Walter Moar
@waltermoar.bsky.social
Today's security backgrounder article is all about weak authentication that is bypassed by spoofing HTTP headers. This type of weak authentication does occasionally happen in the real world, but it's also very common in Capture The Flag (CTF) security challenges.

medium.com/@waltermoar/...
Understanding CWE-290: Authentication Bypass by Spoofing
Authentication systems verify the identity of users before granting access to protected resources. These systems rely on various…
medium.com
December 29, 2025 at 1:41 PM
Base64 encoding: what it is, how it works, and most importantly: why it is an encoding, and not encryption. Base64 encoding turns binary into somewhat readable text, and is easily decoded too. It often finds its way into Capture The Flag (CTF) security challenges.

medium.com/@waltermoar/...
CTF Basics: Understanding Base64 Encoding
This article covers the basics of Base64 encoding, a common encoding scheme that appears frequently in Capture The Flag (CTF) challenges…
medium.com
December 22, 2025 at 12:40 PM
December 21, and the winter solstice is upon us. "Got to kick at the darkness 'til it bleeds daylight."

www.youtube.com/watch?v=7IX4...
Bruce Cockburn - Lovers In A Dangerous Time
YouTube video by BruceCockburnVEVO
www.youtube.com
December 21, 2025 at 3:50 PM
Today's article is on the "Unminify" challenge, which demonstrates that minifying web page source code offers no security protection for sensitive information.

medium.com/@waltermoar/...
Writeup for picoCTF challenge “Unminify”
Explore minified web page source code and discover why sensitive data doesn’t belong in HTML
medium.com
December 18, 2025 at 12:45 PM
Posting a new background article today on CWE-540: sensitive information in source code. CWE-540 is the parent of CWE-615, which more specifically is about source code comments.

medium.com/@waltermoar/...
Understanding CWE-540: Inclusion of Sensitive Information in Source Code
Source code is the foundation of every application, containing the logic and algorithms that make software work. When developers embed…
medium.com
December 15, 2025 at 2:28 PM
Today's writeup is another example of "security through obscurity": using a strangely named file to hide sensitive information. Not a great idea to start with, and revealing the filename in the robots.txt file is the bigger downfall of this scheme.

medium.com/@waltermoar/...
Writeup for picoCTF challenge “where are the robots”
Discover how robots.txt files reveal hidden resources and learn about forced browsing vulnerabilities
medium.com
December 11, 2025 at 1:14 PM
Today's write-up of picoCTF's "Scavenger Hunt" uses CWE-425 (Direct Request / Forced Browsing) to find sensitive information in predictable files. Follow the clues to find the flag segments.

medium.com/@waltermoar/...
Writeup for picoCTF challenge “Scavenger Hunt”
Hunt through robots.txt, .htaccess, and .DS_Store files to understand forced browsing attacks
medium.com
December 8, 2025 at 12:19 PM
New article on CWE-656 / Security Through Obscurity. Learn why "hidden" doesn't mean secure, and what actually works.

medium.com/@waltermoar/...
Understanding CWE-656: Reliance on Security Through Obscurity
Security measures work best when they actively prevent unauthorized access through authentication, encryption, and access controls…
medium.com
December 4, 2025 at 2:20 PM
The Common Weakness in today's CWE article covers the case when unlinked files and directories under the web root are directly requested by the user. It's as simple as typing something into the URL bar, or using a common file/directory fuzzer to check predictable names.

medium.com/@waltermoar/...
Understanding CWE-425: Direct Request (‘Forced Browsing’)
Web applications typically guide users through intended navigation paths using links and menus. However, if users know or guess the right…
medium.com
December 1, 2025 at 2:33 PM
"MatchTheRegex" is a picoCTF security challenge that introduces regular expressions. Find some input to match the regular expression, and the flag is retrieved.

medium.com/@waltermoar/...
Writeup for picoCTF challenge “MatchTheRegex”
This writeup gives a step-by-step explanation of the picoCTF challenge “MatchTheRegex”. The best learning experience comes from working…
medium.com
November 27, 2025 at 12:13 PM
Reposted by Walter Moar
We, as an industry, need to start giving very specific and clear advice, if we want to have better outcomes. No more high level, vague, and ambiguous advice please. #SpecificSecurity #BeSpecific

https://twp.ai/ImshpN
1/2
November 24, 2025 at 4:21 PM
Happy Monday! Today's article is on the Common Weakness Enumeration (CWE) 552: when sensitive files or directories are left accessible. This is a big one for any kind of server, but is all too common with web servers.

medium.com/@waltermoar/...
Understanding CWE-552: Files or Directories Accessible to External Parties
Applications and web servers organize files in directory structures with specific access permissions. Some files and directories are meant…
medium.com
November 24, 2025 at 12:24 PM
Today's writeup is for the recent CTF challenge "Crack the Gate 1", which involves an authorization bypass and an encoded hint.

medium.com/@waltermoar/...
Writeup for picoCTF challenge “Crack the Gate 1”
This writeup gives a step-by-step explanation of the picoCTF challenge “Crack the Gate 1”. The best learning experience comes from working…
medium.com
November 20, 2025 at 1:12 PM
A little late on posting this backgrounder: why debug code is awesome when debugging, and why it is awesomely bad when forgotten and it goes to production.

medium.com/@waltermoar/...
Understanding CWE-489: Active Debug Code
Software developers frequently add debugging features during development to test functionality, troubleshoot issues, or modify application…
medium.com
November 19, 2025 at 3:43 PM
Today's CTF walkthrough is for picoCTF's "Search Source", which is similar to the last few challenges: a flag hidden within the HTML, CSS, and/or JavaScript of a website.

medium.com/@waltermoar/...
Writeup for picoCTF challenge “Search source”
This writeup gives a step-by-step explanation of the picoCTF challenge “Search source”. The best learning experience comes from working…
medium.com
November 13, 2025 at 1:46 PM
Today's backgrounder is all about the Caesar cipher, plus a special form of it called ROT13.

Gur rntyr syvrf ng zvqavtug.

medium.com/@waltermoar/...
CTF Basics: Understanding the Caesar Cipher and ROT13
This article covers the basics of a cipher called the Caesar cipher. This simple cipher appears frequently in Capture The Flag (CTF)…
medium.com
November 10, 2025 at 12:28 PM
The date on the calendar says "Nov 9" but the tomatoes on the vines say "please just a little more time outdoors"
November 9, 2025 at 7:30 PM
New picoCTF writeup today for the web exploitation challenge called "Insp3ct0r". This challenge follows the themes of previous challenges "Inspect HTML" and "Includes" by searching for flags within HTML, CSS, and JavaScript comments (CWE-615).

medium.com/@waltermoar/...
Writeup for picoCTF challenge “Insp3ct0r”
This writeup gives a step-by-step explanation of the picoCTF challenge “Insp3ct0r”. The best learning experience comes from working on the…
medium.com
November 6, 2025 at 1:58 PM
Last week for Halloween, Bitkavach hosted the Haunted Hex CTF event (www.bitkavach.com/haunted-hex). It was great fun, and a humbling experience - they had some really tricky challenges that I'm still trying to figure out! Looking forward to more great things to come from Bitkavach.
November 5, 2025 at 2:43 PM
New backgrounder posted for Capture The Flag security challenges: the basics of web browser to web server network protocols, and some tips on how they're used in CTFs.

medium.com/@waltermoar/...
CTF Basics: Understanding HTTP Requests and Responses
This article covers the basics of HTTP requests and responses, plus how to view and modify them for Capture The Flag (CTF) web exploitation…
medium.com
November 3, 2025 at 2:49 PM
Reposted by Walter Moar
TIME to fall back and set yo clocks back one hour tonite!!
a man wearing a green hat and a red hat is making a face
Alt: Flavor flav throws on some sunglasses
media.tenor.com
November 2, 2025 at 3:14 AM
So I asked a GenAI to write jokes about a GenXAI...

Q: Why does GenXAI refuse to answer questions sometimes?
A: It just assumes you'll figure it out yourself like it had to.

User: Please explain like I'm five.
GenXAI: When I was five, I read the manual. Here's the documentation. You'll be fine.
October 31, 2025 at 12:11 PM
In a followup writeup to the "Inspect HTML" challenge, here's one for the picoCTF challenge "Includes". It's another very beginner challenge but a great one for learning fundamentals.

medium.com/@waltermoar/...
Writeup for picoCTF challenge “Includes”
This writeup gives a step-by-step explanation of the picoCTF challenge “Includes”. The best learning experience comes from working on the…
medium.com
October 30, 2025 at 11:17 AM
All summer, I've been catching spiders in the house and releasing them into the fern out front.

Today, I came home and the fern was indoors.

All winter, I'll be re-catching spiders in the house...
October 30, 2025 at 2:42 AM