Monday, December 18, 2023

Security Testing Journal Entry | w/e Friday December 15, 2023 - "So Meta, So betta" ed.

Highlights for the week

Intentionally late post this week as I wanted to dedicate this entry to a really cool MetaCTF "Capture The Flag" event I participated in over the weekend and wanted to regale you with my tales of woe. I was part of a team from a group of people I met long before. I got some early wins with a few of the CTF tasks I took on. My teammate carried the team. He was phenomenal. While he took the Binary/Reverse Engineering challenges, some of the ones I took included:

  1. Decoded binary with https://cryptii.com/pipes/binary-decoder
  2. Find the IP for a given web domain - I used ping
  3. Find the hash used for a given value - $2y identifies this as Blowfish/bcrypt (see https://unix.stackexchange.com/questions/430141/how-to-find-the-hashing-algorithm-used-to-hash-passwords)
  4. “Captured in Transit” - find the flag in a PCAP file {A fun one with Wireshark, filter by HTTP}
  5. “Magically Mathematical” - web exploit {I struggled with this one, but it wasn't hard}
  6. “Validation” - XML injection {I knew it was an XXE vulnerability, but I couldn't get it to work. My teammate did}
  7. “Racer ….” - modifying the cart to add money and buy the item {I knew the solution was to modify the payload, but it didn't work for me}
  8. “WAF” - trying to find the flag on a site that is protected
  9. “Connecting to remote network (hops)” {this one was fun}
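As an added illustration of item 3 (example code, not part of the original post), here is a small Python helper that recognises crypt-style password hashes by their `$id$` prefix and, for bcrypt, pulls out the cost factor, salt and digest. The prefix table and the sample hash in the usage block are constructed for this example; the sample has the right shape for a bcrypt string but is not the output of a real bcrypt run.

```python
import re

# Identifiers from the Modular Crypt Format family ("$id$..."). Constructed table
# for this example; it covers the common ones seen in /etc/shadow and web apps.
_MCF_IDS = {
    "1": "MD5-crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "SHA-256-crypt",
    "6": "SHA-512-crypt",
    "7": "scrypt (Unix crypt)",
    "y": "yescrypt",
    "argon2i": "Argon2i", "argon2d": "Argon2d", "argon2id": "Argon2id",
}

# bcrypt layout: $2[aby]$<2-digit cost>$<22-char salt><31-char digest>, 60 chars total,
# salt and digest in bcrypt's own base64 alphabet (./A-Za-z0-9).
_BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Unsalted hex digests carry no identifier, so length is the only (weak) signal.
_HEX_BY_LEN = {
    32: "MD5 or NTLM (by length only)",
    40: "SHA-1 (by length only)",
    64: "SHA-256 (by length only)",
    128: "SHA-512 (by length only)",
}


def identify_hash(h: str) -> dict:
    """Describe the format of a stored password hash.

    Returns a dict with at least an 'algorithm' key. For bcrypt the cost, salt
    and digest are split out, and 'rounds' gives the 2**cost work factor.
    """
    h = h.strip()
    m = _BCRYPT_RE.match(h)
    if m:
        variant, cost, salt, digest = m.groups()
        return {
            "algorithm": "bcrypt",
            "variant": variant,
            "cost": int(cost),
            "rounds": 2 ** int(cost),
            "salt": salt,
            "digest": digest,
        }
    if h.startswith("$"):
        # "$6$salt$hash".split("$") -> ['', '6', 'salt', 'hash']
        ident = h.split("$")[1]
        name = _MCF_IDS.get(ident)
        return {"algorithm": name or "unknown MCF identifier", "identifier": ident}
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return {"algorithm": _HEX_BY_LEN.get(len(h), "unknown hex digest"), "hex_len": len(h)}
    return {"algorithm": "unknown"}


if __name__ == "__main__":
    # Constructed sample: bcrypt-shaped ($2y$, cost 10) but not a real bcrypt output.
    sample = "$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
    for candidate in (sample, "$6$saltsalt$notarealhash", "5d41402abc4b2a76b9719d911017c592"):
        print(candidate[:24], "->", identify_hash(candidate))
```

The cost field is the part worth checking in a CTF or a real assessment: bcrypt does 2**cost key-expansion rounds, so "$2y$04$" is sixteen times cheaper to crack than "$2y$08$", and a hex string with no prefix tells you only its length, never whether it was salted.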

Overall, this was a great CTF experience compared to last time. The challenges were less intimidating. The buzzkill was the performance issues with some of the servers, making access to the challenges involving them all but impossible. 9/10 would recommend.

What We Loved

  1. CTF challenge was a highlight
  2. Going on another cruise for x-mas vacation

What We Learned

  1. Part of the CTF challenges meant learning some fun concepts. As always, when in doubt - google it.
  2. ISC(2) - Still moving through the modules
  3. Burp Suite - Finishing the modules on Access Control Vulns. Along with the Business Logic, these were super relevant.
  4. PW w. JS - Finished Adding API tests for basic features + Security. Moving along quite nicely through E2E flows.
  5. Cult.ure - Added notes, but fell behind on writing .. sorry!
  6. Husb - continued with 'Judicio', need to wrap that up

What We Longed For

  1. As always, a job and a paycheck.

What We Loathed

  1. Recruiter ghosting. But then I've become indifferent to the whole thing.

Friday, December 8, 2023

Security Testing Journal Entry | w/e Friday December 8, 2023 - "Ghosts Everywhere" ed.


Highlights for the week

Some peculiar highlights this week as the prime focus was on API testing (automation, performance, security). Hacking (dare I call it that) is a beautiful art. The discipline fascinates me the more I learn. Non sequitur: I didn't get much writing done this week. The other tasks were a bit more time-consuming than I wanted.

What We Loved

  1. This time last week, I had a brilliant idea for Cult.ure - wrote it down for future use.
  2. Since my friend turned me on to "The Secret", I've been feeling a lot more positive about things. My dream job is coming

What We Learned

  1. Coursera - Finished (mentioned last week)
  2. ISC(2) - Week-4 Module on Network Security will be broken up into two parts ... it's huge!
  3. Burp Suite - Double-duty with API testing and Web App vulnerabilities as they pertain to business-logic flows.
  4. Automation - Huge Wins this week pertaining to Playwright w. Javascript. API Testing + API Security Tests for the win!!
  5. Cult.ure - Paused. Need to get back into it this weekend.
  6. Pen Testing - As promised, started a cursory PT with the same site I'm conducting automation (FE/API) tests on. Work in progress!

What We Longed For

  1. A Job ... as always

What We Loathed

  1. Ghosting candidates ... this sh@#$% has got to go! People are dependent on others for work and when the agent that handles that can't follow up .. ugh!

Sunday, December 3, 2023

Security Testing Journal Entry | w/e Friday December 2, 2023 - "Goals Set vs. Goals Met" ed.


Highlights for the week

Going to pivot away from the usual format to review my goals set vs goals met to close out the month.

  1. GOAL SET: Finished Coursera - Module 1. GOAL MET: Yes. There are 8 more modules .. unsure if I plan to keep it going.
  2. GOAL SET: ISC(2) - Chapter 3. GOAL MET: Yes. On deck - Chapter 4 - Network Security
  3. GOAL SET: Burp Suite Cert Labs. GOAL MET: No. I am progressing through the module for "Business Logic Vulns." super relevant!!
  4. GOAL SET: Practice Pytest. GOAL MET: No. Pivoted to Playwright with Javascript .. so much fun.
  5. GOAL SET: Pen Test Practice GOAL MET: In Progress. Parallel Security testing along with PW/JS Automation Practice, applying the "Bus. Logic Vulns." from Burp Suite.
  6. GOAL SET: Cult.ure - Chapter-29 GOAL MET: Yes. The story is evolving really nicely. Found a couple of spinoffs, trying to rein the story in to stay in scope.
  7. GOAL SET: Job Follow Up. GOAL MET: Yes. Recruiter failed to respond. No new prospects. Planning to dial back the search.

Thursday, November 23, 2023

Security Testing Journal Entry | w/e Friday November 24, 2023 - "Thanksgiving Ed."


Highlights for the week

Huge wins this week! A recruiter reached out and they're forwarding my resume for another look. Hoping something happens. Been reading "The Secret" and it's eye-opening. Learning some new skills with NoSQL Vulnerabilities. Gratitude might just be my new perspective.

What I'm grateful for - Unemployment had to happen to me for the following reasons:

  1. Meeting new people and making new connections
  2. Writing a book
  3. Reading more
  4. Reassessing my career goals
  5. Building some great skills I wouldn't have had before
  6. Self-Improvement (finally getting the chance to work through some personal traumas)
  7. Acquiring a mentor
  8. Getting to be a mentor to a great number of people
  9. Some tremendous vacation memories (i.e., Halloween 2023 at Universal Orlando; Chichen Itza; Galaxy's Edge)

What We Learned

  1. Coursera - Learned about AI & Machine Learning as it relates to Cybersecurity
  2. ISC(2) - Another series of modules on Incident Response ... very high-level
  3. Automation - Practicing Python; About to learn how to use it with SQL
  4. Automation (Mobile) - Got iOS App / XCode working
  5. Burp Suite - Learning NoSQL Vuln. (cont.)
  6. Cult.ure - story is really coming along - found another spin off

What We Longed For

  1. As always .. waiting for a job to manifest. The ideal is Junior Pen Tester
  2. Finished Sec+ .. need to find practice exams and $$ for the certification

What We Loathed

Some d-head on Reddit dared to use my lapse in employment against me to support their weak argument. Honestly f** that guy! I'm running my own race.

Friday, November 17, 2023

Security Testing Journal Entry | w/e Friday November 10/17, 2023


Highlights for the week

November has begun and so have new rounds of layoffs at different companies. The job market is flooded and the scraps of job ads are super-specific on skills I don't have. The money situation is worse than bad. Getting close to 400 jobs applied to, very little response. I made some random changes to my LinkedIn profile and instantly received a couple of recruiter calls.

Security testing remains in progress. I'm waiting to find new Security+ practice exams. Meanwhile, I'm steadily into ISC(2) and Coursera course. Burp Suite remains in progress. Have not made moves regarding looking to take the Certification yet. Need to make time for practice. I need the reps.

What We Loved

  1. A friend handed me a book that has become inspirational. More on that later.

What We Learned

  1. ISC(2) - Chapter-1, Modules 1 - 3
  2. Coursera - Week02 Module
  3. BurpSuite - File upload validation
  4. Automation - Attempted BDD; Started on XCode/XCui
  5. Cult.ure - Chapter-27/28 in full swing.

What We Longed For

  1. I really madly, truly, deeply need a job. I may have to take out another convenience check, but that's putting me in a bind.
  2. Need to practice Security Testing. I've paused on pen testing for Burp Suite. It's been helpful.

What We Loathed

  1. Being broke!

Saturday, November 4, 2023

Security Testing Journal Entry | w/e Friday November 3, 2023 - CTF Experience, pt. 2 - "Key Losses"


Highlights for the week

Week started off cold, wet, dreary, and rainy - the perfect fall soup. It also started with me getting bumped from the team I spoke so fondly of. I have no one else to blame since I may have overallocated myself to a project I really had no time for nor did I have experience with. Simply put, I was out of my depth. I am also not fond of losing perfect weekend weather to sit in front of a computer for no money. I feel a little sad at the outcome, but I'm not sorry. I have bigger problems to solve .. namely my lack of employment.

What We Loved

  1. Finally finished with Security+

What We Learned

  1. CTF Teams - never commit if you can't follow through [Update] back on the team .. need to get my environment up to snuff!!
  2. Security+ - Done with the videos. Onto taking the practice exams
  3. Coursera - Started the lessons with Security in Windows
  4. ISC2 - started the course
  5. Automation - paused! Security was the focus
  6. Burp Suite - Finished password hacking. Onto the next
  7. Cult.ure - moving at a glacial pace due to shifting priorities

What We Longed For

  1. As always, a job! Will I ever land one

What We Loathed

  1. ..the entire recruitment process. Been getting rejected consistently or haven't gotten a reply, only to see the role I applied to get reposted. Seriously!? WTF!!

Monday, October 30, 2023

Security Testing Journal Entry | w/e Friday October 27, 2023 - CTF Experience, pt. 1 - "Small Wins"


Highlights for the week

An interesting thing happened this week that I want to share, but rather than blather on about it, I'll just leave this link here: CAPTURE THE FLAG CAPTURED MY HEART!!

What We Loved

  1. Meeting new people and becoming part of a capture-the-flag event

What We Learned

  1. CTF - Malware Analysis, Extracting Binary Files, Using Snyk, Using an Audio file to perform an exploit, and Discord "Snowflakes" to name a few...
  2. Security+ - Continued GRC .. home stretch. Signed up for ISC2 and Coursera
  3. Automation BDD - paused, but started the learning process
  4. Burp Suite - lots of tests surrounding reflected XSS
  5. Cult.ure - Chapter 26 is moving along at a snail's pace because .. story keeps evolving!

What We Longed For

  1. As always, a job! Will I ever land one

What We Loathed

  1. Rejection letters w/o a chance to get an in-person interview
  2. Recruiters that fail to follow through on their word

Friday, October 20, 2023

Security Testing Journal Entry | w/e Friday October 20, 2023 - "The Apocalypse Is Neigh"


Highlights for the week

On a current event tip, an Islamist terrorist group attacked an Israeli party killing thousands and wounding several more. Lots of saber-rattling going on and there's no sign of a cease fire. It has the perfect concoction of a world war. And we're giving away $100M ... money the US could use.

On a personal tip, I'm ending the week on a high. A recruiter reached out and I'm in the throes of an interview process with NBC - Peacock. I've also had the fun privilege of joining a CTF team for Huntress.

What We Loved

  1. Member of a cool CTF Team
  2. Interviewing for a cool job
  3. Sat through an awesome webinar for Secure Ideas .. met some great people

What We Learned

  1. Security+ - I'm in the final lap of the Cert. Going through GRC .. learning a ton!
  2. Participated in a Snyk CTF challenge. It was the same as the last time I did it, but met cool people.
  3. Pen Testing - Managed to pull in some Burp Suite labs for the week.
  4. Automation - Started BDD ... came to find out the job doesn't use Cucumber. The decision now is whether to keep going or pause. My time is finite; WebdriverIO is still paused.
  5. Cult.ure - Chapter 26 is in full swing. It's a slog considering the characters I've introduced and the direction the story is going.

What We Longed For

  1. Appium isn't working anymore. Not concerned but also not happy about that.
  2. Hoping the job works out .. it's 13 months, no pay. The finances have me covered for another month. Not going through the holidays broke!

What We Loathed

  1. The whole job search process is the literal worst.

Friday, October 13, 2023

Security Testing Journal Entry | w/e Friday October 13, 2023 - "Dank Week, Pt.2"


Highlights for the week

Not many highlights this week. Sleep quality has been trash. Haven't been in a proper headspace. Job prospects are dismal.

It's not all bad. I did finish the 4th module for Sec+, met with my mentor and discussed remediation, and learned something new with Burp Suite. I should get back into automation with WebdriverIO but my heart just isn't in it anymore.

The irony of looking for a job you no longer want to do is that it may help reinforce what you need to know. In the meantime, the pen testing grind and the job search grind continues.

Monday, October 9, 2023

Security Testing Journal Entry | w/e Friday October 6, 2023 - "Dank Week, pt. 1"


Highlights for the week

Short, late post. Not a lot to cover since the priority for the second week in a row was the job search. Once again, there seems to be a valley between recruiters who feel everything is fine, and candidates who know the recruitment process is broken. One can meet 100% of the basic qualifications and still never get a call. Candidates have resorted to games and "hacks" to circumvent the resume scanners and reach the Applicant Tracking System (ATS).

Then there's the endless stream of conflicting recruiter advice. Some say "x", others say "y". The "x" people think the "y" people are spreading misinformation, and vice-versa. It's super-confusing. The weeks are ticking away and quickly becoming months. I have 1 month left of financial reprieve before I'm in the absolute shits again and no closer to landing anything. Not even so much as a blip on the radar.

It has been a hard week. I've been unmotivated, frustrated, and anxious. Sleep has been decent, but inconsistent in terms of waking up. Workouts have been great. I have to do better in terms of time management and quality output. I'm spending good time learning a bunch of different things, but an hour or two sprinkled across too many tasks isn't working. The bulk of my time is the job search, so everything that comes after is inconsequential. That being said, I need to just realign my time and focus on 1 thing rather than a bunch of little things spread across the week.

Which brings me to my second pen testing effort. I learned to run the scan and realized it doesn't pick up much of what, it was proposed, should have been caught. I've spent the time researching the issues found hoping to recreate them manually, to no avail. I've recorded the findings and will declare that site "tested". On to the next one. I've researched new certifications but it all comes back to money I don't have and time better spent "doing" rather than "learning".

A dank week to say the least. I can't say I hit all the goals I set out to hit. But I did have some small wins as it relates to rebuilding the webdriverIO test framework.

Friday, September 29, 2023

Security Testing Journal Entry | w/e Friday September 29, 2023


Highlights for the week

September has come to a close and not a lot has changed since last week. Lots of jobs applied to. Lots of rejection letters. Practicing Pen Testing some more. Also, it rained a lot. I'm enjoying my friends prospering in their professional station. My turn will come. It has to!

What We Loved

  1. Finished the 4-stars for "Juice Shop" - I paused at some of the more outlandish ones, and employing the Password Reset feature.
  2. Was able to get a tiny infusion of money from the credit card. I need a job a.s.a.p to pay these bills down.

What We Learned

  1. Sec+ - Steadily moving through Unit 4 Module concerning Incident Response. Really cool.
  2. TCM/Juice Shop - Closed the book on that. Started a new site, ready to run a PT next week. Strongly considering Mobile Pen Testing.
  3. Burp Suite Cert - Looked into it, it costs $99
  4. Signed up for ISC(2), will see how that works.
  5. Google Cybersecurity Cert - ?? - need info.
  6. Automation - Got some foundational scripts for WebdriverIO, but a recent update to Google Chrome disrupted the execution. An update didn't help. Will revisit next week.
  7. Cult.ure - Started "Bloodhound, Phase-5" chapter. I'm behind on my progress as job hunting was the #1 priority.

What We Longed For

  1. As always, a good job, great pay, benefits, and awesome people.

What We Loathed

  1. Rejection emails on Fridays are the worst!! WTF to that!

Saturday, September 23, 2023

Security Testing Journal Entry | w/e Friday September 21, 2023 - YEAR IN REVIEW

Show me a person who has never failed, and I will show you a failure of a person. What we learn from failure, and what we do with that knowledge, is what matters — M. Bloomberg

THE YEAR IN REVIEW

Welp! It has been quite the year. 12 agonizing months of unemployment. After several weeks of waiting, and waiting ... and waiting, the job I was hoping to land fell through. I prepared for that eventuality, but that doesn't make it hurt less. The funds are gone. Retirement - gone! Savings - gone! Emergency fund - gone! I can't even take out a loan to cover for the next few months without showing proof of employment. The longer I'm out of work, the worse for me it is. One has to wonder if the presumption is I'm "damaged goods" or a "risky" hire.

This week was a complete bust! The priority was the job search, kicked up several notches. Where I was a bit picky a year ago, I'm now settling for whatever. Still need to maintain a certain salary cap, but I'm considering other options as well. I don't think I hit any of the other goals I've set. Haven't written, haven't done anything automation-wise. I haven't even done much for Security+. There's still the weekend :'(

What Went Well This Past Year

  1. I'm completely debt free!!
  2. Finished Network+ .. not aiming to get certified.
  3. Learned how to use Metasploit and Burp Suite, as well as Kali Linux and ZAP.
  4. Learned a lot about Security (Sec+)
  5. Have completed several learning modules with pen testing, vulnerability analysis, etc. and I feel more confident than ever that this is my career.
  6. Got to interview at a new Cybersecurity company. It didn't go like I hoped, but I learned a lot.
  7. Learned a few automation frameworks for QA - namely Cypress and Playwright, as well as Jest and SQL/DB testing.
  8. Finished the 3 Tiers of Hack The Box, along with the important modules for Vulnerability Assessment and Windows Active Directory (to name a few)
  9. Completed the TCM Web Application Pen Testing Course and have completed most of the tiers: 1-Star, 2-Star, 3-Star, and some 4-Stars
  10. Acquired a few mentors that have helped somewhat. Also have a "mentee" that is doing well.
  11. Got to do some great traveling and saw some wonderful sites, including the Mayan Ruins at Chichen Itza
  12. There was the wonderful time in Orlando, with Galaxy's Edge, Disney's 50th Anniversary, and the amazing fun that was The Halloween Haunted Houses at Universal Orlando.
  13. At home, the workouts have been producing great results. Seeing some abs as well as loss of inches.

What Didn't Go Well This Past Year

  1. Had a couple of referrals present me with great job opportunities, but those failed.
  2. 350 jobs applied to, with nearly a 50% rejection rate and the remainder unanswered. Had 5 interviews to date that went to the final rounds: no offers.
  3. Had to liquidate my retirement to cover the year's expenses. Not looking forward to the tax penalty next year.
  4. Had a wonderful job in a new career bottom out. While the circumstances were beyond my control, it stings.
  5. Had my Web App Pen Test Capstone evaluated. The results were suboptimal. BUT! That's a win unto itself. I got to learn how to get better.
  6. LinkedIn is the worst! Great for jobs, but shit for networking and posting content that gains little to no traction. Or perhaps it's me.

What Needs To Get Better

  1. Need to be a better husband/provider, father, and friend.
  2. No more fuck ups!! No more doing dumb shit!! I have to be better than this. This year had to happen to teach me that lesson.
  3. Need to land a job and stick it out.
  4. I cannot continue to be the same person and hope good things keep happening. Right now, I'm staring at my ineptitude and it's the worst.
  5. My goal was to have been certified by June. It's now end of September, and that is not feasible. But, I have gained completion in other areas that had more value. It continues.
  6. I have to decide if Security is the path I want to take and really push through the failure. Right now, it stings a little.

Friday, September 15, 2023

Security Testing Journal Entry | w/e Friday September 15, 2023 - Situation: Critical


Highlights for the week

Not a lot to draw on this week that went well. I did hit a few goals for the week, task-wise, but I'm no closer to landing a job than I was last week. There is some "hope" with the job I interviewed 3 weeks ago. The choice is between myself (a Jr.) and another person (a Sr.). The company offered an opportunity to bring on someone new and show them the skills. The experienced person presents the favorable prospect of bringing in someone that requires no training and can effectively start immediately, albeit at a higher salary.
Not gonna lie .. the wait has been absolute torture. I will be insolvent in the next 2 weeks. I have nothing coming in. No idea how I'm going to pay the rent or bills.
!!SUCCESS IS MY RESPONSIBILITY!!

What We Loved

  1. Not a lot to love this week. Stayed disciplined in my workout and education, but slipped in other places.

What We Learned

  1. Security+ - Wrapped up the module on "Public Key Infrastructure". Up next is the Operations & Incident Response section. Super-interesting.
  2. Automation - Closed the book on WebdriverIO videos. Going through a practice site now, starting with test plan write up using an updated template.
  3. TCM - no feedback on the Capstone, but at least that got done. Planning another Pentest.
  4. Cult.ure - Interesting turn of events so far. Need to get back into it and be more consistent. The story is shaping up nicely.

What We Longed For

  1. As always, a job, paycheck, and benefits. The hope for news (good or bad) is painful! I'd rather have a "no" now, than wait for a "yes" that might not come.

What We Loathed

  1. September 8th - I will commemorate this as the lowest of low-points in my personal life. NEXT TIME YOU WANT TO BE A DUMBASS AND FUCK UP AT WORK .. remember this date and the bs of no money, no job prospects, and having to get EBT to support your family Remember the empty fridge, empty bank account, cleaned out retirement and what- not

Friday, September 8, 2023

Security Testing Journal Entry | w/e Friday September 8, 2023 -- "Small Wins" Edition


Highlights for the week

Closing out the week on a mild high. While I wait for the Security role to manifest itself, I've had the chance to shoot my shots on a couple of roles. Nothing done yet, but for whatever reason, I'm not panicking .. yet! I will be insolvent by 9/15 so I need something now. That being said, a couple of small wins.

What We Loved

  1. I followed up on the job that I interviewed for some two weeks ago. Per my mentor, the feedback was great. His words, "you were a frontrunner along with one other candidate who is fundamentally different from you" and that the business direction would determine who wins the race. Fingers crossed! But this does sound hopeful.
  2. I submitted my capstone (proof of mastery) to TTI for the Pen Test course. It was a complete labor of love as I thoroughly tested a demo site and reported on vulns.
  3. Acquired the SNAP card this week. Turns out whomever processed my application failed to mail out the card. Now I have an excess of $$ for two months.

What We Learned

  1. Security+ - Finished the module on "Authentication & Authorization." Working through the module on "Public Key Infrastructure" .. kinda long.
  2. Automation - Paused. I should probably resume with Webdriver next week, but tbh I'm way over QA. Still, I need a job and QA is the only thing I know.
  3. Cult.ure - Coming along great. A new chapter dealing with the kidnapping of a nosey journalist. Paul & Dulci get closer.

What We Longed For

  1. As always, longing for paycheck & benefits
  2. I need a Plan-B if the Security job doesn't pan out. But I can't accept anything less that success.

What We Loathed

  1. The entire job hunting process is the absolute worst. It's been a year and I never anticipated the harrowing ordeal of landing a new role.

Friday, September 1, 2023

Security Testing Journal Entry | w/e Friday September 1, 2023 -- Rabbit Rabbit


Highlights for the week

Welp .. it's happened. I'm 20 days from hitting 1 full year since my last paycheck, my last employment. I've learned a metric ton since the last time I answered to anyone. I've faced a lot of demons, confronted my ineptitude, and healed from a lot of the psychological and emotional trauma that comes with getting laid off .. repeatedly. I've learned a lot about what I want and don't want. I've interviewed a few times to no avail, but thinking the ~300 "No's" are bringing me closer to my "YES!!" The proof was interviewing for the Junior Security Consultant role. If I don't get it, well I took my shot. The TCM course on Pen Testing prepared me for that, and I cannot begin to think that was the best $1 I ever spent on myself.
I need a job, a good paycheck, and benefits, yet for some odd reason I'm not going to lose my mind over landing a role in QA that I don't want. Life is too short to settle. It's taken me 12 months to learn I need to be living for me, doing what I want, for a company that is going to suit my needs. I'm not a lemming to be disposed of when they see fit. I want to have the dream job, and I feel I'm getting closer to that.
*** GOALS ACHIEVED ***

  • Hit all my study goals this week
  • Completed Most of "Juice Shop 1 Star" (Pen Test Attack Difficulty) and most of the "2 Stars"
  • Fulfilled SNAP requirements. Should hear something by 9/2
  • Learned more about Sec+ and PTES .. the Penetration Testing Standard
  • Workouts have been consistent. Seeing the results

What We Loved

  1. TCM - Pen Testing Course. Learning the process and the skills to successfully complete a penetration test are immeasurable.

What We Learned

  1. Security+ - This week's module centered around Cloud Security & Account Management. Next up: Authentication & Authorization Services
  2. TCM - Course Completed. Now I have to do a Capstone (Proof of Mastery) and truly earn that cert.
  3. Cult.ure - Book is coming along, but I need to be more disciplined in my writing. One or two days ain't cutting it.

What We Longed For

  1. Job & Paycheck .. nothing more complicated than that
  2. Need to read more. So far, my reading has been off web pages and Flipboard

What We Loathed

  1. No negativity this week

Saturday, August 26, 2023

Security Testing Journal Entry | w/e Friday August 25, 2023


Highlights for the week

Welp, another mixed bag of highs and lows. The high: Made it past 2nd round of the interview for a Jr. Pentester Role (remote). Got tasked with submitting a bug report which was approved by my mentor. So stoked!! The low: Got the email stating it's going to take a few weeks as they're interviewing other candidates. I feel like I may have bombed the interview somehow. Perhaps it was getting the motto wrong (I was thinking of something relevant to the example they wanted me to give and I blurted out the wrong thing .. so stupid!). There may have been a few other missteps (probably) as nerves got the better of me. Overall, the job search sucks and this is the closest I've come to an opportunity in the direction I want for a new career. QA roles are drying up.

The other low is that I'm coming up on 11.5 months w/o work. By far the longest stretch ever! I will be cleaned out of money by mid-September if I don't land something a.s.a.p.

What We Loved

  1. Another week came and went. Got to "shoot my shot" with a Security Company job. Hoping for the best, but anticipating the worst. Trying not to get too caught up in the excitement.

What We Learned

  1. The priority was the Security Jr. Pentester job interview. Learning a lot about Pen Test Process & Reporting
  2. Security+ - Finished the module on Mobile Security. Up next, Cloud Security
  3. Cult.ure - Great progress on latest chapter. Not complete, but character development in progress.
  4. TCM - Finished all the modules. Going through the 2-star test scenarios on Juice Shop. I'll try to make my way through the 3s, maybe 4s.

What We Longed For

  1. As always ... need a job, paycheck, and benefits.

What We Loathed

  1. The whole interview process. It's just too much!

Friday, August 18, 2023

Security Testing Journal Entry | w/e Friday August 18, 2023


Highlights for the week

What a crazy happy-sad week this has been. From losing a couple of job opportunities I was sure were solid, to making it to the 2nd round of a job and total career pivot in the direction of my dreams, is more than I can ask for. Been learning a lot about Pen Testing and have been fully immersed in the Security space. I have so much hope, even if I'm facing an empty bank account after September. Will follow up on the job thing in my next post.

What We Loved

  1. My Mentor referring me to the job. I don't have words for how excited I am for the opportunity.

What We Learned

  1. Security+ - Making my way through the Mobile Security Module
  2. TCM - been learning more on my own than following the video for "Juice Shop" ... so much fun!!
  3. Cult.ure - things are getting exciting. I need to hunker down and finish. Got an idea for another book.

What We Longed For

  1. As always, in desperate need of a job and have been longing for a paycheck and insurance.

What We Loathed

  1. Recruiters and their bias. That's all I'm going to say about that.

Friday, August 11, 2023

Security Testing Journal Entry | w/e Friday August 11, 2023


Highlights for the week

Not so much a highlight, but I can unequivocally say August 2nd is the day I've officially hit my career low. The job I manifested and wanted fell through, and there have been no new opportunities on the horizon. Monday (Aug. 7) I found myself trying to be helpful and empathetic, only to fail. The clock is ticking and the days are mounting. If I don't land something in the next two weeks, I will be in big trouble.
And then on Tuesday, a couple of wonderful things happened: scheduled an interview with a job, and my mentor sat with me through a Pen Test. Also mentioned a job opportunity :)

What We Loved

  1. As always grateful for having a wonderful family.
  2. Update! Had the first interview with CEO for the role of Security Consultant. Been on such a high all week!

What We Learned

  1. Sec+ - still moving through Secure Network module
  2. Android Autom. - paused!
  3. WebdriverIO - started
  4. TCM - blocked - can't seem to kick off docker/juice shop. May spectate through the walk-thru || Update (8/9) Unblocked and moving nicely through Juice Shop
  5. Cult.ure - moving along. Chapter 16 is really good.

What We Longed For

  1. Job, paycheck/benefits, friends

What We Loathed

  1. Gatekeeping! Perhaps ITA, but man oh man! Trying to help and getting shunted put me in a rage. In my head I'm all, "How about you tell me what is helpful!" but that would come off toxic. Heaven forbid I should offend sensibilities. I took the high road and exited that channel.

Saturday, August 5, 2023

Security Testing Journal Entry | w/e Friday August 4, 2023


Highlights for the week

Welp! It happened again. Got my hopes up on what I thought was going to be a sure-thing, and I got rejected. Coming up on 11 months of unemployment. I don't even know anymore. I find some influencer advice to be useless. "Reach out to your connections" - fail! "Post what you know" - no traction! "Make new connections" - fail! You link up with strangers then never hear from them again. I'm so tired of it all. I'm done with the process. Something has to give. Perhaps it's me being too low-vibrational, but how many times can you put out the energy of attraction and be met with rejection? How many times can you get kicked before you realize it's time to throw in the towel? IT PAYS TO BE A WINNER! And right now, I'm not winning.

What We Loved

  1. Hit my goal of creating an Android app and building out a series of tests for it.

What We Learned

  1. Android Automation - lots of great learnings
  2. Security+ - Back on program. Making my way through the module for Secure Network Designs. It's a bit of a slog!
  3. TCM - Need to resume "Juice Shop" Pen Test Walk-thru. Paused for Android automation learning.
  4. Cult*ure - wrote up a great chapter on "The Board" and their inner workings. Should fatten that up a little more.
  5. QA Book - Work in progress

What We Longed For

  1. A Job and paycheck. As stated, this is quite possibly the lowest point of my career.

What We Loathed

  1. Histrionics! This is in response to a thread where someone wanted to vent about something. Some of the responders (myself included) offered fix-it solutions. One such "gatekeeper" stated the OP wanted emotional support, not a solution. My reaction to that was peculiar. It made me angry to see someone getting so wrapped up in what clearly should be a non-emotional situation. Furthermore, by detaching, the solution becomes self-apparent. This is a long way to say, "walk it off ... keep it moving!!"

Sunday, July 30, 2023

Security Testing Journal Entry | w/e Friday July 28, 2023 - Ashura Ed.


Highlights for the week

What is Ashura? A voluntary fast-day observed by the Mohammedans on the 10th day of the month Muharram.

As you can surmise by the subtle Android logo, this week was focused on Android, both the application development and automation process. Spent a good part of last week and this week focused on automation in Espresso with Kotlin. Even learned how to build an app with Kotlin. Next week, more of that.

Security testing with Pen Test process is making great headway. Spent a good portion of time learning how to use zap with automation. This week, so looking forward to the walk-thru.

Also, I was sick the better part of the week, so not a lot of progress made in Sec+

What We Loved

  1. Interviewed at a rapid pace at my target company of choice. I have a great feeling, but the grind of looking for another job persists until I sign an offer letter.
  2. TCM is phenomenal!!
  3. Mentoring - I didn't think I was going to like it as much as I do.

What We Learned

  1. Database Testing - Done. Not spending too much time learning to do triggers.
  2. Security+ - Paused! Read about FedRamp / StateRamp
  3. TCM - Learned a bit about Automating the requests for security vulns.
  4. Automation - Android Espresso / Kotlin .. #1 focus for now and the months to come.

What We Longed For

  1. A job, pay, and benefits!! About to hit 11 months. If something doesn't happen by Mid-August, the money will officially have run out.

What We Loathed

  1. Unemployment!

Friday, July 21, 2023

Security Testing Journal Entry | w/e Friday July 21, 2023 - Paid-In-Full Ed.


Highlights for the week

Three great big wonderful things this week: First, finally the chance to learn more about the actual Pen Testing process, working with TCM learning modules and "Juice Shop".

The second: Finally have the first round interview with a company I have been liaising with since January. All fingers crossed for Monday. Manifestations of positivity, prosperity, and passions are finally paying off.

The third: Student Loan is PAID IN FULL!!

What We Loved

  1. Everything in so far as staying positive, focused, and disciplined is paying off!

What We Learned

  1. Android Espresso - Learned how to test toasts, and write a custom view matcher. I get what is supposed to happen and how things work. What I wish I knew at Fuzz!!
  2. Sec+: Module 3.2 - Host & Application Security
  3. Database Testing - Learned about stored procedures and how to test. The automation portion is done using TestNG :(
  4. TCM - So excited to be on the module concerning Pen Testing. Need to read more from the whitepapers regarding the process.

What We Longed For

  1. Employment

What We Loathed

  1. Nothing! All happy beeps this week!

Sunday, July 16, 2023

Security Testing Journal Entry | w/e Friday July 14, 2023 (Sunday Ed.)


Highlights for the week

Posting this a bit late on Sunday as things have been a mixed bag of busy and lazy. Some promising news on the job hunt!

What We Loved

  1. My friend / potential manager reached out to let me know the role is in the final stages of budget approval.
  2. Got a good idea for the Mentor - planning to learn more about the process of pentesting while I learn techniques.

What We Learned

  1. Security+ - started Module 3 .. gonna be a long slog.
  2. TCM - Finished Module 4 - OWASP Top 10. Need some more practice on DWVA.
  3. Automation - made great progress on Espresso (Android). Even built a rig app to test against.
  4. Database Testing / SQL - learned schema testing.
  5. Cult*ure - Chapter 14 is coming along quite nicely. Some interesting character developments.

What We Longed For

  1. More time. My plans for the week were hijacked on Wednesday due to personal priorities.
  2. Longing for a paycheck, but I've articulated the vision a lot clearer and working towards manifesting it.

What We Loathed

  1. A few jobs rejected my application this week. Yet the roles for ones I was rejected for in the past showed up again .. wth!!

Friday, July 7, 2023

Security Testing Journal Entry | w/e Friday July 7, 2023 - Independence Day Ed.


Highlights for the week

Another successful week. Hit several goals, and have acquired a new mentee (who knew!). A couple of other new connections wanted to discuss some Cybersecurity testing basics. Sadly, these meetings didn't manifest themselves. Worth a note is unblocking myself and making great progress with the Pentesting Course.
Unemployment remains blech!! But I really truly feel my job is waiting for me.

What We Loved

  1. I'm honored having been asked to mentor someone. Not my first time "coaching" someone, but I'm opting to be the mentor I haven't had.
  2. Made great progress with learning Espresso for Android.
  3. Making great progress with the book as well. Story is evolving beyond what I had laid out.

What We Learned

  1. Network+ - Done! Need to find pop quizzes.
  2. Security+ - Finished the modules regarding Architecture & Design.
  3. TCM - Moving through the OWASP Top 10. Will definitely write a "Security For No0bs" post.
  4. Automation (web) - Finished what I could for Playwright w. Python. Fascinating framework.
  5. Automation (mobile) - Made decent headway with Espresso after being blocked with the Gradle build process. There's still a bunch to learn.

What We Longed For

  1. SQL - this has to be a must do next week.
  2. Espresso - continued practice.
  3. WebdriverIO - this keeps popping up. I should pivot from Appium Automation to learn this.

What We Loathed

  1. Unemployment. 15 jobs, no recruiter call backs. Ghosted by another recruiter. The grind is taking its toll and money is running out.

Friday, June 30, 2023

Security Testing Journal Entry | w/e Friday June 30, 2023


Highlights for the week

Another week in the grind. Got to moving through some Security+ stuff, attended a fascinating podcast, and unblocked my TCM learning module. Unemployment now at 9.5 months .. not good at all.

What We Loved

  1. Friends reached out on Linked in and text
  2. Great chat with a mentor
  3. Took on a mentee. She's based out of France and interested in Cybersecurity as well.

What We Learned

  1. Security+ - Learned about Physical Security Controls and currently moving through Cryptographic concepts
  2. TCM - Unblocked the module and am so excited to start on the OWASP Top 10
  3. Cult.ure - moving along quite nicely. Will bounce back in this weekend

What We Longed For

  1. A great paying job!!

What We Loathed

  1. Unemployment and recruiters who ghost.

Friday, June 23, 2023

Security Testing Journal Entry | w/e Friday June 23, 2023


Highlights for the week

A couple of goals hit this week. Finished Network+ modules, but haven't taken a quiz. Unblocked the PWST Lab but getting an error building some of the modules. The workaround has been to use TryHackMe lab. Hit the 9 month mark with unemployment. It's bad out there!!

What We Loved

  1. Networked with a contact at iHeart Radio. Sent my resume for a possible job.
  2. An old friend reached out to me regarding some AI stuff.

What We Learned

  1. Network+ - Completed. I'll probably circle back soon and quiz myself. The goal was to learn the fundamentals.
  2. Security+ - learned about resilience. The goal is to double my efforts. The goal to get certified has changed .. too expensive.
  3. PWST - Finished Lab 3 section. Onto OWASP Top-10.
  4. Cult.ure - Getting good with chapter 10. 11 is on deck.

What We Longed For

  1. Learned about Google Cybersecurity Cert. Seems really nice.

What We Loathed

  1. Job market is the worst. Been ghosted a couple of times this week. Got a few rejections as well.

Friday, June 16, 2023

Security Testing Journal Entry | w/e Friday June 16, 2023


Highlights for the week

BIRTHDAY TODAY .. WILL FOLLOW UP THE WEEK'S PROGRESS NEXT TIME!!!

Sunday, June 11, 2023

Security Testing Journal Entry | w/e Friday June 9, 2023


Highlights for the week

Lots of interesting things happened this week, none having to do with landing a new job.
The first thing: As I write this, there are wildfires in Canada that span the breadth of the territory which caused a massive amount of smoke to waft across the upper-half of the United States. New York had poor air quality, with Tuesday and Wednesday being the worst. It looked like something out of the apocalypse.
The second thing: Disclosure of top-secret documents relating to the existence of UFOs/UAPs. Turns out there are sections of the US Government that are in possession of alien space technology and have come in contact with beings from another planet.
The third thing: the former President of the United States was indicted on 37 counts of espionage. It doesn't look good.

What We Loved

  1. In my last blog post, I mentioned the TCM Course. After moving through most of the module, I wound up filling up all 20GB of storage and got locked out. Loved that I was able to rebuild the VM (again!) and make progress. Need to re-do the lesson on Fuzzing Word Press login

What We Learned

  1. Network+ - Lots of trouble shooting (Hardware / Software). I'm at the end
  2. Security+ - Architecture & Design | Authentication & Authorization
  3. TCM - Fuzzing Wordpress Authentication w. ZAP
  4. Cult.ure - Inching my way through Chapter 9. Need to get disciplined
  5. Personal - Forgot to declutter the books. Will make it a priority this week

What We Longed For

  1. A good job with good people doing cool things

What We Loathed

  1. UNEMPLOYMENT (creeping on 10 months)

Sunday, June 4, 2023

Security Testing Journal Entry | w/e Friday June 2, 2023


Highlights for the week

New month, new ideas, same me. Job search is still unproductive, actually two rejections to date. The job I interviewed at is unresponsive. I'm not convinced I've been accepted. I also applied to a job that ghosted me. Not my finer moment, but I need money now. The coolest thing of the week is that I finally got the Kali box working and have been progressing through the tutorial. Playwright for QA Automation has been another cool framework to learn.

What We Loved

  1. The Pen Testing tutorial has been fun. I'm on to a new section this week.

What We Learned

  1. Network+ - Learned about the need to have a network be readily available and how to mitigate against potential disasters.
  2. Security+ - Big section on Architecture, this module was about the secure app development process and the importance of having Security early.
  3. TCM - Pen Testing Module 2 completed. Learned about fuzzers on a form.
  4. Cult.ure - Stuck on chapter 9. Parsed out the majority to potentially be a new book. Rewrote the chapter to be more first-person (Dulci is telling the story).
  5. Personal - with Reddit off my phone, I need to read more and declutter my email, books, links on Linked-In, etc.

What We Longed For

  1. As always, a good job! But the right job, not just for a paycheck, but something that I actually want to do.

What We Loathed

  1. Unemployment and the multiple rejections this week. Not cool!

Saturday, May 27, 2023

Security Testing Journal Entry | w/e Friday May 26, 2023


Highlights for the week

Another short post. Not a lot to report on the security testing front as I seem to be blocked by my VM. I've run out of space and can't seem to find a viable solution outside of going the full nuclear option - rebuilding the VM with Kali. Gonna re-try one last time. Did spend some time with QA Stuff and learned Playwright with python. It's crazy-fast.

What We Loved

  1. Getting to wake up, workout, be healthy, and surrounded with loved ones is always a blessing.
  2. Finally got the IRS money they debited from me last month. That monkey is off my back.
  3. 1 glorious payment left on my student loan and I'll be debt free.

What We Learned

  1. Network+ - Kept it simple and learned about organization policies. A few handful of modules left and I'll be done. Maybe I'll take a practice exam.
  2. Security+ - Learned a bit about Cloud Architecture and virtualization. Once Network+ is done, I'll double my efforts.
  3. TCM Pentesting - blocked at the set up. Will potentially rebuild the VM, or create a new one. Thinking the latter is the viable option.
  4. Cult*ure - Working through Chapter-9. I keep adding to it, changing some details, but not making progress yet. The muse is a demanding mistress!

What We Longed For

  1. As always, more time!

What We Loathed

  1. Nothing other than the job market for tech absolutely f&@#$! sucks. 9 months and no better than I was before.

Sunday, May 21, 2023

Security Testing Journal Entry | w/e Friday May 19, 2023 (Late Ed.)


Highlights for the week

Another week came and went and not a lot got done. Officially at the 9 month mark of unemployment. Clearly something isn't working that it's been this long without so much as several rounds of interviews and/or an offer. It's actually making me question my entire career path. On the flip side, it's afforded me the luxury of skilling up and working on my book.

What We Loved

  1. Made it to another round of interviews at JOB-A, and got a second recruiter contact me for JOB-B
  2. Close to done with Network+. Not planning to take the certification exam. I should quiz myself

What We Learned

  1. Network+ - Completed the module on Network Operations
  2. Security+ - Completed the module on Security Architecture. Started on TCM Pentester Course
  3. Automation - Nothing this week. On deck is mobile, and strongly considering Playwright with Python
  4. Cult*ure - Finally wrapped up Chapter 8. Started on Chapter 9 .. need to get more disciplined with my writing. It's too much fun.

What We Longed For

  1. More time and a paycheck

What We Loathed

  1. Code Challenges. Love them and hate them.

Friday, May 12, 2023

Security Testing Journal Entry | w/e Friday May 12, 2023


Highlights for the week

Not a lot happened this week. While I did sign up for an amazing Pen Testing Course w. Kali Linux, it was a busy week for personal tasks unrelated to studies. I do plan to get back to my book this weekend, as well as regroup on the priorities. In other news, had a decent interview for a job I barely want. Had an immediate disposition for a job I DID want :( such is life. Creeping in on 9 months and it doesn't feel good anymore

What We Loved

  1. Got a lot more resources for Pen Testing and API testing.
  2. Made a couple of connections. Have a couple of meetings next week.

Monday, May 8, 2023

Security Testing Journal Entry | w/e Friday May 5, 2023 - Coronation Edition (late)


Highlights for the week

Apologies for the lateness of my post. I was away from keyboard most of the weekend and no amount of writing got done. On Saturday, England crowned their new king - King Charles III - a historic and spectacular event. I legitimately got the chills from just how momentous the entire event was. A nice distraction from my near nine months of unemployment.

What We Loved

  1. Seeing the coronation
  2. Spending some quality time with the wife just walking and hanging out

What We Learned

  1. Network+ - made great progress (almost done)
  2. Security+ - steady progress. Once Net+ is done, we'll double our efforts
  3. Burp Suite - finished a good majority of the training labs. Learned a ton
  4. Automation Practice - Finished API practice in python (yatzee!); have mobile automation working for Java and JS (double yatzee!)
  5. Cult-ure: Have parsed chapter 8 in half. Need to make time for this more now that Burp Suite is done
  6. Came up with ideas for another book .. lots to think about
  7. It's possible my resume is hurting my career .. or maybe I just suck

What We Longed For

  1. A new job. While I'm not freaking out about the near-nine, I'm frustrated with the entire process

What We Loathed

  1. Recruiters not calling as much
  2. Unemployment

Friday, April 28, 2023

Security Testing Journal Entry | w/e Friday April 28, 2023


Highlights for the week - Glitches in the software = No $$

An eventful week to say the least. Building off of a harrowing third week in April, this last week featured another bug in a banking app that nearly sent 100% of my retirement money to the IRS as a tax payment. As a courtesy, my tax preparer gave my state tax filing a second look to ensure no glitches in the tax application. Luckily nothing found.
Thankfully, the week ended better than it started. The bank was able to resolve my transfer issue and my state taxes are good. Patiently waiting for my NYS tax re-imbursement.
Speaking of patiently waiting, it took a second email to the recruiter to determine the outcome of my application status. As expected, they gave me the "feedback was good, but we went with another candidate" bs, followed by, "if you still want to keep the lines of communication open for ..." yeah! gfys with that noise.

What We Loved

  1. Another dreary week of unemployment, but there was a lot of great learnings happening. Thankfully the bank fixed its issue and I got to move my money over to pay bills.
  2. Some small measure of gratitude is owed to H&R Block for ensuring the quality of my NYS Tax filing is 100%. No issues found.
  3. Applied to NetSPI - Associate Security Consultant - which sounds like a really cool gig.

What We Learned

  1. Network + -- network hardening
  2. Security + -- vulnerabilities; Kali / Ethical Hacking; Live chat - Defending against ransomware
  3. Book -- stuck on Chapter 7 .. so many good ideas; had to split to chapter 8 .. WIP!
  4. Automation -- finally have VSCode working; finish tutorial; do API

What We Longed For

  1. A decent job I actually love! Infosec .. I hear you calling, but I'm not ready yet. Be there soon!

What We Loathed

  1. Recruiters who never follow up. Almost got ghosted!

Saturday, April 22, 2023

Security Testing Journal Entry | w/e Friday April 21, 2023

Highlights for the week - Mercury in Retrograde Edition!

So this week was a bit of a setback. There was a glitch found in the tax calculation software of a service I have been using for the better part of twenty years. We had explicitly decided NOT to have a payment debited from my account, yet the software somehow sent the instruction that it was ok to do so, thus causing an epic overdraft. Several of my bills that were set on autodebit went unpaid. The services had to be unplugged while the matter is resolved. At the moment, I am utterly useless. I don't have an income that could weather the storm, and I don't have savings that would help with the hurt.

Speaking of income, another week in the bag and no contact from the company I interviewed with. Not a "yes" or a "no", just silence. I don't even know anymore! I have friends that have successfully bounced from job to job, no setbacks. Close to 8 months and the doubts are starting to creep in. I need a job, but do I really want QA? Security is still far on the horizon. THIS IS REALLY BAD!!


What We Loved

  1. Friends have reached out regarding the status of the job I interviewed at. They share my strife.
  2. Things at home are way better than a month ago. Small steps, but the missus still cares :)
  3. Sat in on a live Study Group Session with Professor Messer for Security+ which was really cool.

What We Learned

  1. Network+ - Really cool learning on common attacks like Denial-of-service, On-Path Attacks, VLAN Hopping, Password attacks, and more.
  2. Security+ - Fun learning about common attack vectors and threat actors.
  3. BurpSuite - the Cross-site Request Forgery (CSRF) lab required the professional edition. Nothing done.
  4. Automation - a couple of key milestones: Appium finally works on my system, using JAVA. Next lesson is actually writing a test. The other key milestone is I finished the course for API testing and working through Load Testing. Learned a new mnemonic for testing APIs which was amazing.
  5. Book - Behind schedule by a little (actually a lot; my goal of 1500 words daily has not been met yet .. why? not making the time). Will need to refocus to once a week, or block an hour.

What We Longed For

  1. Still longing for a paycheck; waiting on closed out Roth-IRA(2) to hit my bank so I can have the rent and bills for May.
  2. Need more time to write
  3. Will probably start a new workout in May

What We Loathed

  1. After a three-week jerk-around, no follow up regarding my application. I have no words!!

Sunday, April 16, 2023

Security Testing Journal Entry | w/e Friday April 14, 2023


Highlights for the week

This post comes a little late, for good reason and part of what went well this week. The majority of time spent was in learning and studying. Definitely need to manage my time a little better. Some days were relegated to single tasks - not a bad thing - at the expense of a few others. Or perhaps, I should learn to quit scheduling so many things per day since two or three things can take up so much of my time. Work in progress.

What We Loved

  1. Hanging out with the family on Friday is always a treasure. Not having a job has been a mixed blessing.
  2. Had a couple of friends check in with my progress regarding the interview. It's what's been keeping me focused.
  3. One of my friends presented a cool opportunity to work voluntarily at a school doing testing things. More on that as details are made known

What We Learned

  1. Network+ - Common Security concepts, which dove-tailed nicely with the modules for Security+
  2. Security+ - Common network attacks. Very interesting things.
  3. Burp Suite - Easy to do XSS attacks. A lot more variations than what I had previously known so that was cool.
  4. Automation - Found some time to clean up my python codebase .. which took longer than expected. Learned Unit test in JEST and Performance/Load Testing. Need practice!
  5. Cloud Pen Testing - need to retry CloudGoat. Last week's attempt didn't bear much fruit.
  6. Cult.ure - Finished Chapter 6, but left areas for additional details. Will work on it over the weekend.

What We Longed For

  1. More time, and more money. Need to read more.
  2. A proper mentor. My current isn't working, and a new one I'm hunting down is loose on the structure of what to do. TBD

What We Loathed

  1. It has been 3 weeks since I last touched base with the interview I completed. The impression I'm getting is, "I'm being considered, but they're not convinced." WTF to that!

Friday, April 7, 2023

Security Testing Journal Entry | w/e Friday April 7, 2023


Highlights for the week

Had something of an interesting week. More waiting to know if I am hired, but an even better networking session with Rhino Security Labs learning about Cloud Pen Testing.

What We Loved

  1. As mentioned above, attended a webinar with some key people from Rhino Security Labs. The topic was setting up an environment in Kali Linux and moving through some of the scenarios. After 2 days of harassment with my environment, I got it set up and managed to move through the first scenario. I need to revisit it when time allows.

What We Learned

  1. Network+ - Moved through another module as it pertained to Wireless Networking and ethernet switching
  2. Security+ - Great learning module as it related to common attacks like XSRF, Buffer Overflow, etc.
  3. Automation - Completed the majority of python tests pertaining to the E-comm website. Need to tackle API testing in python and some negative tests in Cypress
  4. Burp Suite - Finished some DOM-based vulnerabilities. They seemed overly easy
  5. "Cult*ure" - In the middle of writing chapter 5, I folded in an adjunct chapter (4 "All Hands") and had to restructure the layout. New chapter tbd

What We Longed For

  1. Still waiting for a few jobs I applied to 3 weeks ago to reach out. Missing $$
  2. Pursuit of certification is on the horizon: Moving through Network+, but SEC+ and OSCP are the real deal

What We Loathed

  1. Not good karma having to bad-mouth the hiring process at this one company, but after several rounds of interviews, and weeks of waiting, no decision has been finalized and the reply gives the impression that they are not convinced even though they state otherwise. If I had other opportunities, I would have ejected long ago.

Saturday, April 1, 2023

Security Testing | Security 4 No0bs - Basic Security Testing with Bug Magnet


Bug Magnet - The best tool a tester can have

What if I told you there's a super-simple tool that is easy to use and requires little to no effort to learn!

And what if I told you, no special downloads, CLI commands, or Kali Linux extensions were necessary!

Look no further .. BUG MAGNET .. is the answer!!

So What Is Bug Magnet?

Bug Magnet is a Chrome extension you can use to test form submission and input sanitization. It is easily the first step in any manual security testing effort. It features an expansive array of positive and negative test cases for a wide variety of options. Being that this is a security-minded blog post, with a sprinkling of QA, we'll consider a few exploits.

For the purposes of this demo, we are using the practice form here.

Exploit #1 - Buffer Overflow | Goal: Test that form inputs limit character entries to prevent data corruption, program crashes, or execution of malicious code

What is a buffer overflow? The short version: a buffer overflow happens when more form data is submitted than the allocated memory space (buffer) can hold. For more details, visit OWASP | Buffer_Overflow Vulnerability. How to test:

  1. Visit the form and pick one of any inputs shown
  2. Right-Click into the input to open the context menu - look for bug magnet
  3. Select Text Size and either with spaces or without
  4. Once the text has been entered into the input submit the form
  5. Repeat with another input, or all of them

Exploit #2 - SQL Injection | Goal: Form submissions block execution of queries

What is a SQL Injection? As the name implies, this exploit causes the site to execute an attacker-supplied query when the form is submitted. For more details, visit OWASP | SQL Injection. How to test:

  1. Visit the form and pick one of any inputs shown
  2. Right-Click into the input to open the context menu - look for bug magnet
  3. Select Format Exploits this opens a tertiary context menu
  4. Select SQL Injection - the first entry in this new context menu
  5. Notice there is a script populating the form - Robert'); DROP TABLE Students;-- this can be modded to reflect a known table in your project codebase
  6. Submit the form, note the outcome - in a perfect situation, nothing should be observed (ie, no harm done!)
  7. Repeat with another input

Exploit #3 - Javascript Injection | Goal: Form submissions block execution of code by escaping special characters as text

What is a Javascript Injection? A javascript injection allows malicious code to execute within a form post-submission. It can be anything from an annoying pop-up alert to remote code execution. For more details, visit Portswigger | Javascript Injection. How to test:

  1. Visit the form and pick one of any inputs shown
  2. Right-Click into the input to open the context menu - look for bug magnet
  3. Select Format Exploits this opens a tertiary context menu
  4. Select Javascript Injection - the second entry in this new context menu
  5. Notice there is a script populating the form - alert('Executing JS') --
  6. Submit the form, note the outcome - in a perfect situation, nothing should be observed (ie, no harm done!)
  7. Repeat with another input

Exploit #4 - XSS Injection | Goal: Form submissions block execution of code

What is a Cross-site Script Injection? Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. For more details, visit OWASP | XSS Injection. How to test:

  1. Visit the form and pick one of any inputs shown
  2. Right-Click into the input to open the context menu - look for bug magnet
  3. Select Format Exploits this opens a tertiary context menu
  4. Select JS String (XSS) Injection - Single Quote - the third entry in this new context menu
  5. Notice there is a script populating the form
  6. Submit the form, note the outcome -- nothing should be observed (ie, no harm done!)
  7. Repeat with another input
  8. Repeat this above test scenario with JS String (XSS) Injection - Double Quote

Exploit #5 - Broken HTML | Goal: Form escapes any special characters on submission

Broken HTML and HTML parsing are the lesser of the format exploits provided by Bug Magnet. What these options do is essentially inject simple HTML characters into an input that is not expected to allow such characters (ex: phone number or email input).

  1. Visit the form and pick one of any inputs shown
  2. Right-Click into the input to open the context menu - look for bug magnet
  3. Select Format Exploits this opens a tertiary context menu
  4. Select HTML Parsing - the fourth entry in this new context menu
  5. Notice there is some mild HTML entered into the form
  6. Submit the form
  7. Repeat with another input
  8. Repeat this above test scenario with Broken HTML option
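The five checks above are driven from the browser, so it helps to see what a form backend has to do for those payloads to come back as "no harm done". The following is an added example, not Bug Magnet's code and not from the original post: a small server-side validation layer in Node.js that enforces the length limit (Exploit #1), keeps user data out of SQL text (Exploit #2), and escapes anything reflected into a page (Exploits #3 to #5). The field names, length limits and patterns are assumptions; the SQL and JavaScript strings are the ones the post quotes, while the XSS and broken-HTML strings are constructed for the example.

```javascript
// Added example (not Bug Magnet's own code): server-side handling that the
// five Bug Magnet format-exploit payloads should bounce off. Node.js, no
// dependencies. Field names, limits and patterns are assumed for the demo.

const FIELD_RULES = {
  name:  { maxLen: 64,  pattern: /^[\p{L} .'-]+$/u },
  email: { maxLen: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  phone: { maxLen: 20,  pattern: /^\+?[0-9 ()-]+$/ },
  notes: { maxLen: 500 }, // free text: length-limited here, escaped on output
};

// Exploit #1 defence: enforce the length on the server and reject rather than
// silently truncate, because a client-side maxlength attribute can be removed.
function validateField(field, value) {
  const rule = FIELD_RULES[field];
  if (!rule) return { ok: false, reason: 'unknown field' };
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  if (value.length > rule.maxLen) return { ok: false, reason: 'too long' };
  if (rule.pattern && !rule.pattern.test(value)) return { ok: false, reason: 'bad format' };
  return { ok: true, value };
}

// Exploits #3, #4, #5 defence: anything reflected back into HTML is escaped,
// so injected markup or script text renders as literal characters.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Exploit #2 defence: user data is never spliced into the SQL string. Column
// names come from the allow-list above; values travel separately as parameters
// that a driver binds with placeholders.
function buildInsert(table, record) {
  const columns = Object.keys(record).filter((c) => c in FIELD_RULES);
  if (columns.length === 0) throw new Error('no valid columns');
  const placeholders = columns.map(() => '?').join(', ');
  const sql = `INSERT INTO ${table} (${columns.join(', ')}) VALUES (${placeholders})`;
  return { sql, params: columns.map((c) => record[c]) };
}

// Constructed inputs. The SQL and JS strings are the ones Bug Magnet populates
// (quoted in the post); the XSS and broken-HTML strings are made up here.
const PAYLOADS = {
  bufferOverflow: 'A'.repeat(10000),
  sqlInjection:   "Robert'); DROP TABLE Students;--",
  jsInjection:    "alert('Executing JS') --",
  xss:            "<script>alert('xss')</script>",
  brokenHtml:     '<b>unclosed <i>tag',
};

// Runs every payload through the pipeline and reports what happened to it:
// three are rejected outright, two are accepted as text but neutralised on output.
function runChecks() {
  const out = {};
  out.bufferOverflow = validateField('notes', PAYLOADS.bufferOverflow).reason;
  out.sqlInjection   = validateField('name', PAYLOADS.sqlInjection).reason;
  out.brokenHtml     = validateField('phone', PAYLOADS.brokenHtml).reason;
  out.jsInjection    = escapeHtml(validateField('notes', PAYLOADS.jsInjection).value);
  out.xss            = escapeHtml(validateField('notes', PAYLOADS.xss).value);
  // the SQL payload stays a parameter; the statement text never contains it
  out.insert = buildInsert('contacts', { name: PAYLOADS.sqlInjection, email: 'a@example.com' });
  return out;
}

console.log(JSON.stringify(runChecks(), null, 2));
```

Note the split between the two free-text payloads and the rest: the JS and XSS strings are legal "notes" content, so the validator accepts them and it is the output escaping that keeps them inert, whereas the SQL string in a name field and the broken HTML in a phone field are rejected before they reach storage. Both layers are needed; a validator alone will not protect a free-text field, and escaping alone will not stop an oversized body.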

Security Testing Journal Entry | w/e Friday March 31, 2023


Highlights for the week

In my last post, I wrote about the state of the job market. A week later, and there's news about more layoffs to come. Seems like the Big Boy tech companies overextended their staffing during lockdown, and the consequence of a failed gamble on continued earnings is a reduction in staff to recoup losses. The recurring theme is profits over people. Loyalty be damned! Oh you think being committed to your job buys you immunity? Nope! You think being a lifer in the ranks keeps you safe from the layoff lotto? Try again!

And don't even get me started on performance. What a joke that is. You can be a rockstar, 10x, "ninja" employee hitting all the top marks. That won't guarantee your job is secure. A Performance Improvement Plan - that's just management's cudgel. Push back in the slightest and you're no longer their darling gold-star employee. Now you're a problem that needs to be dealt with.

But it's not all doom and gloom for this guy! With over 100 jobs applied to in the now 7.5 months of unemployment, there is at least 1 job in the final rounds of the interview process.

That being said, there were a lot of other cool things that happened this week. Below are some of what went on:

What Went Well

  1. Network+ - Paused on Networking to complete the Google Cloud learning module.
  2. Security+ - Paused on this as well. In its place were a live Capture The Flag event hosted by Snyk (fun!) and completion of the Mitre ATT&CK suite.
  3. Burp Suite - Completed modules for DOM attacks.
  4. Automation - Python is working again and the work to clear out the board is in progress.
  5. The Book - Completed Chapter-5; Chapter-6 is on deck (have notes, will write).
  6. Personal - Finally got around to cleaning up GMail and Outlook. Now there's the bookmarks and Linked-in "saved items".

What We Learned

  1. "Blue Team" tactics and what to look for regarding the 6-step Mitre process.
  2. How google cloud works and what their services offer.
  3. CTF Exercise taught us about the JS "prototype pollution" exploit, as well as a Python "pickle" exploit for base-64 deserialization.

What We Longed For

  1. A paycheck. The money in my emergency fund is about to run dry in the next few weeks if a job doesn't manifest itself.

Friday, March 24, 2023

Security Testing | Security 4 No0bs - MITRE ATT&CK


Mitre ATT&CK

A brief, high-level "Blue Team" Cybersecurity defense framework. I won't be going too deep into the technicals of how it works, but I will cover some of the basics of what I'm learning. To illustrate the purpose of this framework, let's consider football - namely Offense vs Defense.

What is Mitre ATT&CK

In football, it is super-critical and advantageous for the Defense to know what the Offense is capable of, understand trends, and know how to respond. Basically, situational awareness. Mitre Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) is that "situational awareness" concept wrapped in a framework.

Imagine the scenario: 2nd quarter, game is tied, the Offense tends to throw a lot, but the situation warrants a run or run/pass option. As a Defender, it is imperative to know what to anticipate. Blue Team, aka Cybersecurity Defenders, must be able to "read & react" when a situation occurs that warrants further investigation.

The framework consists of 6 different actions to take:

  1. Develop & Update Malicious Activity Model
    • This is like the Defense's playbook. A model is an understanding for what the threat actor is doing, how, and why.
  2. Develop Hypotheses and Abstract Analytics
    • To understand what the Offense might do (or has done), a hypothesis is drafted. The hypothesis must be concise.
    • Analytics serve to track the "how" of an attack.
  3. Determine Data Requirements
    • There's a long list of criteria that are factored into writing up a good model, primarily concerning the quality of the data and its source.
  4. Identify and Mitigate Data Collection Gaps
    • Eliminate any likelihood of "escaped" data; that is, any missing or obsolete data from the model
  5. Implement Test Analytics
    • Use the constructed playbook to set up a Defensive posture.
  6. Hunt / Detect Malicious Activity and Investigate
    • Deploy the defense and have Red Teamers test it.

These 6 different actions iterate as many times as necessary. The goal of Defense is to have close to no false negatives (truly malicious activity that goes undetected) and only true positives among detected issues (that is to say, Defense caught something truly malicious instead of mistaking a benign action for a hostile one). The MITRE framework attempts to aggregate information from a wide array of resources to "read & react" to an event caught by an intrusion detection or intrusion prevention system.

Blue Team spots something fishy on their scanners. They investigate and see something is up. Based on the attack pattern and the area compromised, they can refer to their model to understand what the attack type is, what it is targeting and why, and how to craft a threat mitigation plan against it.
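As an added illustration (not from MITRE or the training material) of how the six steps above fit together, the following JavaScript walks one hypothesis through data requirements, gap identification, and a scored test run over constructed endpoint events. The hypothesis text, the process names, the sample events and the helper names (findGaps, analytic, evaluate) are all assumptions made for this example; none of them are ATT&CK identifiers.

```javascript
// Added example (not MITRE's code): a toy pass through the six hunting steps,
// with labelled sample events so the true-positive / false-negative outcome
// described in the text can actually be measured.

// Steps 1-2: the model and its hypothesis (constructed wording, not an ATT&CK ID).
const HYPOTHESIS = {
  id: 'H-1',
  statement: 'a web server process should never spawn an interactive shell',
  // Step 3: data requirements, i.e. the fields the analytic needs per event.
  requiredFields: ['host', 'parentImage', 'image', 'timestamp'],
};

// Assumed process names for the example; a real model would draw these from
// the environment's own inventory.
const WEB_SERVERS = new Set(['httpd', 'nginx', 'w3wp.exe']);
const SHELLS = new Set(['sh', 'bash', 'cmd.exe', 'powershell.exe']);

function missingFields(event) {
  return HYPOTHESIS.requiredFields.filter((f) => !(f in event));
}

// Step 4: identify collection gaps. Events lacking a required field cannot be
// judged, so they are reported rather than silently dropped.
function findGaps(events) {
  return events
    .map((e) => ({ host: e.host, missing: missingFields(e) }))
    .filter((g) => g.missing.length > 0);
}

// Step 2 (analytic): the "how" of the hypothesis as a predicate over one event.
function analytic(event) {
  return WEB_SERVERS.has(event.parentImage) && SHELLS.has(event.image);
}

// Steps 5-6: run the analytic against events with Red-Team-supplied ground truth
// and score it. A false negative here is what drives the next iteration.
function evaluate(events) {
  const score = { truePositives: 0, falsePositives: 0, falseNegatives: 0, trueNegatives: 0, hits: [] };
  for (const e of events) {
    if (missingFields(e).length > 0) continue; // a gap; see findGaps
    const detected = analytic(e);
    if (detected) score.hits.push(e.host);
    if (detected && e.malicious) score.truePositives++;
    else if (detected && !e.malicious) score.falsePositives++;
    else if (!detected && e.malicious) score.falseNegatives++;
    else score.trueNegatives++;
  }
  return score;
}

// Constructed sample events with ground-truth labels.
const SAMPLE_EVENTS = [
  { host: 'web01', parentImage: 'nginx', image: 'sh', timestamp: '2023-03-24T10:00:00Z', malicious: true },
  { host: 'web02', parentImage: 'nginx', image: 'nginx', timestamp: '2023-03-24T10:01:00Z', malicious: false },
  { host: 'ws07', parentImage: 'explorer.exe', image: 'cmd.exe', timestamp: '2023-03-24T10:02:00Z', malicious: false },
  // Labelled malicious but outside this analytic's definition: a false negative
  // that tells the hunter the model needs another iteration.
  { host: 'web03', parentImage: 'httpd', image: 'python3', timestamp: '2023-03-24T10:03:00Z', malicious: true },
  // Missing timestamp: a data collection gap, not a detection result.
  { host: 'web04', parentImage: 'w3wp.exe', image: 'cmd.exe', malicious: true },
];

// Print the run when executed directly with node (skipped under an ESM loader).
if (typeof require !== 'undefined' && require.main === module) {
  console.log('gaps:', JSON.stringify(findGaps(SAMPLE_EVENTS)));
  console.log('score:', JSON.stringify(evaluate(SAMPLE_EVENTS)));
}
```

On the sample data the analytic yields one true positive, two true negatives, no false positives and one false negative, plus one event excluded as a collection gap; the false negative and the gap are exactly the feedback the text describes feeding back into steps 1 and 4 on the next pass.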

It is not a hard framework to learn, nor is it overly simplified. But this is a great thing to learn, do, and grow.

Ciao For Now!

Tune in next week, I will give a brief write-up on some cool attacks learned from Security+ and Network+