Monday, December 18, 2023

Security Testing Journal Entry | w/e Friday December 15, 2023 - "So Meta, So betta" ed.

Highlights for the week

Intentionally late post this week as I wanted to dedicate this entry to a really cool MetaCTF "Capture The Flag" event I participated in over the weekend and wanted to regale you with my tales of woe. I was part of a team from a group of people I met long before. I got some early wins with a few of the CTF tasks I took on. My teammate carried the team. He was phenomenal. While he took the Binary/Reverse Engineering challenges, some of the ones I took included:

  1. Decoded binary with https://cryptii.com/pipes/binary-decoder
  2. Find IP for given web domain - I used ping
  3. Find hash used for given value - $2y identifies this as Blowfish/bcrypt (see https://unix.stackexchange.com/questions/430141/how-to-find-the-hashing-algorithm-used-to-hash-passwords)
  4. “Captured in Transit” - find Flag in PCAP file {A fun one with Wireshark, filter by HTTP}
  5. “Magically Mathematical” - web exploit {I struggled with this one, but it wasn't hard}
  6. “Validation” - XML injection {I knew it was an XXE Vulnerability, but I couldn't get it to work. My teammate did}
  7. “Racer ….” - modifying the cart to add money and buy item {I knew the solution was to modify the payload, but it didn't work for me}
  8. “WAF” - trying to find the FLAG for a site that is protected
  9. “Connecting to remote network (hops)” {this one was fun}
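
The `$2y` prefix in item 3 is the PHP crypt() identifier for bcrypt (the other bcrypt identifiers are `$2a`, `$2b` and `$2x`), and the same prefix trick covers most modular-crypt formats. The script below is an added example written for this post, not code from the CTF or its organisers: it classifies a hash string by its prefix (parsing the bcrypt cost factor and checking the fixed 60-character shape), falls back to a length-based guess for bare hex digests, and checks a candidate password against an unsalted hex digest with hashlib. All sample hashes are constructed for illustration; the bcrypt sample is a syntactically valid string, not a hash from the event.

```python
import hashlib
import hmac
import re

# Modular-crypt / PHC-style identifiers, checked by prefix. Longer prefixes
# must precede shorter ones that they start with (e.g. $argon2id$ before $argon2i$).
PREFIXES = [
    ("$2a$", "bcrypt"),              # original OpenBSD identifier
    ("$2b$", "bcrypt"),              # OpenBSD revision after the 2014 length bug
    ("$2x$", "bcrypt"),              # PHP's marker for hashes made by its buggy $2a$
    ("$2y$", "bcrypt"),              # PHP crypt() identifier, as seen in the CTF task
    ("$1$", "md5crypt"),
    ("$5$", "sha256crypt"),
    ("$6$", "sha512crypt"),
    ("$7$", "scrypt"),
    ("$y$", "yescrypt"),
    ("$argon2id$", "argon2id"),
    ("$argon2i$", "argon2i"),
    ("$argon2d$", "argon2d"),
    ("$pbkdf2-sha256$", "pbkdf2-sha256"),
    ("{SSHA}", "ldap-ssha"),
    ("{SHA}", "ldap-sha"),
]

# bcrypt strings are exactly 60 chars: "$2?$" + 2-digit cost + "$" + 22 salt + 31 hash.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Bare hex digests carry no prefix; length is the only hint, and it is ambiguous
# (32 hex chars is MD5 but also NTLM/MD4, 64 is SHA-256 but also many others).
HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 96: "sha384", 128: "sha512"}


def identify_hash(value: str) -> dict:
    """Best-effort classification of a password hash by its prefix/shape.

    Returns {"algo": name, "cost": int|None, "confident": bool}; "confident"
    is True only when a format identifier was present, not for length guesses.
    """
    value = value.strip()
    for prefix, name in PREFIXES:
        if value.startswith(prefix):
            if name == "bcrypt":
                m = BCRYPT_RE.match(value)
                if not m:
                    return {"algo": "bcrypt (malformed)", "cost": None, "confident": False}
                return {"algo": "bcrypt", "cost": int(m.group(1)), "confident": True}
            return {"algo": name, "cost": None, "confident": True}
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HEX_LENGTHS:
        return {"algo": HEX_LENGTHS[len(value)], "cost": None, "confident": False}
    return {"algo": "unknown", "cost": None, "confident": False}


def verify_unsalted(hex_digest: str, candidate: str):
    """Test a candidate password against an unsalted hex digest.

    Tries every hashlib algorithm whose output length matches, so an MD5-vs-NTLM
    style ambiguity is resolved by the check rather than by the guess.
    Returns the matching algorithm name, or None.
    """
    hex_digest = hex_digest.strip().lower()
    for algo in ("md5", "sha1", "sha256", "sha384", "sha512"):
        digest = hashlib.new(algo, candidate.encode()).hexdigest()
        if len(digest) == len(hex_digest) and hmac.compare_digest(digest, hex_digest):
            return algo
    return None


# Constructed samples for this example (not from the CTF). The bcrypt string has
# the right shape and cost field; the hex digests are of the string "password".
SAMPLE_BCRYPT = "$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"
SAMPLE_SHA512CRYPT = "$6$rounds=5000$saltsalt$notarealhashbodyjustaprefixdemo"
SAMPLE_MD5 = "5f4dcc3b5aa765d61d8327deb882cf99"
SAMPLE_SHA1 = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"

if __name__ == "__main__":
    for sample in (SAMPLE_BCRYPT, SAMPLE_SHA512CRYPT, SAMPLE_MD5, SAMPLE_SHA1):
        print(f"{sample[:24]:<26} -> {identify_hash(sample)}")
    print("md5 sample is 'password':", verify_unsalted(SAMPLE_MD5, "password"))
```

Note that the prefix only tells you the algorithm, not the cost of attacking it: a bcrypt hash at cost 10 takes thousands of times longer per guess than the unsalted MD5 digest, so in a CTF the prefix also tells you whether a wordlist attack is realistic in the time available.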

Overall, this was a great CTF experience compared to last time. The challenges were less intimidating. The buzzkill was the performance issues with some of the servers, making access to the challenges involving them all but impossible. 9/10 would recommend.

What We Loved

  1. CTF challenge was a highlight
  2. Going on another cruise for x-mas vacation

What We Learned

  1. Part of the CTF challenges meant learning some fun concepts. As always, when in doubt - google it.
  2. ISC(2) - Still moving through the modules
  3. Burp Suite - Finishing the modules on Access Control Vulns. Along with the Business Logic, these were super relevant.
  4. PW w. JS - Finished Adding API tests for basic features + Security. Moving along quite nicely through E2E flows.
  5. Cult.ure - Added notes, but fell behind on writing .. sorry!
  6. Husb - continued with 'Judicio', need to wrap that up

What We Longed For

  1. As always, a job and a paycheck.

What We Loathed

  1. Recruiter ghosting. But then I've become indifferent to the whole thing.

Friday, December 8, 2023

Security Testing Journal Entry | w/e Friday December 8, 2023 - "Ghosts Everywhere" ed.


Highlights for the week

Some peculiar highlights this week as the prime focus was on API testing (automation, performance, security). Hacking (dare I call it that) is a beautiful art. The discipline fascinates me the more I learn. Non sequitur: I didn't get much writing done this week. The other tasks were a bit more time consuming than I wanted.

What We Loved

  1. This time last week, I had a brilliant idea for Cult.ure - wrote it down for future use.
  2. Since my friend turned me on to "The Secret", I've been feeling a lot more positive about things. My dream job is coming

What We Learned

  1. Coursera - Finished (mentioned last week)
  2. ISC(2) - Week-4 Module on Network Security will be broken up into two parts ... it's huge!
  3. Burp Suite - Double-duty with API testing and Web App. Vulnerabilities as it pertains to Business logic flows.
  4. Automation - Huge Wins this week pertaining to Playwright w. Javascript. API Testing + API Security Tests for the win!!
  5. Cult.ure - Paused. Need to get back into it this weekend.
  6. Pen Testing - As promised, started a cursory PT with the same site I'm conducting automation (FE/API) tests on. Work in progress!

What We Longed For

  1. A Job ... as always

What We Loathed

  1. Ghosting candidates ... this sh@#$% has got to go! People are dependent on others for work and when the agent that handles that can't follow up .. ugh!

Sunday, December 3, 2023

Security Testing Journal Entry | w/e Friday December 2, 2023 - "Goals Set vs. Goals Met" ed.


Highlights for the week

Going to pivot away from the usual format to review my goals set vs goals met to close out the month.

  1. GOAL SET: Finished Coursera - Module 1. GOAL MET: Yes. There are 8 more modules .. unsure if I plan to keep it going.
  2. GOAL SET: ISC(2) - Chapter 3. GOAL MET: Yes. On deck - Chapter 4 - Network Security
  3. GOAL SET: Burp Suite Cert Labs. GOAL MET: No. I am progressing through the module for "Business Logic Vulns." super relevant!!
  4. GOAL SET: Practice Pytest. GOAL MET: No. Pivoted to Playwright with Javascript .. so much fun.
  5. GOAL SET: Pen Test Practice. GOAL MET: In Progress. Parallel Security testing along with PW/JS Automation Practice, applying the "Bus. Logic Vulns." from Burp Suite.
  6. GOAL SET: Cult.ure - Chapter-29. GOAL MET: Yes. The story is evolving really nicely. Found a couple of spinoffs, trying to rein the story in to stay in scope.
  7. GOAL SET: Job Follow Up. GOAL MET: Yes. Recruiter failed to respond. No new prospects. Planning to dial back the search.