Friday, April 28, 2023

Security Testing Journal Entry | w/e Friday April 28, 2023


Highlights for the week - Glitches in the software = No $$

An eventful week to say the least. Building off of a harrowing third week in April, this last week featured another bug in a banking app that nearly sent 100% of my retirement money to the IRS as a tax payment. As a courtesy, my tax preparer gave my state tax filing a second look to ensure no glitches in the tax application. Luckily nothing found.
Thankfully, the week ended better than it started. The bank was able to resolve my transfer issue and my state taxes are good. Patiently waiting for my NYS tax reimbursement.
Speaking of patiently waiting, it took a second email to the recruiter to determine the outcome of my application status. As expected, they gave me the "feedback was good, but we went with another candidate" bs, followed by, "if you still want to keep the lines of communication open for ..." yeah! gfys with that noise.

What We Loved

  1. Another dreary week of unemployment, but there was a lot of great learnings happening. Thankfully the bank fixed its issue and I got to move my money over to pay bills.
  2. Some small measure of gratitude is owed to H&R Block for ensuring the quality of my NYS Tax filing is 100%. No issues found.
  3. Applied to NetSPI - Associate Security Consultant - which sounds like a really cool gig.

What We Learned

  1. Network + -- network hardening
  2. Security + -- vulnerabilities; Kali / Ethical Hacking; Live chat - Defending against ransomware
  3. Book -- stuck on Chapter 7 .. so many good ideas; had to split to chapter 8 .. WIP!
  4. Automation -- finally have VSCode working; finish tutorial; do API

What We Longed For

  1. A decent job I actually love! Infosec .. I hear you calling, but I'm not ready yet. Be there soon!

What We Loathed

  1. Recruiters who never follow up. Almost got ghosted!

Saturday, April 22, 2023

Security Testing Journal Entry | w/e Friday April 21, 2023

Highlights for the week - Mercury in Retrograde Edition!

So this week was a bit of a setback. There was a glitch found in the tax calculation software of a service I have been using for the better part of twenty years. We had explicitly decided NOT to have a payment debited from my account, yet the software somehow sent the instruction that it was ok to do so, thus causing an epic overdraft. Several of my bills that were set on autodebit went unpaid. The services had to be unplugged while the matter is resolved. At the moment, I am utterly useless. I don't have an income that could weather the storm, and I don't have savings that would help with the hurt.

Speaking of income, another week in the bag and no contact from the company I interviewed with. Not a "yes" or a "no", just silence. I don't even know anymore! I have friends that have successfully bounced from job to job, no setbacks. Close to 8 months and the doubts are starting to creep in. I need a job, but do I really want QA? Security is still far on the horizon. THIS IS REALLY BAD!!


What We Loved

  1. Friends have reached out regarding the status of the job I interviewed at. They share my strife.
  2. Things at home are way better than a month ago. Small steps, but the missus still cares :)
  3. Sat in on a live Study Group Session with Professor Messer for Security+ which was really cool.

What We Learned

  1. Network+ - Really cool learning on common attacks like Denial-of-service, On-Path Attacks, VLAN Hopping, Password attacks, and more.
  2. Security+ - Fun learning about common attack vectors and threat actors.
  3. Burp Suite - the Cross-site Request Forgery (CSRF) lab required the professional edition. Nothing done.
  4. Automation - a couple of key milestones: Appium finally works on my system, using Java. Next lesson is actually writing a test. The other key milestone is I finished the course for API testing and am working through Load Testing. Learned a new mnemonic for testing APIs which was amazing.
  5. Book - Behind schedule by a little (actually a lot; my goal of 1500 words daily has not been met yet .. why? not making the time). Will need to refocus to once a week, or block an hour.

What We Longed For

  1. Still longing for a paycheck; waiting on closed out Roth-IRA(2) to hit my bank so I can have the rent and bills for May.
  2. Need more time to write
  3. Will probably start a new workout in May

What We Loathed

  1. After a three-week jerk-around, no follow up regarding my application. I have no words!!

Sunday, April 16, 2023

Security Testing Journal Entry | w/e Friday April 14, 2023


Highlights for the week

This post comes a little late, for good reason and part of what went well this week. The majority of time spent was in learning and studying. Definitely need to manage my time a little better. Some days were relegated to single tasks - not a bad thing - at the expense of a few others. Or perhaps, I should learn to quit scheduling so many things per day since two or three things can take up so much of my time. Work in progress.

What We Loved

  1. Hanging out with the family on Friday is always a treasure. Not having a job has been a mixed blessing.
  2. Had a couple of friends check in with my progress regarding the interview. It's what's been keeping me focused.
  3. One of my friends presented a cool opportunity to work voluntarily at a school doing testing things. More on that as details are made known

What We Learned

  1. Network+ - Common Security concepts, which dovetailed nicely with the modules for Security+
  2. Security+ - Common network attacks. Very interesting things.
  3. Burp Suite - Easy to do XSS attacks. A lot more variations than what I had previously known so that was cool.
  4. Automation - Found some time to clean up my python codebase .. which took longer than expected. Learned Unit test in JEST and Performance/Load Testing. Need practice!
  5. Cloud Pen Testing - need to retry CloudGoat. Last week's attempt didn't bear much fruit.
  6. Cult.ure - Finished Chapter 6, but left areas for additional details. Will work on it over the weekend.

What We Longed For

  1. More time, and more money. Need to read more.
  2. A proper mentor. My current isn't working, and a new one I'm hunting down is loose on the structure of what to do. TBD

What We Loathed

  1. It has been 3 weeks since I last touched base with the interview I completed. The impression I'm getting is, "I'm being considered, but they're not convinced." WTF to that!

Friday, April 7, 2023

Security Testing Journal Entry | w/e Friday April 7, 2023


Highlights for the week

Had something of an interesting week. More waiting to know if I am hired, but an even better networking session with Rhino Security Labs learning about Cloud Pen Testing.

What We Loved

  1. As mentioned above, attended a webinar with some key people from Rhino Security Labs. The topic was setting up an environment in Kali Linux and moving through some of the scenarios. After 2 days of harassment with my environment, I got it set up and managed to move through the first scenario. I need to revisit it when time allows.

What We Learned

  1. Network+ - Moved through another module as it pertained to Wireless Networking and ethernet switching
  2. Security+ - Great learning module as it related to common attacks like XSRF, Buffer Overflow, etc.
  3. Automation - Completed the majority of python tests pertaining to the E-comm website. Need to tackle API testing in python and some negative tests in Cypress
  4. Burp Suite - Finished some DOM-based vulnerabilities. They seemed overly easy
  5. "Cult*ure" - In the middle of writing chapter 5, I folded in an adjunct chapter (4 "All Hands") and had to restructure the layout. New chapter tbd

What We Longed For

  1. Still waiting for a few jobs I applied to 3 weeks ago to reach out. Missing $$
  2. Pursuit of certification is on the horizon: Moving through Network+, but SEC+ and OSCP are the real deal

What We Loathed

  1. Not good karma having to bad-mouth the hiring process at this one company, but after several rounds of interviews, and weeks of waiting, no decision has been finalized and the reply gives the impression that they are not convinced even though they state otherwise. If I had other opportunities, I would have ejected long ago.

Saturday, April 1, 2023

Security Testing | Security 4 No0bs - Basic Security Testing with Bug Magnet


Bug Magnet - The best tool a tester can have

What if I told you there's a super-simple tool that is easy to use and requires little to no effort to learn!

And what if I told you, no special downloads, CLI commands, or Kali Linux extensions were necessary!

Look no further .. BUG MAGNET .. is the answer!!

So What Is Bug Magnet?

Bug Magnet is a Chrome extension you can use to test form submission and input sanitization. It is easily the first step in any manual security testing effort. It features an expansive array of positive and negative test cases for a wide variety of input types. Being that this is a security-minded blog post, with a sprinkling of QA, we'll consider a few exploits.

For the purposes of this demo, we are using the practice form here.

Exploit #1 - Buffer Overflow | Goal: Test that form inputs enforce a maximum length, so that oversized submissions cannot corrupt data, crash the program, or reach code that could be made to execute malicious instructions

What is a buffer overflow? The short version: a buffer overflow happens when more data is written into a fixed-size memory region (the buffer) than was allocated for it, so the excess spills into adjacent memory. A web form handled by a managed language will rarely overflow a buffer on its own, but a missing length limit is still a defect: it can truncate or corrupt stored data, exhaust resources, or pass oversized input to a native component that is vulnerable. For more details, visit OWASP | Buffer_Overflow Vulnerability. How to test:

  1. Visit the form and pick one of any inputs shown
  2. Right-Click into the input to open the context menu - look for bug magnet
  3. Select Text Size and either with spaces or without
  4. Once the text has been entered into the input, submit the form and note the outcome: an inline validation message or a 4xx response is the expected result; a 500 error, a stack trace, or a value that was silently truncated on save is a finding
  5. Repeat with another input, or all of them

Exploit #2 - SQL Injection | Goal: Form submissions never reach the database as executable SQL

What is a SQL injection? SQL injection happens when untrusted form input is concatenated into a database query, so that characters in the input (a quote, a semicolon, a comment marker) change the query the database executes instead of being stored as plain text. For more details, visit OWASP | SQL Injection. How to test:

  1. Visit the form and pick one of any inputs shown
  2. Right-Click into the input to open the context menu - look for bug magnet
  3. Select Format Exploits - this opens a tertiary context menu
  4. Select SQL Injection - the first entry in this new context menu
  5. Notice there is a script populating the form - Robert'); DROP TABLE Students;-- - the quote closes the string literal, the parenthesis closes the VALUES list, the semicolon starts a second statement, and the trailing -- comments out whatever the application appends. The table name can be modified to reflect a known table in your project codebase, but only against a system you own or are authorized to test, since the statement is destructive
  6. Submit the form, note the outcome - in a perfect situation, the input is stored or rejected as plain text and nothing else happens (ie, no harm done!). A database error message in the response, a 500 error, or records that changed are findings
  7. Repeat with another input
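To see why step 5's payload is dangerous, and what "no harm done" looks like on the server side, here is an added example in JavaScript. It is not code from the original post or from Bug Magnet. It builds the query text a vulnerable form handler would produce from the Bug Magnet SQL injection payload, the same query with the quote-doubling escape that older code bases use, and the parameterized query a hardened handler would send instead. No database is involved; the statements are only inspected, so it runs offline. The Students table, the name column and the $1 placeholder style are assumptions for the demo.

```javascript
// Added example (not from the original post or from Bug Magnet).
// Shows how the Bug Magnet SQL injection payload behaves in three handlers.
// Table/column names are made up; nothing is sent to a real database.

// Payload exactly as the extension enters it into the form.
const SQLI_PAYLOAD = "Robert'); DROP TABLE Students;--";

// VULNERABLE: the submitted value is spliced straight into the statement.
function buildQueryUnsafe(name) {
  return `INSERT INTO Students (name) VALUES ('${name}')`;
}

// LEGACY MITIGATION: double every single quote so the value cannot close
// the literal. Better than nothing, but it only protects quoted strings.
function escapeLiteral(value) {
  return String(value).replace(/'/g, "''");
}

// PREFERRED: the statement text is fixed and the value travels separately
// as a bound parameter ($1 placeholder, as node-postgres uses). The database
// never parses the value as SQL, whatever characters it contains.
function buildQueryParameterized(name) {
  return { text: "INSERT INTO Students (name) VALUES ($1)", values: [name] };
}

// Count top-level statements in a query string, honouring single-quoted
// literals ('' is an escaped quote) and "--" line comments. A result of two
// or more means the input broke out of the literal.
function countStatements(sql) {
  let inString = false;
  let count = 0;
  let pending = false; // non-blank SQL seen since the last ';'
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (inString) {
      if (c === "'") {
        if (sql[i + 1] === "'") i++; // escaped quote, stay inside the literal
        else inString = false;
      }
      continue;
    }
    if (c === "'") { inString = true; pending = true; continue; }
    if (c === "-" && sql[i + 1] === "-") {
      const nl = sql.indexOf("\n", i); // comment runs to end of line
      if (nl === -1) break;
      i = nl;
      continue;
    }
    if (c === ";") { if (pending) count++; pending = false; continue; }
    if (!/\s/.test(c)) pending = true;
  }
  return pending ? count + 1 : count;
}

// Run all three handlers on one submitted value and report what the
// database would actually receive.
function compare(name) {
  const unsafe = buildQueryUnsafe(name);
  const escaped = buildQueryUnsafe(escapeLiteral(name));
  const bound = buildQueryParameterized(name);
  return {
    unsafe: { sql: unsafe, statements: countStatements(unsafe) },
    escaped: { sql: escaped, statements: countStatements(escaped) },
    bound: { sql: bound.text, statements: countStatements(bound.text), value: bound.values[0] },
  };
}

console.log(JSON.stringify(compare(SQLI_PAYLOAD), null, 2));
```

Running it shows the unsafe handler turning one INSERT into two statements (the second being DROP TABLE), while the escaped and parameterized handlers each send a single statement with the payload kept as data. Parameterization is the fix to reach for; quote-doubling is shown only because it is what you will find in older code.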

Exploit #3 - Javascript Injection | Goal: Form submissions block execution of code by escaping special characters so the input is treated as text

What is a Javascript Injection? A JavaScript injection happens when submitted input is later placed inside a script context (a <script> block or an inline event handler) without encoding, so the browser executes it as code when the page is rendered. The impact ranges from an annoying pop-up alert to script running in the victim's browser with the victim's session. For more details, visit Portswigger | Javascript Injection. How to test:

  1. Visit the form and pick one of any inputs shown
  2. Right-Click into the input to open the context menu - look for bug magnet
  3. Select Format Exploits - this opens a tertiary context menu
  4. Select Javascript Injection - the second entry in this new context menu
  5. Notice there is a script populating the form - alert('Executing JS') --
  6. Submit the form, note the outcome - in a perfect situation, nothing should be observed (ie, no harm done!). An alert box, now or on any page that later displays the value, means the input was executed
  7. Repeat with another input

Exploit #4 - XSS Injection | Goal: Form submissions block execution of code

What is Cross-Site Scripting? Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites and then run in the browsers of other users who view the affected page. For more details, visit OWASP | XSS Injection. How to test:

  1. Visit the form and pick one of any inputs shown
  2. Right-Click into the input to open the context menu - look for bug magnet
  3. Select Format Exploits - this opens a tertiary context menu
  4. Select JS String (XSS) Injection - Single Quote - the third entry in this new context menu
  5. Notice there is a script populating the form; this variant tries to break out of a JavaScript string delimited by single quotes
  6. Submit the form, note the outcome -- nothing should be observed (ie, no harm done!), and the value should come back escaped wherever the site echoes it
  7. Repeat with another input
  8. Repeat the above test scenario with JS String (XSS) Injection - Double Quote, which targets strings delimited by double quotes

Exploit #5 - Broken HTML | Goal: Form escapes any special characters on submission

Broken HTML and HTML Parsing are the mildest of the format exploits provided by Bug Magnet. What these options do is inject simple HTML tags and entities into an input that is not expected to allow such characters (ex: a phone number or email input). If the site echoes the value without escaping it, the page layout breaks or, worse, the tags are rendered, which is the same weakness the XSS payloads above exploit.

  1. Visit the form and pick one of any inputs shown
  2. Right-Click into the input to open the context menu - look for bug magnet
  3. Select Format Exploits - this opens a tertiary context menu
  4. Select HTML Parsing - the fourth entry in this new context menu
  5. Notice that some simple HTML has been entered into the form
  6. Submit the form and check wherever the value is displayed: it should appear as literal text, not as rendered markup, and the page layout should be intact
  7. Repeat with another input
  8. Repeat the above test scenario with the Broken HTML option
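The length check from Exploit #1 and the escaping that Exploits #3, #4 and #5 are all probing for come down to two server-side controls. The following added example in JavaScript, which is not code from the original post or from Bug Magnet, shows a form handler with and without those controls, run against the payloads from this post. Only the JS injection string is the one the post shows; the oversize text, the two XSS strings and the HTML strings are constructed stand-ins for the extension's menu entries, and the "comment" field name and 255-character limit are assumptions.

```javascript
// Added example (not from the original post or from Bug Magnet).
// Two controls the Bug Magnet tests look for: a length limit on submitted
// values and HTML escaping before a value is echoed back into the page.

// Payloads. jsInjection is as shown in the post; the rest are constructed.
const PAYLOADS = {
  textSize: "A".repeat(10000),                      // constructed oversize input
  jsInjection: "alert('Executing JS') --",          // as shown in the post
  xssSingleQuote: "'-alert('Executing JS')-'",     // constructed
  xssDoubleQuote: '"><script>alert(1)</script>',    // constructed
  brokenHtml: "<b>unclosed <i>tags",                // constructed
  htmlParsing: "<!-- --><p>para</p>&amp;",          // constructed
};

// Escape the five characters that let input change HTML structure or
// break out of an attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: echoes the submitted value straight into the page.
function renderUnsafe(field, value) {
  return `<p>${field}: ${value}</p>`;
}

// HARDENED: reject oversize input, escape what is accepted.
function renderSafe(field, value, maxLen = 255) {
  if (typeof value !== "string") return { ok: false, reason: "not a string" };
  if (value.length > maxLen) return { ok: false, reason: `exceeds ${maxLen} characters` };
  return { ok: true, html: `<p>${escapeHtml(field)}: ${escapeHtml(value)}</p>` };
}

// Does the rendered fragment still contain a raw <, >, " or ' that came
// from the submitted value? That is what a reviewer inspects in step 6.
function leaksMarkup(html, field) {
  const body = html.slice(`<p>${field}: `.length, -"</p>".length);
  return /[<>"']/.test(body);
}

// Run every payload through both handlers and summarize the outcome.
function runAll() {
  const results = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    const unsafe = renderUnsafe("comment", payload);
    const safe = renderSafe("comment", payload);
    results[name] = {
      unsafeLeaks: leaksMarkup(unsafe, "comment"),
      safeAccepted: safe.ok,
      safeLeaks: safe.ok ? leaksMarkup(safe.html, "comment") : false,
    };
  }
  return results;
}

console.table(runAll());
```

Every injection payload leaks raw markup through the unsafe handler and none does through the hardened one; the oversize input is the only one the hardened handler rejects outright, which is the validation message step 4 of Exploit #1 expects to see. Note that escaping is context-specific: this example covers HTML body text, and a value placed inside a script block or a URL needs the encoding appropriate to that context.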

Security Testing Journal Entry | w/e Friday March 31, 2023


Highlights for the week

In my last post, I wrote about the state of the job market. A week later, and there's news about more layoffs to come. Seems like the Big Boy tech companies overextended their staffing during lockdown, and the consequence of a failed gamble on continued earnings is a reduction in staff to recoup losses. The recurring theme is profits over people. Loyalty be damned! Oh you think being committed to your job buys you immunity? Nope! You think being a lifer in the ranks keeps you safe from the layoff lotto? Try again!

And don't even get me started on performance. What a joke that is. You can be a rockstar, 10x, "ninja" employee hitting all the top marks. That won't guarantee your job is secure. A Performance Improvement Plan - that's just management's cudgel. Push back in the slightest and you're no longer their darling gold-star employee. Now you're a problem that needs to be dealt with.

But it's not all doom and gloom for this guy! With over 100 jobs applied to in the now 7.5 months of unemployment there is at least 1 job in the final rounds of the interview process.

That being said, there was a lot of other cool things that happened this week. Below are some of what went on:

What Went Well

  1. Network+ - Paused on Networking to complete the Google Cloud learning module.
  2. Security+ - Paused on this as well. In its place were a live Capture The Flag event hosted by Snyk (fun!) and completion of the Mitre ATT&CK suite.
  3. Burp Suite - Completed modules for DOM attacks.
  4. Automation - Python is working again and the work to clear out the board is in progress.
  5. The Book - Completed Chapter-5, Chapter-6 is on deck (have notes, will write).
  6. Personal - Finally got around to cleaning up GMail and Outlook. Now there's the bookmarks and Linked-in "saved items".

What We Learned

  1. "Blue Team" tactics and what to look for regarding the 6-step Mitre process.
  2. How google cloud works and what their services offer.
  3. CTF exercise taught us about the JS "prototype pollution" exploit, as well as a python "pickle" exploit for base64 deserialization.

What We Longed For

  1. A paycheck. The money in my emergency fund is about to run dry in the next few weeks if a job doesn't manifest itself.