Apps and websites often need to allow users to upload files for various reasons. Sometimes users need to upload arbitrary files, such as on file bin services like S3, but most of the time, a service is expecting a specific type of file. Your bank might want a photo of your passport for KYC purposes, TikTok expects a video and so on. Unrestricted file uploads create risks for web applications, including complete system takeover, forwarding attacks to back-end systems or client-side attacks. Uploaded files can cause serious problems.

In cases where a service is expecting a specific kind of file…

So you’ve been given a web app to pentest. Maybe it’s a banking app or a document workflow system. Either way, you need to make sure it’s done safely. Modern web applications have a large attack surface, and testing everything by hand is inefficient. That’s where fuzzers come in handy. Fuzzers allow you to generate new inputs based on a seed and pass them to a program. Fuzzing can quickly show areas that are worth further examination.

I’m going to walk you through finding bugs in the Damn Vulnerable Web App (DVWA) with HTTPfuzz, but you can apply this steps…

If you’ve been reading my blog since the start, you’ll remember Judas, the pluggable open-source phishing proxy. I wrote Judas to prove a point on an engagement once, and unfortunately neglected it afterwards. (Side note: Go’s comprehensive standard library makes it easy to toss together a proof of concept on an engagement). I’ve had a lot more time to write code in lockdown so I decided to show Judas some love.

What is Judas?

Judas is a reverse proxy for red team phishing engagements based on Go’s httputil.ReverseProxy. …

We’ve all heard about algorithmic trading in the news. It sounds great! You think of a program making money for you while you sip Mai Tais and smoke the finest ganja on the beach in Jamaica. I’m going to show you how you can do it yourself with TD Ameritrade and a laptop.

Before we start, you need to know that great reward comes with great risk. Don’t do this with money you’re not willing to lose.

Sunrise in St. Elizabeth, Jamaica. One of the best places in the world to spend your trading profits.

Getting API Keys

The first thing you’ll need is a TD Ameritrade account. You don’t need to be a US citizen to get an account, and…

Smartphones have become an extension of our bodies. We use mobile apps for everything from sending money to shooting movies, but for the most part, apps are black boxes. On Android, apps can request information about installed apps and their components from the PackageManager. You can see what an Android app is made of using APK Explorer.

Discover Hidden Apps

Every Android version comes with Easter Eggs, hidden apps that are interesting to some enthusiasts. APK Explorer makes finding Easter Eggs easy, by displaying them in the list of apps instead of having to search through random tap combinations in the Android UI.

Opening the hidden Android Easter Egg app that came with my Galaxy S8.

Learn How Apps Work

I’ve been experimenting with Wireguard as a VPN to protect my internet traffic from local snoopers and communicate between all my devices as if they were on the same network.

SSHing into an Ubuntu 20.04 Thinkpad on my home network via the VPN.

Wireguard was designed with mobile devices in mind. It uses battery-friendly cryptography and the protocol can handle endpoints that change IP address seamlessly. It is ideal for exposing local development servers on my laptop to my iPhone, but deploying configuration to a device is a manual and time-consuming process.

WireguardHTTPS is a Wireguard access server written in Go that allows users to log in with Azure AD and manage access…

The cloak and dagger attack exploits a combination of drawing over other apps and the high level of access to other apps given to accessibility services on Android. It is a simple yet effective technique being exploited in the wild today by cybercriminals.

No, not like that

How it works

The cloak and dagger attack takes advantage of two Android permissions:


The Cloak

SYSTEM_ALERT_WINDOW is used to draw over other Android apps. If an app installed from the Play Store requests this permission in its AndroidManifest.xml file, it will automatically be granted by the system. This forms the first building block of the…

Your target has an Android application and you want to walk through their API to check for server-side vulnerabilities. You configure the emulator to use Burp Suite as a proxy and begin using the app.

Using the Android emulator with a proxy.

Suddenly, the app stops working. Nothing shows in Burp and no HTTPS requests work. The developers have implemented SSL pinning and your phony certificate has been detected. Fortunately, SSL pinning can be disabled if you’re willing to get your hands dirty.

Decompiling the App

First, you need to decompile the app. Apktool works great for this, and it’s available on all…

Postman is an excellent API testing tool for developers, QA testers and penetration testers. Its UI allows you to easily send HTTP requests and see responses, but it’s also a great automation tool.

Getting stock prices from Alpha Vantage with Postman

Postman allows you to write chai.js tests in Javascript that will run after each response and let you make assertions about the response body. These tests can also be run headlessly with Newman and added to your build pipeline, but I’ll talk more about that later.

The Postman test Sandbox contains several useful libraries, functions and objects for testing. …

In the last post, Judas got SOCKS proxy and SSL support to make the proxy sneakier, but all the proxy can do is dump the requests and responses to the console. What if the red teamer wants to send the requests to a logging REST API? Luckily, Go can help with its plugin standard library package.

Designing the plugin architecture and lifecycle

To make plugins work, we first need to define a contract for plugins to implement. Plugins may need to do some kind of setup, like reading configuration from command line flags, and they will need to process each HTTP request-response transaction.

Plugins simply…

Jonathan Cooper

I’m a cybersecurity consultant who develops software. I help agile teams deliver secure digital experiences to their customers.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store