Walter Moar
waltermoar.com
@waltermoar.com
"Who doesn't love cookies?" is the teaser for this picoCTF security challenge: guessing types of edible cookies causes HTTP cookies to be set. The solution, as with most HTTP cookie vulnerabilities, is manipulating the predictable cookie values to discover the flag.

medium.com/@waltermoar/...
Writeup for picoCTF challenge “Cookies”
Manipulate HTTP cookies to learn why server-side security cannot rely on user controlled data
medium.com
January 29, 2026 at 2:01 PM
Today's writeup is on the picoCTF security challenge called "Power Cookie". This challenge is another example using role-based access control (RBAC) where the role is stored in a plaintext cookie. Manipulating this cookie allows an attacker to defeat the access control.

medium.com/@waltermoar/...
Writeup for picoCTF challenge “Power Cookie”
Modify cookie-based authorization flags and learn why access control decisions must happen server-side
medium.com
January 26, 2026 at 3:50 PM
The first in a triplet of security challenges where cookies are mistakenly treated as immutable data. A simple edit of cookie data is all that's needed to discover the flag.

medium.com/@waltermoar/...
Writeup for picoCTF challenge “logon”
Modify cookie-based authorization flags and learn why access control decisions must happen server-side
medium.com
January 22, 2026 at 5:33 PM
Somebody needs to tell this lone flower that although it's a little early, it sure is appreciated.
January 20, 2026 at 11:18 PM
Today's common weakness article is about CWE-472: the problem of sending information to the browser and expecting it to come back unaltered. Two classic examples are an "admin=false" cookie or a "price=100" hidden form field.

medium.com/@waltermoar/...
Understanding CWE-472: External Control of Assumed-Immutable Web Parameter
Web applications rely on various mechanisms to maintain state and transfer data between the client and server. Hidden form fields, URL…
medium.com
January 19, 2026 at 3:04 PM
Thanks for the hot tip, but how about I just carry on with not picking up any iguanas at all? (although it does have me curious about the possibility of BEC iguanas)
January 17, 2026 at 8:49 PM
Using HTTP cookies to store information is an important part of the web, but it can also be a huge security weakness. The user is able to view and edit these cookies, so great care must be taken to use them securely.

medium.com/@waltermoar/...
Understanding CWE-565: Reliance on Cookies without Validation and Integrity Checking
HTTP cookies allow web applications to store data on the client side and retrieve it with subsequent requests. Applications use cookies for…
medium.com
January 15, 2026 at 1:00 PM
HTTP cookies - those little bits of website data that get stored in the browser - are a key component of the interactive web, but they're also prone to some hefty security issues. Today's lesson is that sensitive information should never be stored in cookies.

medium.com/@waltermoar/...
Writeup for picoCTF challenge “Cookie Monster Secret Recipe”
Explore the world of HTTP cookies and learn why encoding data is not a strong security mechanism
medium.com
January 12, 2026 at 2:35 PM
Today's backgrounder article goes into detail about HTTP cookies. The web wouldn't be the same without this technology, but its misuse causes no end of security vulnerabilities, particularly related to web site authorization.

medium.com/@waltermoar/...
CTF Basics: Understanding HTTP Cookies
This article covers the basics of HTTP cookies, and how they’re used in web applications. Understanding cookies is essential for solving…
medium.com
January 5, 2026 at 1:36 PM
Kicking off 2026 with a Capture The Flag writeup that involves spoofing an HTTP header to subvert lax "authorization".

medium.com/@waltermoar/...
[TK] Writeup for picoCTF challenge “picobrowser”
Spoof User-Agent headers and learn why client-controlled data can’t be trusted for security
medium.com
January 1, 2026 at 4:53 PM
Today's security backgrounder article is all about weak authentication that is bypassed by spoofing HTTP headers. This type of weak authentication does occasionally happen in the real world, but it's also very common in Capture The Flag (CTF) security challenges.

medium.com/@waltermoar/...
Understanding CWE-290: Authentication Bypass by Spoofing
Authentication systems verify the identity of users before granting access to protected resources. These systems rely on various…
medium.com
December 29, 2025 at 1:41 PM
Base64 encoding: what it is, how it works, and most importantly: why it is an encoding, and not encryption. Base64 encoding turns binary into somewhat readable text, and is easily decoded too. It often finds its way into Capture The Flag (CTF) security challenges.

medium.com/@waltermoar/...
CTF Basics: Understanding Base64 Encoding
This article covers the basics of Base64 encoding, a common encoding scheme that appears frequently in Capture The Flag (CTF) challenges…
medium.com
December 22, 2025 at 12:40 PM
December 21, and the winter solstice is upon us. "Got to kick at the darkness 'til it bleeds daylight."

www.youtube.com/watch?v=7IX4...
Bruce Cockburn - Lovers In A Dangerous Time
YouTube video by BruceCockburnVEVO
www.youtube.com
December 21, 2025 at 3:50 PM
Today's article is on the "Unminify" challenge, which demonstrates that minifying web page source code offers no security protection for sensitive information.

medium.com/@waltermoar/...
Writeup for picoCTF challenge “Unminify”
Explore minified web page source code and discover why sensitive data doesn’t belong in HTML
medium.com
December 18, 2025 at 12:45 PM
Posting a new background article today on CWE-540: sensitive information in source code. CWE-540 is the parent of CWE-615, which more specifically is about source code comments.

medium.com/@waltermoar/...
Understanding CWE-540: Inclusion of Sensitive Information in Source Code
Source code is the foundation of every application, containing the logic and algorithms that make software work. When developers embed…
medium.com
December 15, 2025 at 2:28 PM
Today's writeup is another example of "security through obscurity": using a strangely named file to hide sensitive information. Not a great idea to start with, and revealing the filename in the robots.txt file is the bigger downfall of this scheme.

medium.com/@waltermoar/...
Writeup for picoCTF challenge “where are the robots”
Discover how robots.txt files reveal hidden resources and learn about forced browsing vulnerabilities
medium.com
December 11, 2025 at 1:14 PM
Today's write-up of picoCTF's "Scavenger Hunt" uses CWE-425 (Direct Request / Forced Browsing) to find sensitive information in predictable files. Follow the clues to find the flag segments.

medium.com/@waltermoar/...
Writeup for picoCTF challenge “Scavenger Hunt”
Hunt through robots.txt, .htaccess, and .DS_Store files to understand forced browsing attacks
medium.com
December 8, 2025 at 12:19 PM
New article on CWE-656 / Security Through Obscurity. Learn why "hidden" doesn't mean secure, and what actually works.

medium.com/@waltermoar/...
Understanding CWE-656: Reliance on Security Through Obscurity
Security measures work best when they actively prevent unauthorized access through authentication, encryption, and access controls…
medium.com
December 4, 2025 at 2:20 PM
The Common Weakness in today's CWE article covers the case when unlinked files and directories under the web root are directly requested by the user. It's as simple as typing something into the URL bar, or using a common file/directory fuzzer to check predictable names.

medium.com/@waltermoar/...
Understanding CWE-425: Direct Request (‘Forced Browsing’)
Web applications typically guide users through intended navigation paths using links and menus. However, if users know or guess the right…
medium.com
December 1, 2025 at 2:33 PM
"MatchTheRegex" is a picoCTF security challenge that introduces regular expressions. Find some input to match the regular expression, and the flag is retrieved.

medium.com/@waltermoar/...
Writeup for picoCTF challenge “MatchTheRegex”
This writeup gives a step-by-step explanation of the picoCTF challenge “MatchTheRegex”. The best learning experience comes from working…
medium.com
November 27, 2025 at 12:13 PM
Reposted by Walter Moar
We, as an industry, need to start giving very specific and clear advice, if we want to have better outcomes. No more high level, vague, and ambiguous advice please. #SpecificSecurity #BeSpecific

https://twp.ai/ImshpN
1/2
November 24, 2025 at 4:21 PM
Happy Monday! Today's article is on the Common Weakness Enumeration (CWE) 552: when sensitive files or directories are left accessible. This is a big one for any kind of server, but is all too common with web servers.

medium.com/@waltermoar/...
Understanding CWE-552: Files or Directories Accessible to External Parties
Applications and web servers organize files in directory structures with specific access permissions. Some files and directories are meant…
medium.com
November 24, 2025 at 12:24 PM
Today's writeup is for the recent CTF challenge "Crack the Gate 1", which involves an authorization bypass and an encoded hint.

medium.com/@waltermoar/...
Writeup for picoCTF challenge “Crack the Gate 1”
This writeup gives a step-by-step explanation of the picoCTF challenge “Crack the Gate 1”. The best learning experience comes from working…
medium.com
November 20, 2025 at 1:12 PM
A little late on posting this backgrounder: why debug code is awesome when debugging, and why it is awesomely bad when forgotten and it goes to production.

medium.com/@waltermoar/...
Understanding CWE-489: Active Debug Code
Software developers frequently add debugging features during development to test functionality, troubleshoot issues, or modify application…
medium.com
November 19, 2025 at 3:43 PM