + ProCSSor (cleans/organizes CSS)

Apache Tomcat 7 Security Considerations

LFI Exploitation via php://input [a.k.a. how to web-shell a site]

Developing Single Page Web Applications using Java 8, Spark, MongoDB and AngularJS

Server-side: Dynamic Content, Part 1

Object RTC (ORTC) is a free, open project that enables mobile endpoints to talk to servers and web browsers with Real-Time Communications (RTC) capabilities via native and simple Javascript APIs

Fine-Grained Transclusions of Multimedia Documents in HTML

Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol

Unicode Transformation Formats: UTF-8 & Co.

Everything HTML, CSS and JavaScript, the most common languages used in making web pages.

WAVE (WCAG/ARIA Guidelines Checker)

Easy Checks - A First Review of Web Accessibility

Website Accessibility Evaluation Report Generator

Accessibility related add-ons for Mozilla FireFox and Thunderbird

PageSpeed Module: open-source server modules for Apache/NGINX by Google that optimize your site automatically

IDS/IPS Evasion for URI's

HTML5 tag list (refer to for the latest)

HTTP Status Codes

Universal Resource Identifiers in WWW

IETF Hypertext Transfer Protocol (HTTP/1.1) RFC's

RFC7230: Message Syntax and Routing

RFC7231: Semantics and Content

RFC7232: Conditional Requests

RFC7233: Range Requests

RFC7234: Caching

RFC7235: Authentication

IETF "DarkWeb" RFC's

RFC7685: A TLS ClientHello Padding Extension

RFC7686: The ".onion" Special-Use Domain Name

Browser Hacking

browserling: live interactive cross-browser testing from your browser

Beautify, unpack, deobfuscate JavaScript and HTML, make JSON/JSONP readable, etc.

Spreadsheet comparison of security issues in major browser versions

Web Browser Security Checklist for Identity Theft Protection

Opera: Security specifications support in Opera Presto

Heap Feng Shui in JavaScript (Alexander Sotirov at BlackHat Europe 2007)

PURL: Persistent Uniform Resource Locators

Default Passwords

Top 500 Passwords


Default Passwords

Default Router Passwords

Default passwords list

Virus.Org Default Password Database

Router IP Address - Default: IP Address, Username, & Password

Password Generators

Perfect Passwords | GRC's Ultra High Security Password Generator

Random Password Generator

Javascript 8-character pronounceable password generator

Strong Password Generator

Cygnius Password Strength Test

CertExam: Switch Simulator Labs

TCP/IP Protocols

The Art of Unspoofing

BIND 8.3.3 Unspoofing Patch

BIND 4.9.9 Unspoofing Patch

Cisco Secure PIX Firewall Version 5.0 Command Reference

ACME Bandwidth Chart

Internet Assigned Numbers Authority: Protocol Registries

Numbering Resource Organization

Provider of Internationalized Domain Name Solutions

amavisd-new is a high-performance interface between mailer (MTA) and content checkers: virus scanners, and/or SpamAssassin

LBNL's Network Research Group

Official IETF RFC's (Internet standards proposals.)

arny's unix / net / hack page

USENET newsgroup name list generated by `tin -rnq` on 19-Jul-2012

The Honeynet Project

Mailing list thread about AS 7007 Incident!

As seen in the presentation "Hide and Seek: Post-Exploitation Style" from ShmooCon 2013

SCADA Security Mailing List Archive

UPnP Database

Pen Testing Cheat Sheets and Tools

toolswatch: Hackers Arsenal

SecTools, home of NMap


ImmunitySec Resources: Free Software

The Packetfactory RFC SourceBook

Shiar's Cheat Sheets

Underscores in DNS - and lots of other DNS idiosyncrasies

Apache Rivet and Websh - from recent Tcl-Apache integration efforts

Troubleshooting SSL/TLS communications using network dumps

Free service that checks your IPv6 and IPv4 connectivity and speed

A blog based on community contributed data about MikroTik RouterOS

The Measurement Factory

The HTTP/1.1 verb PUT under Apache: Safe or Dangerous?

Stanford Computer Security Laboratory

Connected: The Internet Encyclopedia

MH & xmh: Email for Users & Programmers

Collaboration and Reporting Framework for InfoSec Teams

bgp-stats Mailing List Archive

CSE545 Lecture Slides from PSU: Interdomain Routing Security

Cisco Enterprise Campus Infrastructure Best Practices Guide

BGP Routing Table Analysis Reports from 1994 to Present

UDP port forwarding with socat

RFC2663: IP Network Address Translator (NAT) Terminology and Considerations

RFC4301: Security Architecture for the Internet Protocol

Clarifications and Implementation Notes for DNS Security (DNSSEC)

Root DNSSEC - Information about DNSSEC for the Root Zone

This is psyced, a scalable multi-protocol multi-casting chat, messaging and social server solution to build decentralized chat networks upon, released as open source. Powerful, not bloated, not too hard to get into.

NTP Architecture, Protocol and Algorithms

NTP Security Algorithms

NTP Security Protocol

NTP Security Model

RFC5906: Network Time Protocol Version 4: Autokey Specification

Avoid RFC 2317 style delegation of ""

Wikipedia Routing Algorithms Category

Wikipedia Onion Routing Article

IP Hijacking Wikipedia Article

CISSP Glossary Flash Cards

The Computer Technology Documentation Project

Note: The DNS section is excellent.

(D)DoS Attacks

Wikipedia Denial-of-service Attacks Category

"Big Data" Structures & Text Formatting

Structured Abstracts in MEDLINE
