January 9, 2024

Statically detecting and mapping HTTP and RPC endpoints in Go code

TL;DR For the past few months, I have been working on a static analysis tool to help me quickly map HTTP and RPC calls in complex codebases. I decided to call this tool Wally. I designed Wally to aid in code reviews and threat modeling by determining how HTTP or RPC endpoints are connected in large codebases. Wally can be helpful, particularly when working with monorepos containing multiple microservices, as navigating and securing the intricate web of HTTP and gRPC communications can be a challenge.

March 5, 2023

Intro To Hardware Hacking - Dumping Your First Firmware

IoT security is an exciting field that opens up the doors to a lot of interesting research. When you dive into the rabbit hole of hardware security, you’ll encounter a whole array of engaging and varied challenges: Bluetooth sniffing, Software-Defined Radio, ARM exploitation, reverse engineering, and a whole lot of hardware tinkering and breaking. However, knowing where to start can be confusing and difficult, so we will help you get started by showing you how to dump firmware from an IoT device.

March 4, 2023

Angular for Pentesters 2

Note: I originally published this under the web page of one of my previous employers. Since then, the company was acquired and their page was taken down. I decided to re-post this here as it is one of my most referenced posts, and the content is still applicable. In our previous blog post, we discussed how Angular and AngularJS applications are generally structured from an application security point of view. This time, we will explore different ways in which we can dynamically debug Angular applications whether the code is minimized or not.

March 4, 2023

Angular for Pentesters 1

Note: I originally published this under the web page of one of my previous employers. Since then, the company was acquired and their page was taken down. I decided to re-post this here as it is one of my most referenced posts, and the content is still applicable. The web is a playground of ideas (both good and bad), technologies, bugs, and well, a LOT of fancy JavaScript frameworks. One of the most popular web frameworks today is Angular, a platform that simplifies the development of front-end web applications through a set of prescriptive patterns.

August 31, 2021

Into the rabbit hole of nil-not-nil bugs in Go

One of the most interesting Go gotchas is the nil-not-nil bug. This happens when a function declares an interface as its return type, but a concrete type is returned. As a result, the returned value can never be nil, leading to unexpected behavior and, yes, panics with an anarchistic flair. A lot of the documentation on this type of bug leaves a lot to the imagination, often making some generalizations that are not necessarily true.

© hex0punk 2023