Cheat sheets

The book of secret knowledge

This GitHub repo contains a mass of links and resources from the security world. Everything in one place. For us, the most interesting chapter is of course Hacking/Penetration Testing and specifically: Pentesters arsenal tools - you will definitely find here some...

Salesforce Lightning Components Security

In my previous job, we had quite a lot of Salesforce applications for testing. A big part of them used Lightning Components and I will tell you that the bodies of those requests were a complete mess! There were tons of parameters but only a few were actually relevant....

All you need to know about reverse proxies

Almost all applications these days use some kind of reverse proxy. The more components, the more vulnerabilities and reverse proxies are not an exception. Whereas there are many benefits of using them, vulnerabilities like request smuggling, cache poisoning or...

CI/CD Pipeline threat matrix

As we see from Dependency Confusion or “CI Knew There Would Be Bugs Here” — Exploring Continuous Integration Services as a Bug Bounty Hunter, CI/CD security is at least as important as the security of the application itself. At my last job, I was learning about these...

Session tokens resources

I have a few good resources about different kinds of session cookies/tokens/API keys or whatever you want to call them. There are many types of bugs you can find there and very often they have a big impact. Let's start with what types of tokens are even there....

Learning path for mastering containers

Containers are yet another topic that gets more and more popular among developers. It means that we, as security people, also should understand what’s going on. Containers solve a lot of problems so in my opinion - they won’t lose popularity anytime soon. If you want...

Kubernetes security resources

Kubernetes is definitely a hot topic in IT. If you are a bit bored with what you have been doing for years or you are looking for new opportunities, Kubernetes can give you a strong position on the job market. If you are looking for resources to dig deep into its...

Attacks on CI/CD pipelines

I think that as web applications become more and more secure, we will start focusing more and more on the security of the whole development lifecycle. That includes attacks on CI/CD pipelines. I covered one such attack recently in my video Injecting code into...

Common ENV variables with sensitive information

Every once in a while we encounter a bug that allows us to exfiltrate environment variables. It sounds cool and is easy to prove but what’s the real impact? It depends on what environment variables are defined. Maciej Pulikowski created a list of commonly used...