October 9, 2018

Chrome Devtools Fun With Golang

I recently found this article about using the Chrome DevTools protocol to intercept and modify traffic. I found the article very enlightening given that the technique can allow pentesters to use complex logic when intercepting and modifying web requests. And yes, you can capture, intercept and modify traffic with tools like Burp, but you often have to rely on a heavy GUI and complex regex rules (and while I find regex very useful for my work, I don’t find it fun to work with it!

September 8, 2018

Hunting for Angular Based Bugs With the Browser Console

One of the least appreciated tools that are available to pentesters is the browser console. Every browser has it, allowing you to not only read comments that developers forgot to remove (as often features get pushed to production faster than they can be tested), but also manipulate the behavior of the application at runtime by making use of functions and variables written by the frontend programmers of the application. This is one of my favorite tools to use when testing AngularJS applications.

September 8, 2018

Building a .NET Core MVC Webshell

Some time ago I decided to create a dotnet core webshell. The idea came from a co-worker, who, while participating in a security hackathon, mentioned how difficult it is to find .NET webshells for LFI and RFI attacks. This is true, as most webshells that you can find online are for PHP, as web penetration testing is usually taught with vulnerable PHP web applications. I decided to try to solve this problem and share the code with whoever stumbles upon this post.

May 7, 2018

Speeding up your API calls with goroutines

I recently started working on an API client with command line tools for Tenable.io called tenago. Tenable.io is a cloud-based vulnerability assessment solution based on Nessus. The application consists of two main components: a client API, and command line utilities to perform tasks such as querying all your assets, target groups, etc. Everything was going fine until I wrote a feature that queries all configured scans.

April 27, 2018

Quickly Converting Suppression to Filtering Rules Using Burp in USM Anywhere

The suggested method for creating filtering rules in USM Anywhere is to start by creating suppression rules. Events that get suppressed by any given rule are still stored in USM Anywhere but get hidden from event views. The advantage with suppression rules is that you can first make sure that your rules work as expected before creating filtering rules, as filtered events do not get stored or processed. If you want to see if your suppression rules are working as expected, you would simply go to an events view and add a new filter called “Suppress Rule Name”:

© hex0punk 2023