
In the old world there was often a divide between developers, security and operations working in their own silos. This is not an effective approach that can result in a wall of confusion.


By embracing DevSecOps we can break down barriers between engineering, security and privacy teams; GoCardless is leveraging the Center for Internet Security (CIS) benchmarks to build a shared understanding and approach across these teams.

Why did we adopt CIS benchmarks? 📚

The CIS benchmarks are best-practice guides for the secure configuration of a target system that do not rely on third-party commercial solutions. AWS, Google, Microsoft and IBM as cloud providers assess…


Continuing on in my series of write-ups of the RingZer0Team challenges, it is time for my next instalment on SQL injection. I have previously written about Using CTF’s to learn and keep sharp, Javascript RingZer0Team CTF challenges and RingZer0Team SQLi Part 1.

SQLi

In this post I outline more of the SQL challenges I have completed and the rabbit holes it took me into along the way as the challenges get increasingly difficult.

For those who have found this as my first story: I have set myself the challenge of writing up the details of each challenge that I…


After a frustrating evening trying to set up an Ubuntu 20.04 VM and being unable to upgrade any packages, I had to dig into the detail of what the issue was.

TL;DR The issue turned out to be a conflict with Windows Subsystem for Linux (WSL), which uses Hyper-V behind the scenes. The solution is either to remove the Windows virtualisation platform or to configure VMs to use Hyper-V in VirtualBox.

The issue was that running apt update failed with hash sum mismatches. …


This year’s 44Con CTF was based on a Blade Runner theme and was built by Cody from HackerOne education. He did a great job building it, and it was certainly one of the highlights of the conference for me.

44Con CTF

It all starts with the registration portal on IP 34.89.17.97. The first step is to enumerate the service so that you can register and access the challenges.

A quick nmap run first brought up an error, as ping responses were disabled, so a quick scan reveals the open services:

nmap -sT -Pn 34.89.17.97

Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-12 12:54 BST
Nmap…


For those of you who enjoy CTFs, here are a few tips on how you can go about testing non-HTTP network services.

There are plenty of different services out there to test, and this is by no means an exhaustive tutorial, but it gives you a few tips to get started testing non-HTTP-based services.

So how could we approach attacking these services?

In CTF challenges where you are given the binary, it can make life a lot easier, as you can decompile the software to understand its structure and how the binary operates.

Initially you may start with:

  • running strings to identify readable text within the…


Fortunately I have a ticket for BSidesLDN already, but I wanted to have a play with the CTF. I haven’t used the Immersive Labs platform before and thought it a good opportunity to try it out too.

https://www.immersivelabs.com is designed to be a cyber range to learn and practise skills in a controlled environment. The challenge for BSides was based around a WordPress installation on an Ubuntu LTS machine. A fairly typical configuration.

The Immersive Labs platform is intuitive to use; however, I found that the labs wouldn’t launch when viewing from Kali. This is my only minor gripe. …


During testing of the Cisco Nexus 7000 series switch I identified a high-impact (CVSS 8.8) vulnerability within the OS, which also formed the basis of my talk at BSides Manchester.

Note that the views are my own and don’t represent my employer.

TL;DR

I identified a vulnerability in the Cisco NX-OS data centre switch range that, as executed, scores CVSS 8.8 against the Cisco NX-OS data centre switches.

I worked with Cisco between Feb and Oct 2017 to get the vulnerabilities resolved and followed a coordinated disclosure approach. However, Cisco has decided that the vulnerabilities identified are not…


I have been Using CTF’s to learn and keep sharp for a while and, continuing on in my series of write-ups of the RingZer0Team challenges, it is time for an installment on SQL injection. I have previously written about the Javascript RingZer0Team CTF challenges.

SQLi

I have set myself the challenge of writing up the details of each challenge that I solve as a reminder to myself, as a reference and as a resource to help others on their CTF journeys. …



This is the second in my gradual series of write-ups on CTFs as I complete them. I previously wrote about using CTF’s to stay sharp, and this is the next installment in my progress; it focuses on some of the JavaScript challenges I have completed.

1. Client side validation is bad!

On this challenge, JS validation is used to check that the password is correct before submission. Everyone should know that client-side validation is a poor approach.

The password is stored as a set of char codes. It is simply a case of converting these char codes to extract the password, and since the…

Greg

Security addict, 17+ years in industry making systems more secure and finding those that aren’t
