#39

HACKING GOOGLE

HACKING GOOGLE is a video series on YouTube from Google about Google’s security - what teams it has, what they do, and what their responsibilities are. It’s really nicely filmed and edited - without question, by a professional filmmaker. Don’t, however,...

Preparing a resume

Shawn Thomas, Director of Forensics and IR at Yahoo!, created a thread about preparing a resume. Among other tips, he recommends putting things like labs, side projects, CTFs, and the like on it if you have no practical experience relevant to the job. I believe that’s one...

A tool for Nginx bugs and misconfigs

Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulnerabilities. I’m happy to see it because I’m quite bad with all the bugs having to do with reverse proxies, and Nginx is one of the most popular ones. https://github.com/stark0de/nginxpwner

Hiding parameters from ModSecurity WAF

More interesting WAF bypasses were discovered during the 1337up0522 live hacking event. This time, the finder is terjanq, who came out of CTF retirement for a few hours and smashed the hardest web challenges on SEKAI CTF, which I played with JustCatTheFish....

RFC-induced SSRF

Sometimes, we see an absolute URI in the request line. I have seen this trick used a few times, for example when exploiting request smuggling: the server then sends the request to your host and not to the one from the Host header. I never thought about why it works and...
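As an added illustration (this is not code from the newsletter or from the linked post): the rule behind the trick is RFC 7230 §5.4, which says a proxy that receives an absolute-form request-target MUST ignore the Host header and use the host from the request-target, together with §5.5, which makes the request-target itself the effective request URI whenever it is in absolute-form. The script below, with constructed sample requests and placeholder hostnames, parses a raw HTTP/1.1 request, derives the host an RFC-compliant intermediary will actually connect to, and contrasts a Host-header-only allowlist check with one applied to that effective host.

```python
# Added example (not from the newsletter): why an absolute-form request line
# overrides the Host header, and what a Host-only allowlist check misses.
#
# RFC 7230 §5.3.2 defines absolute-form ("GET http://host/path HTTP/1.1").
# RFC 7230 §5.4: a proxy receiving absolute-form MUST ignore the Host header
# and use the host from the request-target.  RFC 7230 §5.5: the effective
# request URI is the request-target itself when it is in absolute-form.
from urllib.parse import urlsplit

# Constructed sample requests; the hostnames are placeholders, not real targets.
ORIGIN_FORM_REQUEST = (
    b"GET /api/v1/items HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"\r\n"
)
ABSOLUTE_FORM_REQUEST = (
    b"GET http://collaborator.example/probe HTTP/1.1\r\n"
    b"Host: app.example\r\n"  # looks fine to a check that only reads Host
    b"\r\n"
)
ALLOWED_HOSTS = {"app.example"}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, request-target, version, headers)."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def is_absolute_form(target: str) -> bool:
    """True for 'scheme://authority/path' request-targets (RFC 7230 §5.3.2)."""
    return "://" in target and not target.startswith("/")


def host_from_authority(authority: str) -> str:
    """Lowercase hostname from 'host[:port]', IPv6 literals included."""
    return urlsplit("//" + authority).hostname or ""


def effective_host(raw: bytes) -> str:
    """Host the request is actually for, following RFC 7230 §5.4 and §5.5."""
    _method, target, _version, headers = parse_request(raw)
    if is_absolute_form(target):
        # Absolute-form: the request-target's authority wins and Host is ignored.
        return urlsplit(target).hostname or ""
    return host_from_authority(headers.get("host", ""))


def host_header_allowed(raw: bytes, allowed: set) -> bool:
    """The flawed check: it trusts the Host header alone."""
    _method, _target, _version, headers = parse_request(raw)
    return host_from_authority(headers.get("host", "")) in allowed


def effective_host_allowed(raw: bytes, allowed: set) -> bool:
    """The check that matches what a compliant proxy will actually connect to."""
    return effective_host(raw) in allowed


if __name__ == "__main__":
    for name, req in (("origin-form", ORIGIN_FORM_REQUEST),
                      ("absolute-form", ABSOLUTE_FORM_REQUEST)):
        print(f"{name:14s} Host-only check passes: "
              f"{host_header_allowed(req, ALLOWED_HOSTS)}  "
              f"effective host: {effective_host(req)}  "
              f"effective-host check passes: "
              f"{effective_host_allowed(req, ALLOWED_HOSTS)}")
```

The second request passes the Host-only check yet resolves to collaborator.example, which is exactly the gap the absolute-URI trick exploits: whatever sits in front of the application validates one field while the forwarding logic honours the other. CONNECT's authority-form request-target is not modelled here; it follows the same precedence.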

The hardest CTF task I’ve ever done

Last week, I published a video about a crazy CTF task that we solved, “we” being me and the JustCatTheFish team, with which I play as a guest. The tasks on a real, ranked CTF were really hard, but that just makes solving one more satisfying. This challenge involved two...

Setup for testing authorization bugs

Authorization testing is one of the vulnerability classes I rather dislike because it involves doing the same thing many times, hoping that one time it will work. It is often very time-consuming. However, over the years, I have become more effective at it. Today, I will share...