Archive

NoSql Injection Cheatsheet

I was recently discussing how to exploit NoSQL vulnerabilities with a bug bounty tester who had successfully used my NoSQLi [https://github.com/Charlie-belmer/nosqli] program to find a vulnerability on a major site (and received a $3k bounty!). Using the scan tool is a great way to find some

Azure Security Architecture

In this article, I will walk through configuring and setting up all the Azure services needed to secure your account. There are many services available, but it can be difficult to understand what needs to be done to actually get protected and ensure that all assets are covered. This is

NoSQLi 0.5.1 Released

The next Alpha release for NoSQLi is ready for use! This version brings a few minor bug fixes and performance enhancements to existing scans. The primary new feature is the addition of certain PHP GET parameter injections. This means that nosqli now has all the planned injection type detection completed

Security Bug Hunting with Proxies

When hunting security issues or checking applications for potential privacy violations, the first tool I reach for is a web proxy. I frequently get asked about the tools I screenshot in these posts, and asked about my process, so I decided to share the basic steps I take to test

NoSQLi - A Fast NoSQL Injection Scanner

Last year, I started working on a NoSQL injection framework, because I just didn't find a tool that suited my purposes. Other tools are too hard to automate in my workflow, or missed a lot of the simple test cases I tried. So I developed nosqli [https://github.

Kindle Collects a Surprisingly Large Amount of Data

As an avid reader, I've owned several generations of Kindle devices, from the original to the Paperwhite, and loved each of them. However, I have also kept a watchful eye on the abuse potential of the new format. Because Amazon technically owns the content you view, they may

DEFCON 2020 Live Notes

I'm taking some time to attend DEFCON [https://defcon.org/] virtually this year. I'll be posting notes from talks, Q&A, and maybe even take aways from "hallway" conversations I have here throughout the weekend. I tend to focus mostly on webappsec, cloud

Secrets Management for Developers

One thing that comes up frequently in security is how to deal with application secrets. There are many methods for managing secrets, from hard coding into source code to using a credential manager to environment variables. In this post, I'll go through some Do's and Don&

Government Surveillance of Protestors

Governments around the world continue to ramp up surveillance of protests and civil unrest. Here, I have tried to collect the governmental use of technologies to monitor and disrupt movements in repressive and democratic countries alike. Modern anti-protester tactics include many things: cell phone monitoring, communications disruptions, social media blocking,

Why is This Website Port Scanning me?

Recently, I was tipped off about certain sites performing localhost port scans against visitors, presumably as part of a user fingerprinting and tracking or bot detection. This didn't sit well with me, so I went about investigating the practice, and it seems many sites are port scanning visitors

My Favorite InfoSec Learning Resources

I am always learning new things about security, and sometimes mentor junior team members on where they can learn new skills. I find that a successful practitioner is one who not only spends time understanding the security concerns, tools, and skill sets, but also the underlying technologies to be protected

Centralized Security Logging in AWS

When securing an AWS environment, one of the first tasks is configuring CloudTrail [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html] and ensuring that logs from various accounts within an organization are shipped to a centralized AWS security account. Frequently, however, there are other log sources that I

A Better Way to SSH in AWS (With RDS tunneling and security automation)

When I first started using AWS environments, the Bastion architecture was prevalent as the way to setup SSH connections. A dedicated "bastion" server is provisioned with SSH ports exposed to an internal network, or in some cases the internet, so that other servers do not have to expose

Advanced AWS Security Architecture

Most articles on AWS security rightfully spend a lot of time talking about the basics, such as setting up minimized IAM roles, encrypting data, and basic monitoring. It is more difficult to find guidance and specific implementation recommendations on advanced, automated security configurations. In this series of articles, I will

Subdomain_recon.py: A SubDomain Reconnaissance Tool

Recently I participated in a hackathon building tools to help the blue team inventory our external attack surface. We are a large business with many global locations, datacenters, and devices, built up over time and via acquisition, so there is a lot to search for, and our internal inventories don&

Deploying Docker Securely

Docker is a fantastic piece of technology for teams. Some time ago, I published a series of articles on building a docker security program [https://nullsweep.com/building-a-docker-security-program/], which covers doing a threat assessment, image static and runtime analysis, and overall container patching and maintenance. I was asked recently about

A Pivot Cheatsheet for Pentesters

I don't often come get a chance to use pivot techniques, so I sometimes find myself searching for reminders about various methods and their trade offs. I put together this list of common pivot techniques I have used, along with a quick to setup docker-compose environment to get

A NoSQL Injection Primer (with Mongo)

If you're looking for a quick way to scan for NoSQL Injection, check out my tool nosqli [https://nullsweep.com/nosqli-a-fast-nosql-injection-framework/] for fast MongoDB noSQL injection scanning.Last year, I interviewed a number of coding bootcamp graduates who were taught the MEAN stack exclusively. When looking at their

HTTP Security Headers - A Complete Guide

Companies selling "security scorecards" are on the rise, and have started to become a factor in enterprise sales. I have heard from customers who were concerned about purchasing from suppliers who had been given poor ratings, and in at least one case changed a purchasing decision based initially

Empathizing With Threat Actors

Empathy is a powerful tool in human relationships, but often it seems to be disregarded when talking about more technical realms such as security. Sometimes even talking about empathizing with a threat actor causes discord: throughout history, empathizing with an enemy has often been seen by the masses at best