Blog Archives


  • Vulnerability Inheritance across Forks - The Sugar/Vtiger/SuiteCRM Story: Darren explains why vulnerabilities cross project forks and create all manner of hilarity.

  • Standing Outside a Broken Phone Booth With Money in My Hand: We tried to contact organisations using details in a 20-year-old RFC. We were largely ignored.

  • No 0day Necessary - Bank SSL: In the continuing series of blogs about the lack of necessity for 0day for attackers, XRL took a look to see how bad bank grade SSL was. Turns out it was far from good.

  • The Spaces Between: 2015 has been a year of breaches. We make some humble suggestions about how we can avoid another bad year in 2016.

  • OPSEC for Honeypots: Darren explores basic operational security slips when establishing honeypots and why they may well negate threat intelligence gathering.

  • Out of Step - We are killing the thing we love: Mike explores penetration testing as a practice and pretty much alienates everyone.

  • Mail scams and Social Engineering: Sometimes attackers don't need 0day, all they need is an envelope. In this blog Ian Simons examines a real world mail fraud attack that could have ended very badly for a waste management company.

  • No 0day Necessary - Cross Domain Misconfigurations: In the first of a series of blogs about the lack of necessity for 0day for attackers, XRL took a look to see how many implementations of Cross Domain Policies we could find in the wild. The answer was quite a few.

  • Hiding in Plain Sight - A Raspberry Pi VoIP phone covert device: XRL implemented a covert network access device (derived from Raspberry Pi model B) within a standard commercial VoIP desk phone.

  • SteelCon 2014 - Process Injection with Python: At the inaugural SteelCon Security Conference in Sheffield, Darren presented a talk on using Python for process memory manipulation, using code injection as the use case.

  • Human Interface Devices - Countering the Threat: Ian Simons discusses Human Interface Devices (HIDs) and why they pose a threat.

  • Passwords: Viable or Redundant?: Ian Simons discusses the viability or otherwise of passwords as an authentication mechanism.

  • Introducing Kiryos: UK Content Filtering Bypass Device: 2014 sees the introduction of content filtering in the UK. Mike Kemp discusses why this is a bad thing, and what XRL are doing about it.

  • Paranoid Android: From Phone to Spy Tool: Mike Kemp discusses the liberties being taken by mobile applications.

  • The Autopsy of a Phishing Scam: A Walkthrough of a Typical Phishing Email: Ian Williams provides an overview of the less than sophisticated methods used by low level phishers and fraudsters.

  • Kicking the Bucket: Mike Kemp discusses Amazon S3 security and the problems with big data analysis (with apologies to Rapid7)

  • XSS: So how is this a problem?: Ian Williams discusses why XSS is more than JavaScript pop-ups.

  • An Intern's Tale: Our ex-intern Bobby Miah's take on working with XRL.

  • Watch out for wireless technologies: Common risk assessment blind spots: Ian Williams examines common risk assessment issues with regards to the technical risks posed by wireless technology stacks.

  • The Problem With North Korea: Mike Kemp explores the much vaunted and unproven technical capabilities of North Korea in relation to computer mediated attacks.

  • Once More Unto The Breach!: Gavin Ewan shares his thoughts about working with Xiphos.

  • ...And we're back: XRL relaunch blog and site.