Bobo T. Jones

you are here

Breather

I am publishing an incomplete post on proxies along with this one. Not exactly sure what happened but as I tried to compose that post, I found myself getting uncomfortably frustrated. Angry, even. In the grand scheme of things (and in hindsight), it was always likely that web application penetration testing was a stopgap discipline. The shittiness of most web pentesting tools makes that abundantly clear. There was no point to finishing the post because I learned what I needed to learn: the reason I hated doing that work is because while I was good at it, the value of it was obviously decreasing over time. The only people who respect that line of work are other web pentesters. Everyone else shat on us. Even though the sexier hacking was less likely to be exploited in the wild; that will also change in the near future.

Read more →

Proxies

No surprise, it has not taken long for me to hit something of a productivity sandbar. The post I started writing for today is about proxies… specifically, web proxies for web application assessment work. The goto standard for this tool is Burp Suite from PortSwigger. I have linked to the Community Edition, which is the free version. I’ve never been a fan of Burp, even though PortSwigger has made a fair number of positive changes to the tool over the past maybe 15 years. But I still remember the version that would hang on large server responses or freeze entirely, which was problematic because it did not automatically save any logs or state. I lost a lot of work over those years and I am naturally wired to hold a grudge for a long time.

Read more →

Secrets Scanning

Secrets scanning is a checkbox for a pentest but it should also be part of a healthy security operations practice. Before I get to the review of the secrets scanning tools, I want to take a wee detour and share a useful Unix (yes, Unix) tool: script(1). The script command logs everything in a terminal session. Most of the tools I am reviewing are run on the command line in a shell and sometimes it is the case that not all of the work I am doing gets saved in a way that is useful for later. It is very useful at the start of a day to run the script command:

Read more →

ProjectDiscovery Part 2: nuclei

Continuing with the theme of running a pentest, nuclei is a logical next step in the discovery phase after subfinder, in that you have a bunch of targets and you’re going to scan them for known vulnerabilities.

The gist of vulnerability scanning is that there are databases of vulnerabilities scattered around the internet. My goto is the Common Vulnerabilities and Exposures (CVEs) database. These databases are not exhaustive; I’ve personally found and facilitated the remediation of dozens of exploitable oopsies and there are no CVEs (or really anything) with my name on them. Occasionally someone I worked with on an assessment will send me a CVE for something I found and we’ll share a sensible chuckle. See also,

Read more →

ProjectDiscovery Part 1: subfinder

The first phase of a penetration test is almost always discovery. Up until the middle of 2025, I was still using older versions of OWASP amass and Sublist3r for discovery… until a coworker gently mocked me and told me to use subfinder instead.

It was A Moment for me. I realized just how stale my skills had gotten over the last 4 years. An elephant has never sat on me but I’m pretty sure that’s what it feels like when one does. It hurt. That was the inspiration for this sabbatical project, to catch up on all of the training I was promised over the decades but never seem to get. Meanwhile, the “bills for skills” problem in security is a clusterfuck… we’re all expected to know how to hack into anything and everything, even as tech stacks get more bloated and convoluted, to learn on our own AND pay for the 999 services necessary to, you know, practice? Let’s learn together. My treat.

Read more →

Starting Line

Reluctantly crouched…

This morning, I created a GitHub repo: bigbookofcyber. The inspiration for this work comes from the awesome repos. I started with enaqx/awesome-pentest. While I have shared this repo with many people who are new to the cybersecurity industry, I have not had much time in the past to download, build and use these tools. Because I was busy working. One of my goals for my current sabbatical is to evaluate as much security tooling as I can grind through, starting with the stuff that is most popular and currently maintained. As I work my way through the top 100 of the nearly 2000 repos I have found so far, I will write at least one post for each. This should keep me occupied for a while.

Read more →