Finding critical vulnerabilities in your web application on Friday at 5PM.

Hey, I’m Phil Thomas, but I go by fz42 on the internet.

I used to build software, now I break it. I am currently working with Stratum Security as an Application/Cloud Security Consultant Lead.

I am a hacker, technologist, gamer, and aspiring farmsteader. I am passionate about security, privacy, and technology. I am a father and husband. I am a human.

Everything here is written by me, see my /ai page for more information on “AI” usage.

You can also find me at the links below:

Automating My GitHub Profile with Actions

Two years ago I bookmarked Building a self-updating GitHub README. Finally crossed it off my todo list this week. The Journey Four months ago, my employer got acquired. Anyone who’s been through an acquisition knows the drill - uncertainty about the future naturally leads to resume polishing. I got tired of installing TeX distributions just to build my resume. I created a GitHub Action that built the PDF as an artifact. Good enough… I was manually downloading it in case I had to start sending it around. ...

Detecting Azure Front Door WAF with BChecks

TrustedSec discovered that Azure Front Door WAF’s IP restrictions can be bypassed when using the default RemoteAddr setting. When the bypass works, ALL WAF rules get disabled - not just IP filtering.

Front Door WAF has a specific fingerprint: 403 responses include both x-azure-ref and x-cache headers. Application Gateway WAF doesn’t include these.

I’ll definitely forget these details in six months. That’s why I wrote this BCheck:

    metadata:
        language: v2-beta
        name: "Azure Front Door WAF Detection"
        description: "Detects Azure Front Door WAF based on 403 response headers"
        author: "fz42"
        tags: "azure", "waf", "bypass"

    given response then
        if {latest.response.status_code} is "403" and
           {latest.response.headers} matches "(?i)x-azure-ref" and
           {latest.response.headers} matches "(?i)x-cache" then
            report issue:
                severity: info
                confidence: firm
                detail: `Azure Front Door WAF detected.

    If using RemoteAddr (default) for IP restrictions, try X-Forwarded-For bypass:
    - 127.0.0.1
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
    - ...

    If bypass works, ALL WAF protections are disabled.

    References:
    https://trustedsec.com/blog/azures-front-door-waf-wtf-ip-restriction-bypass`
                remediation: "Use SocketAddr instead of RemoteAddr or make a compound condition including both SocketAddr and RemoteAddr in WAF configuration."
        end if

Now, I’ll have a nice reminder in Burp Suite ensuring I don’t miss this in the future. ...

Justifying Claude Max with ccusage

I pay $200/month for Claude Max 10x and wanted to verify it’s actually saving me money. ccusage shows what I would have spent on API tokens:

Even in June (lighter usage), API tokens would have cost more than the subscription. July shows why I’ll keep paying - I’m already at 6x the subscription cost.

The numbers

Claude Max 5x: $100/month
Claude Max 20x: $200/month
My June API usage: $246
My July API usage: $1,362 (and counting)

Check your own usage

    npx ccusage@latest monthly

Context

I run a side business and bill clients for development work, which makes a $200/month tool easier to justify. With a fixed monthly cost, I never think “is this prompt worth it?” or “should I try a different approach?” I just build. No mental math on whether refactoring this feature will cost $0.50 or $5.00 in tokens. ...

People aren't using IDEs anymore by end of year

I just watched Mastering Claude Code in 30 minutes by Boris Cherny from Anthropic, which is an excellent overview if you haven’t tried it yet. He demonstrates the capabilities clearly and shows some useful examples. But this prediction caught my attention: “I think there’s a good chance that by the end of the year, people aren’t using IDEs anymore” That’s a bold timeline. When I’m not doing security consulting, I’m building software and Claude Code has transformed my workflow. Whether it’s Python, Swift, TypeScript, C#, or Go, I can prototype ideas faster than I could ever code them manually. The ability to rapidly prototype and discard has fundamentally changed how I develop. ...

Hello fz42

Why I'm changing from fatzombi to fz42: zombie avatars don't fit in client Slacks. Technical details on the domain setup and what's staying the same.

Migrating from IAM Secret and Access Keys to OIDC for Secure AWS Deployments

Changing our GitHub Action to leverage OIDC instead of hard-coded AWS Secret and Access Keys.

Protect your S3-hosted static website with Origin Access Control

I previously wrote about Deploying a Jekyll website to AWS S3 with GitHub Actions and AWS CloudFormation. However, as I continue to learn more about AWS, the more tweaks I realize we can make. What I want to walk through today is removing the public access to our S3 bucket which hosts our static site. We will configure an Origin Access Control to allow only CloudFront to access the S3 bucket. There’s one caveat to our use case, but we can resolve that using CloudFront Functions. ...

Configuring a Private Burp Collaborator on AWS EC2 with Route 53 and Let's Encrypt

Tutorial demonstrating how to configure a private Burp Collaborator instance on AWS EC2 behind AWS Route 53 and Let's Encrypt for TLS certificates.

Automating Your Homelab with Proxmox, Cloud-init, Terraform, and Ansible — Part 3: Automating with Ansible

Picking back up where we left off in Part 2 of our homelab automation series, we now have Terraform creating our minimally configured VMs. However, installing and configuring software and settings on VMs can still be a tedious and time-consuming task, especially if you have many VMs and services to manage. This is where Ansible comes in.

Overview of Ansible

Ansible is an open source infrastructure as code tool that allows you to provision software, perform configuration management, and handle application deployments. Similar to Terraform, it uses a declarative language that is simple to write. Additionally, there are thousands of modules, most of which can be found at https://docs.ansible.com/ansible/latest/collections/index_module.html. In this article, we will explore how to use Ansible to automate the configuration of our VMs. ...

Automating Your Homelab with Proxmox, Cloud-init, Terraform, and Ansible — Part 2: Deploying your VMs with Terraform

Picking back up where we left off in Part 1 of our homelab automation series, we now have a cloud-init image that we can use to quickly and easily configure new virtual machines in Proxmox. However, manually creating and configuring each VM can still be a tedious and time-consuming task, especially if you have a lot of them to manage. This is where Terraform comes in.

Overview of Terraform

Terraform is an open-source infrastructure as code tool that allows you to define and manage your infrastructure as code. This code is a declarative language that is simple to write. In this article, we will explore how to use Terraform to automate the creation of VMs in Proxmox, using the previously generated cloud-init image. But before we can do that, we need to set up Proxmox to allow Terraform to authenticate and interact with the API. ...