Entropy is not what it used to be.
-
Security Unit Tests
One of the reasons why security creates a challenge in software companies, is that, as a security engineer, we fail to meet the developers where they live. Security tools and processes (pentests) typically result in a human report , or even a particular standardized file format (SARIF, etc). During technical security reviews, teams often file…
-
CertGraph: visualizing the distribution of trusted CA’s
Much of the Internet’s security posture relies on the correct implementation of certificates or certs. We’ve all been taught to look for the “green lock” on websites, and things such as mixed mode and HSTS are a good push for that. Certs 101: Websites, say michaelhendrickx.com, have a leaf certificate. This certificate holds some metadata,…
-
Cross domain cookie contamination
TLDR: XSS attacks can be used to set cookies for sub domains that share the same top level domain. This increases the scope of XSS attacks. In a cloud world; several applications are hosted under the same top level domain. An organization can have hostnames such as: company.com: corporate landing page mail.company.com: webmail intranet.company.com: internal…
-
The revival of (cross site) script kiddies.
First off, a Happy 2019! Being in charge of adjudicating Microsoft’s Cloud Bug Bounty; we see many “low hanging fruit” XSS bugs coming through. While we have tools that catch these bugs, sometimes they slip through the cracks. Also, since machines won’t find every.single.bug.ever; we pay out for interesting bugs, and bump up payouts for…
-
Create random passwords with PowerShell
A task I see myself do occasionally, is to generate a password or other symmetric secret. Of course, to avoid things like “Azure123!” and even going against battery horse stable mechanisms, I like to generate random strings; and store these in a password vault. Either online, or local. At work, I (have to) use PowerShell…
-
CSS keyloggers, hype and/or impact
A few days ago, I stumbled across one of the videos of LiveOverflow, where he discusses a so called “CSS keylogger” (github), its impact and novelty. While there’s nothing new about the attack (it was reported several years ago, yet it popped up again on YCombinator’s HackerNews), I guess it trigger LiveOverflow to make the…
-
Washington State
So, while since I last updated this blog – bad habit of mine. So, I moved a while ago to Washington State, to be closer to work. Still setting everything up, all the usual issues that happen when moving countries, but yay! New places to visit, new people to meet, new things to do!
-
Nullcon 2017
A few months ago, I was asked to speak at Nullcon 2017, which concluded a few weeks ago. It was very well setup conference, and it attracts a lot of the security community in the Indian subcontinent. A pleasure to speak at, and I’d be happy to do it again in Goa 2018. I presented…
-
The lost art of penetration testing
Just a little rant. Often, if a security consultant is asked to perform asked to perform a VA/PT (the difference is a whole topic for another day) for a customer in a number of man-days. Obviously, as with most service based deliverables, one quantifies work in the time spent on it. Hours, or -more often-…
-
Post exploitation tools: Lazagne
Often, after a compromise of a machine, red teams / adversaries search for certificates or credentials to hop to other machines, often referred to as “lateral movement”. When doing so, many use Mimikatz, a tool that extracts credentials, PIN codes and kerberos tickets from memory. There are countless blog articles about how to detect it,…
Got any book recommendations?