• Leveraging AWS signed requests for Identity Proof

    I was working on an internal API that I wanted to make available for other ops team members. The security team has its own AWS account, and ops have their own AWS accounts, as do the various product teams and business units. I wanted to, with little effort, enable teams to use my API, which was built on AWS API Gateway + AWS Lambda. There is no need for granular authorization since the API is …

  • find directory on windows

    cd \
    dir openssl /AD /s
    

  • Setup ZAP baseline for CI & tracking with JIRA: Everybody loves JIRA tickets!

    Doing a baseline security scan of your web application before deployment is a simple way to improve the security of your application. Adding a scan to your CI as part of your SDLC makes it effortless to iterate and improve your application’s security. There are lots of options for scanning your web application, but in this post we’ll focus on scanning with OWASP ZAP! I’m going to walk through getting a basic scan setup and configured …

  • dig without dig

    curl -s -H 'host: dns.google.com' \
      'https://8.8.8.8/resolve?name=assets.github.com&type=NS' \
      | jq
    

  • Reverse Engineering the az-cli to use the python sdk: Figuring out how to use the azure-sdk for python

    For scripting things in AWS, switching between boto and the aws cli is seamless because they use the same interfaces. The name of the python module matches the subcommand in the cli, and the arguments and options all line up. This is not the case with Azure … There seem to be inconsistent names between the az-cli, azure-sdk & the Azure portal, which makes creating scripts a bit challenging. Additionally challenging, the docs are not fleshed …

  • Setup Windows 10 in Azure: Have an environment for testing apps without running a VM

    The other day I needed to test a Windows application, but I’m using a Mac. If you need to audit/test a Windows application on a Mac or Linux box, Microsoft provides some developer VM images you can use for free. I went ahead and downloaded the VM image for VirtualBox and started the VM. I allocated 3 cores and 8GB of RAM, thinking that should be enough power to test reasonably (I’m using MacBook …

  • Where does IP data come from? Find the sources of IP data sets

    I’ve wondered for quite some time, how do sites like get their data? Secondly, the question I had was “Could I gather/build out the data used by these sorts of services?”. Off the bat, looking at the data, I made the assumption that the ownership data is stored publicly or “premiumly” somewhere I could access, but where? So I did some digging around, and below are some of the datasets I discovered. ICANN runs IANA, which allocates …

  • Getting sneaky with DNS for SSRF: Understanding how fundamental technologies work goes a long way ...

    Generally, when I make http requests against a domain, I wouldn’t expect it to make requests on my localhost - but sometimes, just that happens. For getting sneaky with SSRF attacks you can have a DNS record point to 127.0.0.1. When a record pointing to 127.0.0.1 is resolved, your application will end up making requests to 127.0.0.1. For experimentation, I used one of Rapid7’s free datasets, & found the domain volks-seat.de pointing to 127.0.0.1. It never occurred to …

  • Design resources for developers: Design thinking can enable developers to be better developers

    As a developer, it is beneficial to understand the basics of design and how people digest information. You may think to yourself that you will never have to create a visual interface, but the reality is that even code has a visual aspect which impacts its consumption. A deeper understanding of visual perception can positively impact your code! Design is a mature industry with centuries of application and study. There are many tried and true principles …

  • Thinking about computer science? To computer, or not to computer, that is the question!

    My initial career plans were to get a degree in Mechanical Engineering. Plans didn’t go as planned, and I wasn’t quite mature enough to handle the level of rigor immediately outside of high school. My plans evolved into an art direction, since I always enjoyed art & I decided to ignore the $$$ (or lack thereof) problem with art careers. From art, I realized I needed to make some money, so I honed in on Graphic …

  • Naming Things! Labeling classes, methods, functions, variables, servers ....

    ** This is a work in progress, that mostly contains lots of good links ** It’s one of the hardest things you do as a programmer and also one of the most important aspects of writing code. Code is read 10x more than it’s written, so when you are writing you need to be very thoughtful of the future readers, which are yourself & others. You want your code to be very clear to readers, even if …

  • Inspecting Windows with cli! ... Windows isn't all that bad

    I’m pretty green when it comes to knowledge of windows commands & cli tools. From the security perspective, a large percentage of businesses/corporations run windows on their platform, so some basic tools to introduce ideas are helpful! With the command line you can use wmic or powershell to utilize WMI (Windows Management Instrumentation), which can give you insight into all sorts of things about your system! Get Windows Version: `> wmic os …`

  • Getting going with Jekyll: Jumping into THE static site generator

    I’ve been wanting to start blogging for quite some time and decided to finally make the jump. I’ve created countless WordPress sites for clients but wanted to go a different route for my own blog. I wanted to use a system that was simple and light, something I didn’t need a db for. I wanted something that would let me write markdown files and generate the site from there. Nowadays there are so many [static …
