The new face of the security team DoS

Nearly a year ago, I wrote about an emerging trend I observed with some of the bounty researchers I was interacting with. This screed can be considered an extension of that article. There an emerging trend I’m noticing - I’ve been receiving more messages like the following: Hey , I found Security Vulnerability in your web application ,which can damage site as well as users too.For security purpose can we report vulnerability here,then will i get bounty bounty reward in PayPal or Bitcoin for Security bug ?...

September 14, 2018 · 2 min · Me

My Security 101 - 2018 update

In a post from 2015,, I write about some of the “Security 101” issues I considered to be fundamental. Since 2015, I’ve been exposed to several environments where I have seen the same basic security fails. In addition to my previous Security 101 items (2FA, avoiding password reuse, using a password manager, being mindful of what gets posted on social media, and inspecting email links) I would like to add the following new items to my “Security 101”:...

August 2, 2018 · 2 min · Me

Static Analysis with Burp Suite

I’m so far behind the times, it’s sad. Burp Suite gained the ability to perform static analysis on JavaScript libraries back in 2014. Some sites and authors have already blogged about what their approach is for implementing this.I’d like to echo Lukas’s method, but with an easier setup. Simply navigate to the local directory containing the app and serve it using Python’s built-in HTTP server. python2 syntax: python -m SimpleHTTPServer <port> python3 syntax: python3 -m http....

April 10, 2018 · 1 min · Me

Cross-Account file access on AWS S3

The Problem Secure file sharing using AWS S3: I upload a file to an S3 bucket with restricted permissions The client downloads the file and processes it The client uploads the results to the S3 bucket I download the processed file and the transaction is complete I thought setting the permissions on the bucket would be enough. I was wrong. The Setup I use a federated login to AWS and assume a role under a corporate account....

March 30, 2018 · 3 min · Me

A Lesson for Bug Bounty Researchers

I’m managing a bug bounty program that has shown tremendous benefit so far. Several findings have been extremely clever, and I’ve been fortunate enough to have good interactions with the vulnerability researchers. However, I’ve also had a few unsatisfactory interactions with researchers. This post is directed at Bug Bounty researchers that do not have much experience in corporate environments. I think a list of do’s and don’ts is appropriate for this breakdown....

October 20, 2017 · 4 min · Me

iOS and Android Native Code Protections

iOS Secure Boot Chain Each step of the startup process contains components that are cryptographically signed by Apple to ensure integrity and that proceed only after verifying the chain of trust. This includes the bootloaders, kernel, kernel extensions, and baseband firmware. This secure boot chain helps ensure that the lowest levels of software aren’t tampered with. When an iOS device is turned on, its application processor immediately executes code from read-only memory known as the Boot ROM....

June 19, 2017 · 27 min · Me

Password Manager Advice

A developer at work asked a general question to the group: “I’m thinking about using either LastPass or 1Password, anything I should know?” As the team’s newest “Security Guy”, I answered with this brief response: LastPass is easier to get started with as someone who’s never used a password manager before. Their product is seamlessly >integrated into browsers and mobile devices, although it’s not the prettiest. LastPass stores your encrypted password vault on their servers....

April 17, 2017 · 3 min · Me

Developing an Application Security Program

Since my last post, I’ve left my position with the consultancy. I’m now working for a medium-sized corporation in a senior application security role. One of my many tasks is to contribute to the development of an Application Security program. This post will serve as my thoughts on setting up an AppSec Program. Measuring current performance The Building Security In Maturity Model (BSIMM) is a study of existing software security initiatives used by 95 companies of varying size across six verticals....

March 21, 2017 · 2 min · Me

Fix AWS SSL Certificate error in Burpsuite

This morning, while I was trying to proxy traffic to this site in Burpsuite, I ran across an SSL handshake error. Googling the issue returned this helpful article that got me started on the right path. The crux of the problem was that the JRE didn’t have the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files installed. However, since this article was published, Portswigger began bundling the JRE with Burpsuite itself....

January 11, 2017 · 2 min · Me

Configure an Upstream Proxy for Burpsuite

I had the need to proxy traffic from Burpsuite to another proxy during web app testing this week. There are a few ways to do this, but this method was the easiest since I already had Burpsuite’s TLS certificate installed. For more information on this, see the Burpsuite help. To configure an upstream proxy for Burpsuite, such as OWASP ZAP, follow these steps: First, configure your upstream proxy that will sit between Burpsuite and the web application to listen on a different port since they both bind TCP 8080 by default....

November 5, 2015 · 1 min · Me

My Security 101

What I hope are some reasonable basic security practice recommendations

January 20, 2015 · 1 min · Me

RubberDucky Powershell Payload

On a recent engagement I supported the lead by developing a PowerShell payload for a RubberDucky. The gist is that it will run a handful of standard Windows commands and then e-mail the results to a specified address. It proved to be very helpful and I’ve included it below with comments: # Set execution policy to allow unrestricted script scope Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false #Create results file in current user's temp directory $results = $env:temp + '\results....

December 22, 2014 · 1 min · Me

PHP, MySql, and Injection

Inspired by Jack Daniel’s “Shoulders of InfoSec Project”, this post will be focused on the people and technologies behind one of the most prevalent attacks on web sites: SQL injection. According to OWASP, injection is the number one attack vector for web applications. Injection attacks can target many different contexts in a web application: HTML, PHP, ASP, Javascript, SQL, etc. Any context in which an interpreter parses input to execute instructions is potentially vulnerable to an injection attack....

November 26, 2014 · 12 min · Me

DerbyCon 4.0

Unfortunately, I didn’t arrive at the ballroom early enough to get seats, or even standing room, to see this talk in-person: Ed Skoudis: How To Give The Best Pen Test Of Your Life If you’re a Pen Tester, this talk is a must-see. Once you’ve finished that talk, check out John Strand’s excellent follow-up talk! After competing for Friday night, most of Saturday, and Sunday morning, I emerged as the 30th position (solo) out of the 120 teams competing in the CTF....

October 1, 2014 · 1 min · Me

Local File Inclusion Mini-list

A mini-list reference for interesting LFI targets

September 25, 2014 · 1 min · Me