Secure Coding

Secure coding is very important in software development to ensure code security is high using techniques such as static analysis, code auditing and dynamic analysis to ensure safe coding practices are followed.

Secure Coding

What Tools can be used for Secure Coding?

There are a variety of tools to ensure code safety, mostly based on source code auditing and static analysis.

The options available really depend on the language being used with some tools focusing on many languages such as Yasca – Multi-Language Static Analysis Toolset or specialist tools focusing on a single language like Brakeman – Static Analysis Rails Security Scanner.

Frida – Dynamic Code Instrumentation Toolkit

March 19, 2016

Frida is basically Greasemonkey for native apps, or, put in more technical terms, it’s a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript into native apps on Windows, Mac, Linux, iOS and Android. Frida also provides you with some simple tools built on top of the Frida API. These can be used […]

Buffer

Hacking Tools, Secure Coding› Read More

YARA – Pattern Matching Tool For Malware Analysis

February 9, 2016

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which […]

Buffer

Malware, Secure Coding› Read More

american fuzzy lop – Security Oriented Fuzzing Tool

November 21, 2015

American fuzzy lop is a security-oriented fuzzing tool that employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary. This substantially improves the functional coverage for the fuzzed code. The compact synthesized corpora produced by the tool are also […]

Buffer

Hacking Tools, Secure Coding› Read More

Twittor – Backdoor Using Twitter For Command & Control

October 9, 2015

Twittor is a stealthy Python based backdoor using Twitter (Direct Messages) as a command and control server. This project has been inspired by Gcat which does the same but using a Gmail account. Setup For this to work you need: A Twitter account (Use a dedicated account! Do not use your personal one!) Register an […]

Buffer

Hacking Tools, Secure Coding› Read More

peinjector – MITM PE File Injector

September 22, 2015

The peinjector is a MITM PE file injector, the tool provides different ways to infect Windows platform executable files (PE COFF) with custom payloads without changing the original functionality. It creates patches, which are then applied seamlessly during file transfer. It is very performant, lightweight, modular and can be operated on embedded hardware. Features Full […]

Buffer

Hacking Tools, Secure Coding, Windows Hacking› Read More

Gcat – Python Backdoor Using Gmail For Command & Control

September 8, 2015

Gcat is a stealthy Python backdoor that uses Gmail as a command and control server. It’s fairly basic right now, but it’s an interesting proof of concept and if the community got behind it and contributed some new features it could be a pretty powerful piece of kit. Feature wise it doesn’t have that much, […]

Buffer

Hacking Tools, Secure Coding› Read More

Dharma – Generation-based Context-free Grammar Fuzzing Tool

July 21, 2015

Dharma is a tool used to create test cases for fuzzing of structured text inputs, such as markup and script. It takes a custom high-level grammar format as input, and produces random well-formed test cases as output – it can be used as a grammar fuzzing tool. API programming is complex and subtle programming mistakes […]

Buffer

Exploits/Vulnerabilities, Hacking Tools, Secure Coding› Read More

AddressSanitizer – A Fast Memory Error Detector

July 4, 2015

AddressSanitizer (aka ASan) is a very fast memory error detector for C/C++, Tthe average slowdown of the instrumented program is ~2x. The tool works on x86 Linux and Mac, and ARM Android. AddressSanitizer is based on compiler instrumentation and directly-mapped shadow memory. The tool consists of a compiler instrumentation module (currently, an LLVM pass) and […]

Buffer

Exploits/Vulnerabilities, Hacking Tools, Secure Coding› Read More

zzuf – Multi-Purpose Application Input Fuzzing Tool

May 26, 2015

zzuf is a transparent application input fuzzing tool or fuzzer. Its purpose is to find bugs in applications by corrupting their user-contributed data (which more than often comes from untrusted sources on the Internet). It works by intercepting file and network operations and changing random bits in the program’s input. zzuf’s behaviour is deterministic, making […]

Buffer

Hacking Tools, Secure Coding› Read More

# Download from GitHub Releases # https://github.com/n3rada/MSSQLand/releases # For operators compiling from source # Requires Visual Studio with .NET Framework 4.8 SDK git clone https://github.com/n3rada/MSSQLand.git cd MSSQLand # Open MSSQLand.sln in Visual Studio and build for x64 Release

MSSQLand.exe <host> [options] <action> [action-options] # Connection test only (no action executed) MSSQLand.exe localhost -c token # Execute specific action MSSQLand.exe localhost -c token info MSSQLand.exe localhost:1434@db03 -c token info # Linked server chain traversal # Format: server:port/user@database or any combination # Semicolon (;) separates servers, forward slash (/) specifies impersonation MSSQLand.exe localhost -c token -l SQL01;SQL02/admin;SQL03@clients info # Configuration Manager actions (cm- prefix) MSSQLand.exe sccm-db.corp -c token cm-devices MSSQLand.exe sccm-db.corp -c token cm-scripts # CSV output for automation MSSQLand.exe localhost -c token --format csv --silent procedures > procedures.csv

Stolen credentials are now the single most reliable entry point into enterprise networks. Compromised credentials accounted for 22% of all confirmed data breaches in the period covered by Verizon’s extended credential stuffing analysis accompanying the 2025 DBIR, making it the most common initial access vector for the third consecutive year. Credential stuffing, the automated replay of stolen username-password pairs at scale, requires minimal skill, costs almost nothing to run, and succeeds at rates that make it economically rational to run campaigns against thousands of targets simultaneously. Multi-factor authentication (MFA) remains the single most effective control against it, yet deployment gaps persist across sectors that should know better.

The Credential Supply Chain

Credential stuffing depends on a supply chain that runs from infostealer malware through dark web markets to attack tooling. Malware families, including Lumma, RedLine, StealC, and Acreed, scrape browser password vaults, saved cookies, and autofill data from compromised machines. The harvested data is identical to what tools like DumpBrowserSecrets extract during post-exploitation: saved passwords, session cookies, OAuth refresh tokens, and autofill entries pulled directly from Chrome, Edge, Firefox, and every other major browser. Attackers package that raw material into structured files known as combolists, formatted as email: password pairs, cleaned of duplicates, and categorised by service type or geography before selling them on.

Combolists trade freely across dark web forums, Telegram channels, and dedicated cracking communities. The initial access broker ecosystem documented throughout 2025 has normalised validated credentials as a commodity. Fresh lists built from recent infostealer logs command significantly higher prices than aged database dumps because they have higher validity rates. The Verizon analysis found that only 49% of a user’s passwords across different services are distinct. That figure is what makes credential stuffing economically viable: breach one service, and there is roughly a 50% chance the same password works elsewhere. Across millions of accounts, that probability becomes near-certainty.

The tooling that drives attacks is openly available. OpenBullet and its successor, SilverBullet, are credential-stuffing frameworks originally released as penetration testing utilities, now standard tools in account-takeover (ATO) operations. They automate the full attack loop: loading combolists, rotating through residential proxies to dodge rate limiting and IP blocks, sending login requests that mimic legitimate browser behaviour, and logging successful hits. Attackers also buy and sell custom configuration files, known as configs, that define the authentication flow for specific target services. Unofficial marketplaces offer configs for specific banking portals, SaaS platforms, and enterprise single sign-on (SSO) providers alongside combolists and proxy subscriptions.

Three Case Studies from 2025

In late March 2025, coordinated credential stuffing attacks hit five major Australian superannuation funds simultaneously: AustralianSuper, Rest Super, Hostplus, Australian Retirement Trust, and Insignia Financial. As BleepingComputer reported on the coordinated attacks, attackers compromised over 20,000 accounts across the five funds, with four AustralianSuper members losing a combined AUD 500,000. The attackers used combolists from prior unrelated breaches. AustralianSuper offered MFA but did not enforce it at login, a gap that regulators identified as the primary enabling factor. Retirement funds make attractive targets because account balances are high, withdrawals are slow to reverse, and many members check their accounts infrequently.

In April 2025, VF Corporation notified customers of a credential-stuffing attack against the North Face online store. BleepingComputer’s coverage of the April incident confirmed that attackers used credentials from earlier unrelated breaches to access accounts and exfiltrate names, email addresses, shipping addresses, phone numbers, purchase history, and dates of birth. Payment card data was not exposed, as a third-party provider handles payment processing. The April attack followed a March incident that exposed 15,700 accounts across The North Face and Timberland. It was the fourth credential stuffing incident against VF Corporation brands since 2020. The pattern reflects a structural problem: tens of millions of customer accounts, high password reuse rates, and authentication systems not designed to detect low-and-slow validation campaigns.

The Change Healthcare breach in February 2024 remains the most consequential recent example of credential-based initial access. The ALPHV/BlackCat ransomware group entered UnitedHealth’s Change Healthcare subsidiary through compromised Citrix credentials on a remote-access portal without MFA, as confirmed in Congressional testimony from UnitedHealth’s CEO. The attackers moved laterally through the billing network and deployed ransomware that shut down payment processing for healthcare providers across the United States for weeks. The incident produced a $22 million ransom payment and an estimated $872 million in reported disruption costs in the first quarter alone. One set of valid credentials on one unprotected endpoint caused one of the largest healthcare-sector disruptions in US history.

Detection and Evasion Techniques

Modern credential stuffing campaigns specifically target the detection mechanisms most organisations have deployed. Attackers bypass velocity-based controls that flag high volumes of failed login attempts from a single IP by rotating through residential proxies. They distribute attempts across thousands of IP addresses so each one generates only a handful of requests, staying below alert thresholds. Third-party CAPTCHA-solving services handle challenge pages, some of which are automated via machine learning and others through human labour farms. Tools that emulate legitimate browser environments, including correct JavaScript execution, realistic mouse movement patterns, and authentic request timing, defeat browser fingerprinting.

The MITRE ATT&CK framework categorises credential stuffing under T1110.004 (Brute Force: Credential Stuffing). Defenders should monitor for several specific signals: unusual geographic distributions of authentication requests, spikes in failed logins spread across a wide IP range rather than concentrated at a single source, and successful logins from IP addresses tied to residential proxy services. Account logins from devices or browsers with no prior history on the account also warrant investigation. The Verizon analysis found that credential stuffing accounted for a median of 19% of all authentication attempts across SSO providers, meaning roughly one in five login attempts was not legitimate.

One underappreciated detection gap is the window between credential exposure and organisational awareness. Dark web monitoring tools available to enterprise teams in 2025 make it operationally achievable to track stealer log markets and paste sites for corporate email domains. Many organisations still treat that monitoring as optional rather than a core detection layer. Credentials circulate in combolists for months before the affected organisation becomes aware, and attackers exploit that window systematically.

Regulatory Response

The 23andMe case produced the most visible regulatory outcome tied directly to credential stuffing. A 2023 attack using combolists accessed approximately 6.9 million customer records. The UK Information Commissioner’s Office fined the company £2.31 million for failing to implement adequate security, specifically the absence of mandatory MFA for accounts holding sensitive genetic data. In March 2025, as Wired reported in its coverage of the 23andMe bankruptcy, the company filed for Chapter 11, with the credential stuffing incident and its downstream legal consequences cited as contributing factors. Regulators in the UK and EU now reference the case as evidence that weak authentication controls constitute a material governance failure, not a technical oversight.

CISA’s 2024 guidance on phishing-resistant MFA explicitly identifies credential stuffing as a primary threat driver. It recommends hardware security keys and passkeys using the WebAuthn standard as the only controls that fully eliminate the credential reuse vector. SMS one-time passwords and Time-based One-Time Password (TOTP) codes provide partial protection but remain vulnerable to adversary-in-the-middle (AiTM) interception, a technique increasingly applied against accounts whose value justifies the extra effort.

CISO Playbook

Phishing-resistant MFA enforced across all externally facing authentication endpoints, including VPN portals, SSO providers, and remote desktop services, eliminates the primary path for exploitation. Password screening against known-breach corpora at login and account creation, using services such as the Have I Been Pwned API, removes credentials already circulating in combolists before attackers can validate them. Rate limiting and progressive account lockout on all authentication endpoints, including API login flows that teams frequently overlook, cuts the volume of attempts that reach the validation stage.

Bot detection that analyses behavioural signals, including request timing, device fingerprint consistency, and session cookie behaviour, provides a second line of defence against campaigns that have already bypassed IP-based controls. For organisations on legacy identity infrastructure, a full platform replacement is not the immediate priority. Enforcing MFA on the externally facing authentication layer, regardless of what sits behind it, addresses the highest-risk exposure first. The Change Healthcare incident is the clearest available proof of what one unprotected endpoint costs at scale.

There is no technical solution that eliminates credential stuffing entirely. Password reuse persists, infostealers continue operating at scale, and combolists will keep growing. The practical objective for defenders is to raise the cost of a successful attack on their specific environment above what attackers can profitably tolerate, and to detect the attempts that do succeed before they compound into something worse. Given that 22% of breaches in 2025 started with a valid credential, organisations that treat authentication hygiene as routine maintenance rather than a strategic priority are already in the breach statistics.

Frequently Asked Questions

What is credential stuffing, and how does it differ from brute force?

Credential stuffing uses real username-password pairs stolen from previous breaches and automatically replays them against other services. Brute force generates password guesses from scratch. Stuffing is faster, quieter, and far more effective because it exploits password reuse rather than attempting to crack unknown passwords. A combolist of 10 million verified credentials will outperform any brute-force dictionary attack against the same target.

What is a combolist, and where do attackers get them?

A combolist is a structured file of email-and-password pairs compiled from data breaches, infostealer malware logs, and dark web markets. Attackers source them from initial access broker forums, Telegram channels, and dedicated credential marketplaces. Fresh lists derived from recent infostealer campaigns are the most valuable because their owners have not yet rotated the credentials.

How do attackers bypass rate limiting and CAPTCHA during credential stuffing?

Attackers use residential proxy networks to distribute login attempts across thousands of IP addresses, keeping per-IP request volumes below detection thresholds. CAPTCHA challenges are handled by third-party solving services, either via automated machine-learning methods or by human labour farms. Tools such as OpenBullet and SilverBullet emulate realistic browser behaviour, including JavaScript execution and mouse-movement patterns, to evade browser fingerprinting controls.

Does multi-factor authentication stop credential stuffing?

Phishing-resistant MFA using hardware security keys or passkeys under the WebAuthn standard fully eliminates the credential reuse vector. SMS one-time passwords and TOTP codes reduce exposure but remain vulnerable to adversary-in-the-middle interception. The Change Healthcare breach, which resulted in $872 million in disruption costs, occurred on a Citrix portal with no MFA. Enforcing MFA on every externally facing authentication endpoint is the single highest-impact control available.

What are the most common targets for credential stuffing attacks?

Enterprise SSO portals, VPN gateways, e-commerce account login pages, financial services platforms, and healthcare provider systems are the most frequently targeted. Retirement and superannuation funds have emerged as high-value targets in 2025 because account balances are large, members check accounts infrequently, and MFA enforcement has historically been optional rather than mandatory.

How can organisations detect credential stuffing attacks in progress?

Key signals include spikes in authentication requests distributed across a wide IP range rather than concentrated at a single source, successful logins from residential proxy IP addresses, account access from devices or browsers with no prior history, and unusual geographic distributions in login activity. Continuous monitoring of dark web stealer log markets for corporate email domains provides early warning before credentials are actively exploited. The Verizon 2025 DBIR found that credential stuffing accounts for a median of 19% of all SSO authentication attempts, so baseline volume analysis is also a viable detection layer.

This article covers techniques used by both attackers and defenders for educational and research purposes. The tools and marketplaces described are documented by security researchers and law enforcement agencies.

Usage: DumpBrowserSecrets.exe [options] Options: /b:<browser> Target Browser: chrome, edge, brave, opera, operagx, vivaldi, firefox, all (default: system default browser) /o <file> Output JSON File (default: <browser>Data.json) /all Export All Entries (default: max 16 per category) /? Show This Help Message Examples: DumpBrowserSecrets.exe Extract 16 Entries From The Default Browser DumpBrowserSecrets.exe /b:chrome Extract 16 Entries From Chrome DumpBrowserSecrets.exe /b:firefox /all Export All Entries From Firefox DumpBrowserSecrets.exe /b:brave /o Output.json Extract 16 Entries From Brave To Output.json DumpBrowserSecrets.exe /b:all /all Extract All From All Installed Browsers

name: Heisenberg Health Check on: pull_request: paths: - "**/poetry.lock" - "**/uv.lock" - "**/package-lock.json" - "**/yarn.lock" - "**/requirements.txt" - "**/go.mod" permissions: contents: read pull-requests: write issues: write jobs: deps-health: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Detect changed manifest id: detect run: | git fetch origin ${{ github.base_ref }} --depth=1 LOCK_PATH=$(git diff --name-only origin/${{ github.base_ref }} | \ grep -E 'poetry.lock$|uv.lock$|package-lock.json$|yarn.lock$|requirements.txt$|go.mod$' | head -n1 || true) echo "lock_path=$LOCK_PATH" >> $GITHUB_OUTPUT - name: Heisenberg Dependency Health Check uses: AppOmni-Labs/heisenberg-ssc-gha@v1 with: package_file: ${{ steps.detect.outputs.lock_path }}

Frida – Dynamic Code Instrumentation Toolkit

YARA – Pattern Matching Tool For Malware Analysis

american fuzzy lop – Security Oriented Fuzzing Tool

Twittor – Backdoor Using Twitter For Command & Control

peinjector – MITM PE File Injector

Gcat – Python Backdoor Using Gmail For Command & Control

Dharma – Generation-based Context-free Grammar Fuzzing Tool

AddressSanitizer – A Fast Memory Error Detector

zzuf – Multi-Purpose Application Input Fuzzing Tool

Most Viewed Posts

Search

Recent Posts

Secure Coding

What Tools can be used for Secure Coding?

Footer

Most Viewed Posts

Search

Recent Posts

Tags