Next.js Security Playbook (Checklist + Cheatsheet)
TL;DR Clarify scope first, then work systematically. User input + RSC or dangerouslySetInnerHTML = high XSS risk. postMessage without origin checks is almost always a bug. 0. Scope...
Here I collect posts about development, tools, and experiments.
TL;DR Unit tests and build passed; Playwright timed out on multiple UI steps. The failures cluster around config import/export and sidebar interactions. Next step is to harden...
This final part covers: (6) Proxy CA chain refresh (proxyprod) (6b) Proxy stack restart (systemd --user) (2b) Vault server container restart (7) Vault TLS healthcheck that ended...
This part covers the workload-facing rotations: agent login mTLS certs (Vault Agent via auth/cert) app leaf cert rotation (per-app nginx-* roles + reload) Apps in scope: ncprd1,...
This part covers the first two rotations from the run: Admin client cert (mTLS to Vault) Vault server TLS cert (listener cert) These are the control-plane certs. If they fail,...
TL;DR Build a matrix over Nextcloud branches and PHP versions. Checkout Nextcloud server + app sources, then sync the app into the server tree. Run JS unit tests, build assets,...
This series documents the exact “rotate everything” workflow we ran in prod, and why the order matters more than the individual commands. What this post focuses on: dependency...
Caido is a modern web security proxy built for speed and day-to-day usability. If you’re coming from tools like Burp or ZAP, the core workflow will feel familiar—intercept traffic,...
TL;DR Check v-html usage and any dynamic bindings like :href, :src, :style, :class. Look for open redirects in vue-router (e.g. ?redirect= or #/...). Inspect Vuex/localStorage...
Intro paragraph. Section Text… echo "Codeblock"
TL;DR Check common Tomcat entry points: :8080, /manager/html, /host-manager/html. Identify version from error pages, headers, or default pages. Test default creds and auth bypasses...
This Is Just the Starting Point Even after designing PKI, Vault, proxies, and basic app layouts, I still see this as the beginning of the lab, not the end. There are many...
I Don’t Sit in One Place I’m not building this in a neat office with a stable on-prem network. I move: between countries, between apartments and Airbnbs, between different network...
TL;DR App listens on 127.0.0.1:4001 with GET /__app_ok returning 200. Sidecar NGINX listens on 0.0.0.0:2001 with GET /__gw_ok returning 200 and proxies to the app. App + sidecar...
Even a Personal VPS Deserves a Threat Model This is “just” my VPS, but: it holds real data (Nextcloud, notes), it hosts sensitive systems (Vault, PKI), it’s reachable from the...
My Brain Is Not a Reliable Runbook When I change anything important in this setup (Vault config, PKI, proxies), it’s easy to miss steps: forget a reload, skip a test, break...
Yes, I Locked Myself Out More than once, I managed to: enforce mTLS on Vault, let important client certs expire, and then stare at tls: expired certificate errors. This wasn’t fun,...
TL;DR Only the main gateway exposes 80/443. Internal ports are loopback-only. TLS is hardened and logs are split by status. Rate limits and health endpoints are in place. Controls...
Why I Want Two Nextclouds I don’t just want “a cloud drive”. I want: one test instance where I can break things, one prod instance where I store real personal data. Both should: be...
TL;DR Okta is an IDaaS provider for SSO, MFA, and user provisioning. Most issues come from misconfiguration, not Okta itself. Focus on redirect handling, token validation, and SCIM...
Why I Want a VPN in Front of Everything Public SSH on the internet is manageable, but I’d rather: connect to my VPS through a VPN (like IPsec), expose fewer direct services, and...
My SSH Entry Should Not Be the Weakest Link All of this infra sits behind one obvious entry point: SSH to the VPS. So I want SSH to be: key-based only, ideally bound to my VPN...
TL;DR OAuth is about delegated access, not authentication by itself. Most bugs come from redirect URI, token validation, and scope handling. Always validate state, nonce, aud, iss,...
Why Android Matters to Me More and more targets have mobile apps that are tightly integrated with their backend APIs. If I only test the web front-end, I miss a big part of the...
How I Like to Look at HTTP Traffic For bug bounty and security testing, I want a flexible stack: a proxy I can send traffic through (proxify), an interactive UI for manual work...
TL;DR OAuth is a delegation protocol; authentication is layered on top. The authorization code flow is the standard for web apps. The client exchanges a code for tokens, then calls...
Why I Want a Dedicated Recon Node As a bug bounty hunter, I don’t want to run everything from my laptop. A VPS can be: a stable, always-on recon box, a place to run scans over...
TL;DR Flow: gateway -> test-proxy -> sidecar -> app. Internal ports are loopback-only. Rootless slirp requires 10.0.2.2 to reach host loopback. Working Traffic Path...
Logs as My Second Brain With multiple services (Vault, proxies, apps, agents) running under different Unix users, logs can easily end up scattered: /home/*/containers/.../logs,...
Quick Commands # edit + deploy git status git add -A git commit -m "docs: update" git push # rebuild static blog output (local) cd site npm ci --no-audit --no-fund npm...
No More Hardcoded Secrets I don’t want: app containers with static DB passwords baked in, environment variables full of long-lived credentials, or “secret.yaml” files committed by...
TL;DR App passes App+Sidecar and Test-Proxy checklists first. Health endpoints return 200: /__app_ok, /__gw_ok. Main gateway handles TLS for the app domain. Expose sidecar only on...
Why I Don’t Want Just One Big Nginx I could put a single Nginx on the VPS and let it handle everything. But I want clearer layers: a public-facing entry proxy, internal...
Unix Users as Security Boundaries On a single VPS, I don’t have multiple physical machines, but I can still use: Unix users, file permissions, rootless Podman, to approximate...
TL;DR Wildcards require DNS-01. Hostpoint TXT name should be _acme-challenge.test (zone suffix is added). TTL 300s; allow 15-30 minutes for propagation. Why DNS-01 HTTP-01 only...
I Don’t Want to Live on the Root Token Vault gives you a root token at initialization. It’s tempting to just keep using it for everything. But for a long-term setup I want a...
TL;DR Know the common private, CGNAT, and link-local ranges. Use IPv6 ranges explicitly during recon; they are often less protected. For bug bounty, prioritize public netblocks,...
Rotation Can’t Be an Afterthought Creating certificates once is easy. Remembering to rotate them before they expire is the real work. In my setup I have: admin mTLS certs with...
TL;DR Use a simple { __typename } query to detect GraphQL. Use graphw00f to fingerprint implementations. Quick Detection curl -X POST http://target/graphql \ -H 'Content-Type:...
Why I Wrote a Certificate Health Script I don’t want to discover expired certificates only when things are already broken and logs scream tls: expired certificate. So I wrote a...
Why I Need a Break-Glass Option If all Vault listeners require valid client certificates and my admin cert expires, I’m locked out. That’s secure, but it’s also dangerous if I...
The Problem: mTLS Everywhere, No Way In One of the first real-world problems I hit with my PKI/Vault setup was simple and brutal: Vault listeners require mTLS...
TL;DR Recon: find endpoints and enable introspection. DoS: deep recursion, batching, aliases, and fragments. AuthZ: field-level and object-level access checks. Recon Detect GraphQL...
Why I Wanted My Own PKI Most tutorials use either: completely ad‑hoc, self‑signed certificates created with random OpenSSL commands, or public CAs like Let’s Encrypt, focused on...
TL;DR Point portal.test.privsec.ch to the main gateway IP. Use SAN or separate certs for espodev and portal. Ensure Host/SNI are preserved across proxies. Set EspoCRM Portal Custom...
Why I Care About Structure on a Single VPS I don’t want my VPS to be “just a box that runs containers”. I want it to feel like a small, real infrastructure: clear separation...
TL;DR Rootful offers simpler networking but higher exposure risk. Rootless is safer but needs explicit forwarding and mTLS. For VPS and multi-user setups, host forwarder + mTLS is...
What I Want From My VPS and Vault This whole project is my attempt to turn a simple VPS into a mini security platform: my own PKI, my own secret management, and my own little...
TL;DR Cache-Control shows max age. Age shows current cached age. X-Cache or CF-Cache-Status indicates hit/miss. Detection Signals Cache-Control: max-age=... Age: ... X-Cache:...
TL;DR Aura uses JSON payloads with message and aura.context. Many issues come from parameter tampering and over-permissive Apex methods. Focus on classname, method, and params in...
TL;DR Cache poisoning targets shared cache entries. Look for unkeyed headers or params that affect the response. Verify that poisoned content is served to other users. What It Is...
TL;DR Trick the cache into storing dynamic, sensitive responses. Exploit path parsing discrepancies between cache and origin. Use cache busters to avoid stale data while testing....
TL;DR A takeover happens when a subdomain points to an unclaimed external service. Look for dangling CNAMEs to SaaS providers. Confirm by matching known error messages and claiming...
TL;DR Request smuggling happens when frontend and backend parse Content-Length and Transfer-Encoding differently. Classic case: frontend uses CL, backend uses TE (CL.TE). Look for...
TL;DR CSWSH is CSRF on WebSocket handshakes. If the handshake relies only on cookies, a malicious site can open a WS as the victim. Impact includes unauthorized actions and data...
TL;DR Windows/IIS labs often live in 192.168.x.0/24 or 10.0.0.0/8 ranges. Azure defaults show up as 10.0.0.0/24. If you have XSS or SSRF, target common internal ranges first....
TL;DR Focus on introspection, authz gaps, and query limits. Test batching and persisted query policy. Keep payloads small and in scope. Test Snippets 1) Introspection enabled curl...
TL;DR Start with curl to understand the app, then scale with ffuf and nuclei. Always record requests/responses for later (headers, auth, cookies). Don’t brute force blindly—be...
TL;DR Use a simple, repeatable pipeline: discover → probe → crawl → scan. Store every stage as a file so you can diff, resume, and avoid re-running noisy steps. Prefer target lists...
TL;DR Start with traffic interception; it gives the biggest return fastest. Don’t fight the tooling—keep a repeatable baseline setup. Document every device/emulator change (you...
TL;DR Prefer rsync for anything bigger than a single file. Avoid hardcoding IPs/users in scripts; use ~/.ssh/config hosts. For “copy only if missing”, use rsync --ignore-existing...
TL;DR Use a proxy for understanding; use reproducible requests for reporting. Save raw requests and keep them minimal (strip noise, keep essentials). Automate only after you...
TL;DR Recon is a loop, not a one-off: collect → triage → investigate → repeat. Keep outputs versioned per run so you can spot what changed. Separate discovery (wide) from...