security

  • Setup ZAP baseline for CI & tracking with JIRA - Everybody loves JIRA tickets!

    Doing a baseline security scan of your web application before deployment is a simple way to improve the security of your application. Adding a scan to your CI as part of your SDLC makes it effortless to iterate on and improve your application’s security. There are lots of options for scanning your web application, but in this post we’ll focus on scanning with OWASP ZAP! I’m going to walk through getting a basic scan set up and configured …

  • Getting sneaky with DNS for SSRF - Understanding how fundamental technologies work goes a long way ...

    Generally, when I make HTTP requests against a domain, I wouldn’t expect it to make requests to my localhost - but sometimes just that happens. For getting sneaky with SSRF attacks, you can have a DNS record point to 127.0.0.1. When a record pointing to 127.0.0.1 is resolved, your application will end up making requests to 127.0.0.1. For experimentation, I used one of Rapid7’s free datasets, and found the domain volks-seat.de pointing to 127.0.0.1. It never occurred to …