by Bill Sempf
29. November 2020 14:47
Three tools this week. Pretty cool.
Check your S3 Buckets permission:
https://github.com/nccgroup/s3_objects_check
Information Disclosure research requires OSInt. Take a look at IntelOwl:
https://github.com/intelowlproject/IntelOwl
I might have reported on this before - it isn't new. It is a purposefully vulnerable Android app, for practice purposes:
https://github.com/satishpatnayak/AndroGoat
Hope everyone had a good and safe thanksgiving.
dc29832b-2199-4443-b6af-84c16719d785|0|.0|96d5b379-7e1d-4dac-a6ba-1e50db561b04
Tags:
by Bill Sempf
22. November 2020 14:06
Troy Hunt has another one of his awesome data breach breakdowns. Lots to be learned here.
Troy Hunt: Inside the Cit0Day Breach Collection
Awesome paper on unwanted app distribution on Android.
2010.10088.pdf (arxiv.org)
In the department of information disclosure department, we have a Go project that will look for URLs exposed by shortner services like bit.ly
utkusen/urlhunter: a recon tool that allows searching on URLs that are exposed via shortener services (github.com)
Have a great thanksgiving!
2e1f07a9-2777-4eef-87d4-b15507d5c0ec|0|.0|96d5b379-7e1d-4dac-a6ba-1e50db561b04
Tags:
by Bill Sempf
15. November 2020 13:12
caaef3d4-7d71-4ed5-a559-06dca59523e1|0|.0|96d5b379-7e1d-4dac-a6ba-1e50db561b04
Tags:
by Bill Sempf
8. November 2020 14:59
Compass Security built a really nice Burp plugin that helps with the reporting of findings by copying the request and response pair from various tools.
https://blog.compass-security.com/2020/10/burp-extension-copy-request-response/
Container Security is all the rage. Here is a good primer.
https://cloudberry.engineering/article/practical-introduction-container-security/
Random vulnerability names ... so hawt right now.
https://www.theregister.com/2020/11/03/cert_bug_names/
One of the Big 4 consulting/audit firms helpfully built a "test your Hacker IQ" quiz that exposes the DB username and password.
https://www.theregister.com/2020/11/05/deloitte_hacker_test/
I have written in this humble publication many times about my disdain over cryptic TLS vulnerabilities (pun intended) and now Let's Encrypt is going to cut off 30% of Android devices.
https://letsencrypt.org/2020/11/06/own-two-feet.html
That's the news, folks.
71137c37-4377-4ef1-a385-fdc9a18bde5c|0|.0|96d5b379-7e1d-4dac-a6ba-1e50db561b04
Tags:
by Bill Sempf
1. November 2020 11:51
Not a lot going on this week. Almost as if everyone has something else to think about.
Get your debugger on. Good two parter on getting your feet wet with a little close-to-the-metal code.
https://www.moritz.systems/blog/how-debuggers-work-getting-and-setting-x86-registers-part-1/
For the bounty hunters - Harvard publicked a guide to the legal risk involved in bug hunting.
https://clinic.cyber.harvard.edu/2020/10/30/cyberlaw-clinic-and-eff-publish-guide-to-legal-risks-of-security-research/
Writing Go code? Here's a new fuzzer for your Go apps.
https://adalogics.com/blog/getting-started-with-go-fuzz
That's the news folks. Have a great week!
85a3e67f-0691-4913-9634-13fb948a4775|0|.0|96d5b379-7e1d-4dac-a6ba-1e50db561b04
Tags: