Cloud Services Enumeration – AWS, Azure and GCP

October 28, 2019

TL;DR: We have built cloud enumeration scripts, now available at https://github.com/NotSoSecure/cloud-service-enum/. These scripts allow pentesters to validate which cloud tokens (API keys, OAuth tokens and more) can access which cloud services. As cloud environments become increasingly popular, we are seeing a rise in their use in production. From…

Identifying & Exploiting Leaked Azure Storage Keys

October 3, 2019

In this blog, Sunil Yadav, our lead trainer for the “Advanced Web Hacking” training class, discusses a case study of remote code execution via Azure Storage when an Azure Function deployment is configured to run from a Storage Account using the WEBSITE_CONTENTSHARE app setting. TL;DR Access Leaked Storage Account’s Access Key Connect…

Achieving DevSecOps using AWS Cloud Native Services

July 3, 2019

In our previous article, Achieving DevSecOps using Open-Source Tools, we explored what “DevSecOps” really means and how it can be achieved using simple open-source tools integrated into an existing DevOps pipeline orchestrated with Jenkins and deployed on Docker in an ad hoc on-premises architecture. In this article, Rohit Salecha and…

Exploiting ViewState Deserialization using Blacklist3r and YSoSerial.Net

June 13, 2019

In this blog post, Sanjay walks through various test cases for exploiting ASP.NET ViewState deserialization using Blacklist3r and YSoSerial.Net. Blacklist3r is used to identify whether an application uses pre-shared (pre-published) machine keys for the encryption and signing of the forms authentication cookie, ViewState, etc. We discussed an interesting case of pre-published…

Achieving DevSecOps with Open-Source Tools

April 23, 2019

Today, DevOps is enabling organisations to deploy changes to production environments at blazing speed. A typical DevOps process flows through the following stages. A developer writes code using a development environment of their choice and pushes it to a central source code repository. The code is merged into a central…