Mental Health

My experience of stress

I recently listened to a podcast episode featuring Troy Hunt, hosted by Ushi. If you haven’t heard of Ushi’s podcast before, check it out here: InfosecWhiskey. Aside from talking about whisky, the episode focuses on stress management, especially during the current turbulent circumstances of the COVID pandemic.

By the way, whilst we’re on the topic of whisky, I can recommend a bottle (or two) of Penderyn Madeira. This is a Welsh whisky (my home country); it is very unlike your typical scotch but it’s definitely enjoyable.

Troy explains his own personal experience of stress management when dealing with the acquisition of his haveibeenpwned service, amongst other things. I strongly recommend reading his blog post covering this topic. It’s a very insightful read into his coping mechanisms.

Listening to Troy and Ushi made me consider my own relationship with stress, and how it impacts me each day. As Troy mentions in his blog, talking about emotions and stress isn’t all that common, especially amongst “blokes” – this is why I felt it important to share my experience.

When I take a step back and review how I deal with stress, I have an unhealthy ability to push through stressful situations. I find my anxieties propel me forward rather than hold me back. This happens without me realising.

I consider this to be an unhealthy habit where I’m constantly battling with the different stresses of life. Somehow, completely oblivious to how stressed I am, I just keep battling through each situation, and it takes a toll on my physical and mental health. I only realise I’m in this situation after sustaining high stress for several weeks, by which point I’m very close to (or at) the stage of burnout.


The best way I find I manage my stress is by remaining mindful. I’m not referring to meditation (personally, I can’t remain focused enough to benefit from it). What I mean by mindfulness is simply having awareness over your own emotions, and how you react to different situations. It’s only when you have this awareness you can do something about it. This leads me to my next point.


I often find putting situations into perspective is helpful. For example, how many times have you received an e-mail in work which has pissed you off, keeping you in a bad mood for the rest of the day?

In my experience, whilst these little things can be very annoying and stir a lot of emotion, they are often just that – little things. Having perspective over your situation will help you realise how much worse things could be. That’s not to say your situation, emotion or reaction isn’t valid, but it helps you react to your situation more appropriately, and remain more positive.

Is it really worth letting a small event dictate your emotions for the rest of the day?


This is an obvious one – but it’s one we always forget. Find time to focus on yourself, whether it be a hobby or something else. You need something to escape to.

Book paid time off work, and book it in advance so you have something to look forward to. Don’t wait until you’re stressed; by then it is too late. I’m finding this more important during COVID, as I take less leave when I can’t go on holiday or leave the house during lockdown.

If you’re working from home, I find it helpful to separate my work and home environments. This was really challenging when I previously lived in a one-bed flat, but even taking a walk after work can help create that separation.


I’ve only covered a few of the things I find helpful to manage stress – what works for you may be different, but I’m hoping you can get some insight from this blog post. Don’t forget to read Troy Hunt: Sustaining Performance Under Extreme Stress.


Barking up the wrong tree

Investigating what I thought could be an SQL Injection in WHMCS

For those of you who haven’t heard of WHMCS before, you may have heard of cPanel/WHM. cPanel is a very popular control panel installed on many web servers worldwide (WHM is the administration panel that sits behind it).

WHMCS is a very popular billing system which integrates seamlessly with cPanel and WHM for automatic account creation. In my opinion, it hasn’t had a great security history. It’s probably better these days, but I recall reporting an XSS vulnerability to them a few years ago and I wasn’t particularly happy with the way they prioritised it.

Recently, I was logged in to a WHMCS instance used by one of the hosting companies I use. For reasons that aren’t relevant, I tried to disable two-factor authentication on my account. When you try to do this in WHMCS, it asks you for your password. I entered my password, but the system said it was wrong. It certainly wasn’t; I pasted it straight from my password manager.

I observed my password contained a quote, and wondered whether this could be triggering some sort of SQL issue.

To test this, I changed my password to the same value with the single quote removed. This time, disabling two-factor authentication worked fine, without error.

Have I just discovered an SQL Injection in WHMCS? This seemed serious enough for me to investigate – it was certainly behaving in a way it shouldn’t.

I purchased a monthly licence and installed WHMCS on my local machine; further testing was needed.

WHMCS is closed source and its code is obfuscated, so it’s not as easy as reading the source to see what it’s doing.

I registered a new client account, ensuring to put a quote in my password, and I was able to replicate the issue locally. The version I installed was 8.0.4 – I haven’t tested other versions.

I loaded Burp Suite to capture the registration request before it reached the server. From there, I exported the request and fed it to sqlmap, a tool for automatically testing inputs for SQL injection. To my surprise, sqlmap found nothing.

I wasn’t going to leave it there though; this code was misbehaving and I wanted to find out why. When a quotation mark in user input causes an error, it is often a sign that the input is reaching a SQL query unescaped, and therefore a potential SQL injection. If sqlmap couldn’t identify any injection, why was this code misbehaving?

After much discussion and help from atthacks, we identified that the issue we were dealing with wasn’t a SQL injection risk. Disappointing, as I thought I was onto something here!

As part of our analysis, we registered an account with the following password: password'

We then took the hash from the database and cracked it using John the Ripper.

The output from John the Ripper

As we can see, the quote was not stored in the database as a literal ' but as its HTML entity, the numeric character reference for ASCII 39 (this copy of the post renders the entity back to a plain quote). Therefore, as far as the system is concerned, my password was actually password followed by that entity, not password'. The quote had been represented by the character code for a quote rather than the quote itself, which means the password was HTML-encoded at some point before it was hashed.

The question is, why would they do this? Technically, you can limit SQL injection risk by stripping or encoding quotes, but it certainly shouldn’t be relied upon: it only helps where the injected value lands inside a quoted string literal, and an input that lands in a numeric context (a WHERE id = ... clause, for example) needs no quotes at all. Proper parameterised queries are what fully mitigate SQL injection. I can only assume they’re doing both, as I found no way to leverage this into an injection.

Encoding the password is therefore completely unnecessary: parameterised queries already eliminate the SQLi risk, and encoding the quotation marks offers no further protection while breaking functionality.
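To make the mechanism concrete, here is an added example (my own illustration, not WHMCS code, and not a claim about how WHMCS is implemented) using Python and SQLite as a stand-in for the PHP/MySQL stack. The encode_first flag is an assumption that mimics the suspected behaviour: the password is HTML-encoded before hashing at registration, while the check on the two-factor form hashes the raw password. Note that Python’s html.escape() produces &#x27; for a quote, whereas PHP’s htmlspecialchars() with ENT_QUOTES produces &#039;; the effect is the same. The sample credentials and the hunter2 row are constructed for the demo.

```python
import hashlib
import hmac
import html
import sqlite3

# Constructed sample credentials; the trailing quote is the whole point.
USERNAME = "alice"
PASSWORD = "password'"

# A fixed salt keeps the example deterministic. Real code uses bcrypt/argon2
# (or at least a random per-user salt); the KDF is not what this bug is about.
SALT = b"demo-salt"


def pw_hash(pw: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 50_000).hex()


def new_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw TEXT)")
    return db


def register(db, username, password, encode_first=False):
    """Create a client. encode_first=True mimics the *suspected* (assumed, not
    vendor-confirmed) behaviour: HTML-encode the password, turning the quote
    into an entity, before hashing it."""
    effective = html.escape(password, quote=True) if encode_first else password
    db.execute("INSERT INTO clients (username, pw) VALUES (?, ?)", (username, pw_hash(effective)))
    db.commit()
    return effective  # what the system will now believe the password is


def verify(db, username, password):
    """A check that hashes the raw password, as the 2FA-disable form appears to."""
    row = db.execute("SELECT pw FROM clients WHERE username = ?", (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], pw_hash(password))


def lookup_concat(db, username):
    """Anti-pattern: SQL built by string concatenation (string context)."""
    sql = f"SELECT username FROM clients WHERE username = '{username}' ORDER BY id"
    return [r[0] for r in db.execute(sql)]


def lookup_param(db, username):
    """The fix: the driver binds the value, so a quote is just data."""
    sql = "SELECT username FROM clients WHERE username = ? ORDER BY id"
    return [r[0] for r in db.execute(sql, (username,))]


def by_id_concat(db, client_id):
    """Numeric context: no quotes are needed, so encoding quotes changes nothing."""
    return [r[0] for r in db.execute(f"SELECT username FROM clients WHERE id = {client_id} ORDER BY id")]


def by_id_param(db, client_id):
    return [r[0] for r in db.execute("SELECT username FROM clients WHERE id = ? ORDER BY id", (client_id,))]


def demo():
    results = {}
    db = new_db()
    register(db, "bob", "hunter2")  # a second row so injections visibly return extra data

    # 1. Encode-before-hash: registration succeeds, but the raw password no longer verifies.
    stored_as = register(db, USERNAME, PASSWORD, encode_first=True)
    results["stored_as"] = stored_as                               # "password&#x27;"
    results["raw_verifies"] = verify(db, USERNAME, PASSWORD)        # False: the bug the post hit
    results["encoded_verifies"] = verify(db, USERNAME, stored_as)   # True: the "real" password

    # 2. With parameterised queries the quote needs no encoding at all.
    db2 = new_db()
    register(db2, USERNAME, PASSWORD)
    results["param_verifies"] = verify(db2, USERNAME, PASSWORD)     # True

    # 3. Why encoding is not an injection defence.
    payload = "x' OR '1'='1"
    results["concat_injected"] = lookup_concat(db, payload)                          # both rows
    results["concat_encoded"] = lookup_concat(db, html.escape(payload, quote=True))  # [] this time
    results["param_safe"] = lookup_param(db, payload)                                # []

    num_payload = "1 OR 1=1"  # no quotes, so html.escape() leaves it untouched
    results["id_concat_injected"] = by_id_concat(db, html.escape(num_payload, quote=True))  # both rows
    results["id_param_safe"] = by_id_param(db, num_payload)                                  # []
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first two results reproduce the symptom from the post: the account is created, login with the encoded form would work, but any code path that hashes the raw password rejects it. The last results show the limit of quote-encoding as a defence: it happens to neutralise the string-context payload, but does nothing for the numeric-context one, while parameter binding handles both.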

The thing that bothers me most about this, though, is how this bug wasn’t picked up in a penetration test. It isn’t a security bug, but a penetration test would easily have identified it (a quote in a password field is one of the first things a tester tries). Do they not pentest their software before releasing it? Was it tested but missed? Or was it identified during testing and added to the pile of bugs not worth fixing? Who knows, but it does raise serious concerns about the level of security testing they do prior to release. I’ve used WHMCS myself in previous jobs, and I can’t say I have enough trust in its security these days, especially when you consider the type of data it is supposed to be securing.