appsec

Mallory in the Mobile

Use mallory proxy to view non-https encrypted mobile traffic

Static Analysis with Burp Suite

I’m so far behind the times, it’s sad. Burp Suite gained the ability to perform static analysis on JavaScript libraries back in 2014. Some sites and authors have already blogged about what their approach is for implementing this.

iOS and Android Native Code Protections

iOS Secure Boot Chain Each step of the startup process contains components that are cryptographically signed by Apple to ensure integrity and that proceed only after verifying the chain of trust.

Developing an Application Security Program

Since my last post, I’ve left my position with the consultancy. I’m now working for a medium-sized corporation in a senior application security role. One of my many tasks is to contribute to the development of an Application Security program.

Fix AWS SSL Certificate error in Burpsuite

This morning, while I was trying to proxy traffic to this site in Burpsuite, I ran across an SSL handshake error. Googling the issue returned this helpful article that got me started on the right path.

Configure an Upstream Proxy for Burpsuite

I had the need to proxy traffic from Burpsuite to another proxy during web app testing this week. There are a few ways to do this, but this method was the easiest since I already had Burpsuite’s TLS certificate installed.

PHP, MySql, and Injection

Inspired by Jack Daniel’s “Shoulders of InfoSec Project”, this post will be focused on the people and technologies behind one of the most prevalent attacks on web sites: SQL injection.

URL Encoding

URL Syntax https://admin:[email protected]:80/bio.txt;pp=1&qp=2#Three URL Part URL Data Scheme https User admin Password pass123 Subdomain www Domain example.

Local File Inclusion Mini-list

A mini-list reference for interesting LFI targets