Containers are yet another topic that is getting more and more popular among developers. That means we, as security people, should also understand what’s going on. Containers solve a lot of problems, so in my opinion they won’t lose popularity anytime soon. If you want...
#18
Kubernetes security resources
Kubernetes is definitely a hot topic in IT. If you are a bit bored with what you have been doing for years or you are looking for new opportunities, Kubernetes can give you a strong position on the job market. If you are looking for resources to dig deep into its...
Cryptography bugs explained without complex maths
For a long time, I knew absolutely nothing about cryptography. At the beginning of my pentesting job, if I saw encrypted data, the only bug I could think of was leaking the key. If I couldn’t find that, I’d just assume it was secure. One of the reasons was that whenever I...
Grafana path traversal
Recently, a path traversal bug was discovered in Grafana. There’s a really good blog post about discovering the bug: https://j0vsec.com/post/cve-2021-43798/ You can also watch Nahamsec’s video about identifying and exploiting this bug:...
Dealing with difficulties in bug bounties
At Ekoparty Security Conference, zseano gave a talk, “Staying sane in bug bounties”, in which he shared some tips on doing bug bounties and dealing with the difficulties that you will sooner or later encounter. Here are my notes from the talk. Issues you may face: Some of the...
10 security pitfalls of Python
This article will be useful for hacking apps in any language! There’s a list on the SonarSource blog of quirks and unexpected behaviours of Python that can mislead developers and result in security vulnerabilities. The article is so good! Even if you know nothing...
Finding DOM-XSS with DOM Invader
DOM Invader is 2021’s addition to Burp Suite. If you are a long-time reader of the newsletter, you know how highly I rated filedescriptor’s Untrusted-Types for finding DOM-XSS. Well, DOM Invader is even better. I’ll walk you through how to use it. Enabling DOM...