This bi-weekly dispatch is brought to you by the team at Black Harbor. Every other week we share three things. One offensive technique, one defensive technique and some random snippet of something that piqued our interest. It may be a motivational quote, some piece of news or a slice of a product review.

Offense – New Web Application Enumeration Tool

One of our good friends Epi released a new tool – Ferric Oxide. Ferroic Oxide enumerates web applications that are not directly accessible through a method called Forced Browsing. Similar to dirbuster or ffuf but with some key differences as noted by Epi- “…differences are SOCKS support, works in a command pipeline (targets in, discovered files/folders out), has recursion and auto-filtered wildcards turned on by default, and is incredibly configurable (global, per-user, per-target).” We’ve been playing with this one for bug bounties over the past few weeks (and had a few sneak peeks). This tool is FAST, simple to use, the output is easily readable and also delimitated in a way that helps manipulate outputs.

Defense – Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities

A National Security Agency Cybersecurity Advisory publicly released common Chinese threat actor CVEs used in active campaigns. While it’s not an entire release of the kill chain used to track these actors, understanding which CVE’s are actively being exploited can help prioritize and advocate for patching and detection engineering. Unsurprising we see quite a few remote initial execution type exploits on perimeter devices such as Pulse Secure VPN and F5 proxies.

Snippet – Containerized Facebook

Run Facebook in a container using Firefox Container extension making it harder for Facebook to track you outside of Facebook. Privacy is good. mmmkay?

If you find value in this newsletter please consider sharing it to your friends and colleagues. Signup at

View our past dispatches at