Showing posts with the label XML Injection

Hacker’s Elusive Thoughts The Web

Introduction The reason for this blog post is to advertise my book. First of all I would like to thank all the readers of my blog for the support and feedback on making my articles better. After 12+ years in the penetration testing industry, the time has come for me to publish my book and transfer my knowledge to all the interested people who like hacking and want to learn as much as possible. Also at the end of the blog you will find a sample chapter. About The Author Gerasimos is a security consultant holding an MSc in Information Security, a CREST (CRT), a CISSP, an ITILv3, a GIAC GPEN and a GIAC GAWPT accreditation. Working alongside diverse and highly skilled teams, Gerasimos has been involved in countless comprehensive security tests and web application secure development engagements for global web applications and network platforms, counting more than 14 years in web application and application security architecture. Gerasimos further progressing in h...

CSRFing the Web...

Introduction Nowadays hacking, as already mentioned in my previous articles, has been industrialized, meaning that professional hackers are constantly hired to make money out of practically anything, and therefore all Web Application vulnerabilities have to be understood and defeated. This article is going to talk about what Cross Site Request Forgery (CSRF) is, explain how someone can perform a successful CSRF attack, and describe how to amplify a CSRF attack (e.g. combine CSRF with other vulnerabilities). CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated (simplistically speaking). With a little help from social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in the case of a normal user. If the targeted end user is the administ...

The Teenage Mutant Ninja Turtles project....

Intro Elusive Thoughts are proud to present you The Teenage Mutant Ninja Turtles project.... What is Teenage Mutant Ninja Turtles? The Teenage Mutant Ninja Turtles project is three things: a Web Application payload database (heavily based on the fuzzdb project for now), a Web Application error database, and a Web Application payload mutator. Nowadays all high-profile sites in the financial and telecommunication sectors use filters to filter out all types of vulnerabilities such as SQL, XSS, XXE, HTTP Header Injection etc. In this particular project I am going to provide you with a tool to generate obfuscated fuzzing injection attacks in order to bypass badly implemented Web Application injection filters (e.g. SQL Injection, XSS Injection etc.). When you test a Web Application all you need is a fuzzer and ammunition: "I saw clearly that war was upon us when I learned that my young men had been secretly buying ammunition." Chief Joseph Ammunit...

Going The Same Way?

Intro This article explains the impact of the Session Fixation and Session Hijacking vulnerabilities and also gives a post-exploitation analysis of the methodologies used by organized crime. Many people, and by many people I mean Information Security Consultants, Security System administrators and Penetration testers, tend to believe that Session Fixation/Hijacking is not such a serious problem. When they find it in a Web Application they report it as low risk, or, when the Web Application is vulnerable to session fixation, they believe that as long as the session is not passed in the URL it cannot be used in an efficient way to attack the website. Well, that is wrong, and I am sure about it because I have seen lots of my clients becoming victims of organized crime. I am also reminding you that if: You become a Cross Site Scripting victim it might be difficult to detect the attack (especially if you allow concurrent logins). You have a Session Hijacking event it is no...

Infiltrating corporate networks using XXE injection

XML External Entity (XXE) Injection (Updated 2026): DTD Abuse // File Disclosure // Blind OOB Exfiltration // SSRF via XML. Intro External entity injection is, generally speaking, a type of XML injection that allows an attacker to force a badly configured XML parser to "include" or "load" unwanted functionality that compromises the security of a web application. This type of attack is well documented and has been known since 2002, though it continues to appear in modern applications, particularly in SOAP services, file upload handlers and legacy enterprise integrations. Taxonomy (2026): XXE was categorized as OWASP A4:2017 — XXE (its own dedicated category). In the OWASP Top 10 2021 it was merged into A5:2021 — Security Misconfiguration. The primary CWE is CWE-611 (Improper Restriction of XML External Entity Reference)....