A CSP is the seatbelt for client-side attacks like Cross-Site Scripting and Clickjacking. It is really common to find a CSP which allows loading of resources only from specific domains, in order to limit the attack surface. But why use schemes?
Read More »Scheme is CSP’s Weakest Link
Burp Suite, our favorite proxy is used for every assessment which uses HTTP communication. Sometimes though, a client-side certificate is required and Burp Suite by default, does not support PKI certificate files.
Read More »How to use PKI cer, pem and key files with Burp Suite
This is the third part of the Smart Contracts series where issues about smart contracts are broken into small chunks. All the examples were run in my local blockchain using Ethereum’s remix IDE. How does an overflow really occur?
Read More »Exploit Integer Overflow and Underflows in Smart Contracts
Smart contracts are used by Ethereum to handle processed based on transactions. Many companies, banks and crypto enthusiasts use them for selling their services or products. Those contracts are written by developers and some of those contains vulnerabilities. One of those is the Visibility issue.
Read More »Exploit and Remediate Function Visibility Vulnerabilities in Smart Contracts
Recently I wanted to test an Android application and had to use an Android Emulator. While Android Studio’s emulator works fine, I had difficulties making it run because you can either have it rooted without Google Play Services or with Google Play Services but not rooted.
Read More »Setting Up BurpSuite as a Trusted Root CA in Genymotion Emulator
Burp Suite is the most used web proxy for web application assessments. In an assessment, the configuration of the application required me to use Platform Authentication with NTLM to authenticate. When doing that I got 401 error when JS and CSS files were requested.
Everyone’s favorite Burp Suite, recently released their new API for interacting with Burp. The old API aka the “Wiener” API, was there from the release of Burp, but in 2022 the new “Montoya” API came out.
Smart Contracts, the self-executing code running on blockchain platforms, have revolutionized various industries by automating processes and providing decentralized solutions.
Read More »Exploit and Prevent Reentrancy Attacks in Smart Contracts
During a web assessment is common to find some outdated JavaScript library. I like to showcase the version of the outdated library in a console print with the URL where it loaded. Below is the list of console commands, to get their versions.
Read More »How to print the version of JavaScript libraries in console
As a network security professional or system administrator, you know the importance of regular port scans to assess your network’s security posture.
Read More »Visualize Your Nmap Scan Results with Nmap Peek for VSCode