June 13, 2024

Enhancing Go Fuzzing: Using Wally for Strategic Planning and Fault Tolerance Analysis

TL;DR: Go’s native fuzzing library has simplified embedding fuzzing harnesses, but strategic planning is key to effective fuzzing efforts. By using Wally, we can identify critical paths and evaluate the impact of panics, ensuring our fuzzing efforts are both targeted and efficient. Exposition: While Go-fuzz was and continues to be an approachable tool for writing fuzzing harnesses, the introduction of the native fuzzing library in Go 1.18 made fuzzing increasingly easy and developer-friendly.

January 9, 2024

Statically detecting and mapping HTTP and RPC endpoints in Go code

TL;DR: For the past few months, I have been working on a static analysis tool to help me quickly map HTTP and RPC calls in complex codebases. I decided to call this tool Wally. I designed Wally to aid in code reviews and threat modeling by determining how HTTP or RPC endpoints are connected in large codebases. Wally can be helpful, particularly when working with monorepos containing multiple microservices, as navigating and securing the intricate web of HTTP and gRPC communications can be a challenge.

March 5, 2023

Intro To Hardware Hacking - Dumping Your First Firmware

IoT security is an exciting field that opens up the doors to a lot of interesting research. When you dive into the rabbit hole of hardware security, you’ll encounter a whole array of engaging and varied challenges: Bluetooth sniffing, Software-Defined Radio, ARM exploitation, reverse engineering, and a whole lot of hardware tinkering and breaking. However, knowing where to start can be confusing and difficult, so we will help you get started by showing you how to dump firmware from an IoT device.

March 4, 2023

Angular for Pentesters 2

Note: I originally published this under the web page of one of my previous employers. Since then, the company was acquired and their page was taken down. I decided to re-post this here as it is one of my most referenced posts, and the content is still applicable. In our previous blog post, we discussed how Angular and AngularJS applications are generally structured from an application security point of view. This time, we will explore different ways in which we can dynamically debug Angular applications whether the code is minimized or not.

March 4, 2023

Angular for Pentesters 1

Note: I originally published this under the web page of one of my previous employers. Since then, the company was acquired and their page was taken down. I decided to re-post this here as it is one of my most referenced posts, and the content is still applicable. The web is a playground of ideas (both good and bad), technologies, bugs, and well, a LOT of fancy JavaScript frameworks. One of the most popular web frameworks today is Angular, a platform that simplifies the development of front-end web applications through a set of prescriptive patterns.

© hex0punk 2023