Mallory in the Mobile

Use the Mallory proxy to view non-HTTPS encrypted mobile traffic

October 15, 2018 · 8 min · Me

Static Analysis with Burp Suite

I’m so far behind the times, it’s sad. Burp Suite gained the ability to perform static analysis on JavaScript libraries back in 2014. Some sites and authors have already blogged about what their approach is for implementing this. I’d like to echo Lukas’s method, but with an easier setup. Simply navigate to the local directory containing the app and serve it using Python’s built-in HTTP server. python2 syntax: python -m SimpleHTTPServer <port> python3 syntax: python3 -m http....

April 10, 2018 · 1 min · Me

iOS and Android Native Code Protections

iOS Secure Boot Chain Each step of the startup process contains components that are cryptographically signed by Apple to ensure integrity and that proceed only after verifying the chain of trust. This includes the bootloaders, kernel, kernel extensions, and baseband firmware. This secure boot chain helps ensure that the lowest levels of software aren’t tampered with. When an iOS device is turned on, its application processor immediately executes code from read-only memory known as the Boot ROM....

June 19, 2017 · 27 min · Me

Developing an Application Security Program

Since my last post, I’ve left my position with the consultancy. I’m now working for a medium-sized corporation in a senior application security role. One of my many tasks is to contribute to the development of an Application Security program. This post will serve as my thoughts on setting up an AppSec Program. Measuring current performance The Building Security In Maturity Model (BSIMM) is a study of existing software security initiatives used by 95 companies of varying size across six verticals....

March 21, 2017 · 2 min · Me

Fix AWS SSL Certificate error in Burpsuite

This morning, while I was trying to proxy traffic to this site in Burpsuite, I ran across an SSL handshake error. Googling the issue returned this helpful article that got me started on the right path. The crux of the problem was that the JRE didn’t have the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files installed. However, since this article was published, Portswigger began bundling the JRE with Burpsuite itself....

January 11, 2017 · 2 min · Me

Configure an Upstream Proxy for Burpsuite

I had the need to proxy traffic from Burpsuite to another proxy during web app testing this week. There are a few ways to do this, but this method was the easiest since I already had Burpsuite’s TLS certificate installed. For more information on this, see the Burpsuite help. To configure an upstream proxy for Burpsuite, such as OWASP ZAP, follow these steps: First, configure your upstream proxy that will sit between Burpsuite and the web application to listen on a different port since they both bind TCP 8080 by default....

November 5, 2015 · 1 min · Me

PHP, MySql, and Injection

Inspired by Jack Daniel’s “Shoulders of InfoSec Project”, this post will be focused on the people and technologies behind one of the most prevalent attacks on web sites: SQL injection. According to OWASP, injection is the number one attack vector for web applications. Injection attacks can target many different contexts in a web application: HTML, PHP, ASP, JavaScript, SQL, etc. Any context in which an interpreter parses input to execute instructions is potentially vulnerable to an injection attack....

November 26, 2014 · 12 min · Me

URL Encoding

URL Syntax https://admin:[email protected]:80/bio.txt;pp=1&qp=2#Three URL Part URL Data Scheme https User admin Password pass123 Subdomain www Domain Port 80 Path /bio.txt Path Parameter pp=1 Query Parameter qp=2 Fragment Three Safe Characters RFC1738 section 2.2 outlines the safe characters to use in an HTTP URL Scheme:...

October 6, 2014 · 2 min · Me

Local File Inclusion Mini-list

A mini-list reference for interesting LFI targets

September 25, 2014 · 1 min · Me