Verifying Insecure SSL/TLS protocols are enabled

If a vulnerability scanner tells you that a website supports an insecure SSL/TLS protocol it is still on you to verify that this is true. While it is becoming rarer, there are HTTPS services which allow a connection over an insecure protocol. However, if you issue an HTTP request it will respond to the user… Continue reading Verifying Insecure SSL/TLS protocols are enabled

API testing with Swurg for Burp Suite

Swurg is a Burp Extender designed to make it easy to parse swagger documentation and create baseline requests. This is a function that penetration testers need if they are being asked to test an API. Our ideal pre-requisites would be: A Postman collection with environments configured and ready to go valid baseline requests. Ideally setup… Continue reading API testing with Swurg for Burp Suite

Captain’s Log: October 2020

The Good 10k a day steps challenge - Completed for another month. There were some tricky days. Some extremely tricky days where I was just stressed beyond belief and somehow managed to fight fatigue to stay on target. Probably the hardest month to be fair. The idea of hitting 22 active minutes a day was… Continue reading Captain’s Log: October 2020

Basic code review tools for Ruby

This blog post is to document how to get started analysing a Ruby code base for trivial security vulnerabilities. Particularly in the case, like me, when you have absolutely no ability in Ruby. If you are being asked to do an actual code review then I feel sorry for you dear reader. This will help… Continue reading Basic code review tools for Ruby