One of the most interesting go gotchas is the nil-not-nil bug. This happens when a function declares an interface as its return type, but a concrete type is returned. As a result, the returned value can never be nil, leading to unexpected behavior and, yes, panics with an anarchistic flare. A lot of the documentation on this type of bug leaves a lot to the imagination, often making some generalizations that are not necessarily true. Read more

One of the most common bugs that you may encounter in go are race conditions. This is often the case when working with goroutines and non-atomic data types. Plenty of articles have covered goroutine race conditions, but why don’t we take another look and, this time, debug a couple race conditions to death by looking at what happens under the hood? Let’s take a look at a typical example. We will examine what happens when we dereference a method receiver and assign it an object that we later modify. Read more

The developer’s console is perhaps one of the most underutilized tools by application security professionals. Yet, there is a great deal of information that can be learned about a web application by dynamically exploring its client-side code from the console. Depending on how front-end code is loaded in the browser, you may manipulate the application’s behavior by calling functions built-in by their developers. This can be extremely useful when testing authentication and authorization issues in a web application. Read more

I would like to introduce Gorp, A modular bug hunting, pentesting, and web application reverse engineering framework written in Go that I have been working on for the past few months. The idea of gorp came up as I started exploring the Chrome Dev Tools protocol and how to use it in my pentesting and bug hunting work. If you want to learn more about how that came about you can read this blog post. Read more

Creating your email may be seen as equivalent to making your own cheese, or crafting your own beer: it is kinda of hipster thing. There are so many email services out there so why would you spend the time to do that? What I like about it is that it allows me to learn to work with OpenBSD through a fun, useful project, and it’s kinda of radical thing to do. Read more