Insights
Opinionated writing about real-world application security and alert fatigue.
Featured
Why Most Security Findings Are Misunderstood
In the previous post, we saw how many security tools can “lie”: they don’t tell the full story, generate noise, and often leave teams with a false sense of security. But what happens after a vulnerability is reported? The story doesn’t get any better: most findings are misunderstood.
January 2026
Why most security tools are lying to you
We live in a world where developers and security teams are drowning in alerts. Every scanner, every automated tool, every “security dashboard” promises to tell you what matters—but in reality, most of it is noise.
January 2026
All posts
Aggregating Semgrep Results: Top Rules, Files, and Clusters (MVP Demo)
Introduction
A tale of a restricted charset shellcode generation
During my OSCE exam preparation I had to deal with a shellcode writing experience where very few allowed characters were available.
Create your own telemetry system
In order to monitor dawnscanner security scanner usage, I introduced a telemetry system in the upcoming version 2.0.0.
How an exercise eventually becomes my first public exploit
A couple of days ago, I was working on my exploit-writing routine as preparation for my upcoming OSCE examination.
Backflip into the stack
During my OSCE journey I came across an interesting technique to jump backwards into the very beginning of the buffer injected on the vulnerable process.
A closer look at msf-egghunter
Egghunting is a technique used in exploit writing to deal with evil shellcode that has to be placed in a memory location different from the one we are redirected to via an EIP overwrite, SEH hijack or other means.
Digging into Vulnserver: fuzzing it
Vulnserver is a Win32 application built to simulate a TCP/IP server listening on port 9999 and accepting commands from unauthenticated clients.
Getting root: Matrix
It was last year when I received the email saying I passed the Penetration testing with Kali Linux course and eventually I became an OSCP guy.
How to calculate your network address in CIDR notation
Sometimes I need to quickly nmap the network right after plugging in the cable. Since I'm lazy I created a simple bash script to calculate the network address in CIDR notation, starting from ifconfig output.
The shellerate project: yet another framework for shellcode generation
Last summer, as I wrote on Codice Insicuro, my Italian blog about cybersecurity and related topics, I took the x86 Assembly Language and Shellcoding on Linux course and related certification.
A Cracking the Perimeter journey: 1 - My Own lab
During these days I'm spending in the mountains with my family, I'm studying modules 3 and 4, about backdooring executables with custom payloads and evading anti-viruses based on signature detection.
A Cracking the Perimeter journey: 0 - the beginning
In 2018 I refreshed my offensive security skills, attending the “Penetration test with Kali” course with the OSCP certification.
Hello world... again
It was 2014 when I wrote the last post on armoredcode.com. It was about Ruby patching Wednesday and tons of stuff have changed in my life since then.
Rails patching Wednesday
The past weeks were busy for the Ruby on Rails core team and appsec people looking at the framework's security. Yesterday, core Rails member Aaron Patterson announced three Ruby on Rails security issues affecting the latest versions and obviously all the web applications out there built on the affected versions.
How to wrap a long text to fit your terminal width in ruby
Today I was working on a new tabular output for Codesake::Dawn and I faced a problem. Vulnerabilities have very long descriptions that break all the formatting, resulting in something unreadable.
Every bug has a sad, sad song
It was a busy month. Web sites out there are still attacked by villains and the first Codesake::Dawn major release was out this week. That's why I haven't posted anything since last December.
Updates from the Ruby security world: 6 new vulnerabilities as X'mas gift
Wow, last week was very busy in the ruby security announcement discussion group. A bunch of six new vulnerabilities were announced and most of them are cross site scripting issues. This is bad for a problem that has been floating around those places for more than a decade.
Ruby and omniauth-facebook gem security issues this week
A couple of days ago, on the Italian Ruby mailing list, Paolo Montrasio reported two security issues that occurred in the ruby world.
Let the sake for code to flow
UPDATE: By mistake, this post appeared today on armoredcode.com without the text. The reason is that I created a placeholder to remind me to work on this.
How to generate bruteforce friendly strings
It finally happened. You discovered that your favourite online store website has a REST API to suggest usernames. It's a common pattern to allow the user registration form to suggest alternative usernames when the chosen one is already taken. This feature is so user-friendly, so useful, that almost every project manager or sales representative will fight to have it online.
We need a standard that eventually we won't follow
Tomorrow I'll deliver a talk @SMAU, an Italian ICT… I don't know how to describe it… maybe "expo" can be a good word. It's not a technical conference; well, in Italy we don't have a proper culture of having fun and interesting technical conferences. A decade ago it was a broader event open to customers and the main goal for visitors was to collect gadgets.
Create random keys in Ruby using SecureRandom
Yesterday a friend of mine asked about truly random number generation in Java and what my thoughts are about the Random and SecureRandom classes. Of course I told him to use ESAPI calls since they are supposed to be robust and well designed.
Fingerprint phpbb forum platform
phpbb is a popular forum platform written in php. In the past it suffered from tons and tons of security issues.
Solid as diamond talk in Fiera della tecnologia ICT fair
Today I delivered the “Solid as Diamond: use ruby in a web application penetration test” talk in the Fiera della tecnologia ICT fair in Milan, Italy.
Now I'm on blogloving
Even security and technical blogs need some advertising in order to get more traction. That's why now you can follow my blog with Bloglovin.
How to crawl web.xml with ruby to discover servlet urls for a pentest
Something very boring that happens in a web application penetration test is reaching URLs that are not referenced in other pages.
Tales from a login page: exploit the form
Last time we introduced the login form as seen from the attacker's perspective.
Tales from a login page: intro
During 2013 a lot of websites were defaced. Attackers mostly use SQL-injection-vulnerable pages to steal data, execute arbitrary commands or do some nasty things common people can't understand.
Create a quick and dirty web crawler with ruby
A couple of days ago, I was starting a new security activity over a website I had never seen before. If you remember a post from last year, the first task is to crawl the website looking for interesting pages.
How to quote a code review
A premise: I don't trust Gantt charts and fancy IT project managers' documents where every project step fits in a perfect order without dealing with the unpredictable.
When the vulnerability is not the vulnerability itself
In an ideal world, all projects have good management. Projects need strong decisions and a clear plan that enable people to build something; this is true for a bridge, a house and even for software.
Create a bot engine in Ruby: the botolo project
There are a lot of tutorials for creating bots in several programming languages and for a lot of web applications.
The Owasp European Tour 2013 hits Italy: 27-28 June 2013
Owasp started an awareness tour this Summer in the most important cities across Europe.
Do you trust your vulnerability assessment?
Web applications rely on servers to bring services to users. You read this blog and you take your web application security very seriously. Maybe you also have web application firewalls in front of it to face off first-time attackers.
Codesake Dawn: the new security source code scanner for ruby
Prologue
It was a dark and stormy night back in 2006 when I started the Owasp Orizon project, to which I dedicated an ad hoc story on this blog back in November 2012.
Railsberry chronicles: day 2 - The English penetration test (eventually the day I talked to 450+ outstanding developers)
Finally the day I gave the talk has arrived and it's gone. Going on stage in front of more than 450 talented developers was an astonishing experience. It drove me crazy. My spoken English has limits of its own, but in front of such a crowd I seemed to be a scared 4-year-old child.
Railsberry chronicles: day 1 - The unerdware experiment
Today was the first day of the Railsberry event. The initial keynote by Chad Fowler was truly inspiring.
Railsberry chronicles: day 0 - the trip
I’m too tired, even for rest.
I don't care if app is unsecure, it's friday I'm in love
A month ago I opened a "one question only" survey on SurveyMonkey.
Being nervous and anxious before a talk
It happens every time I have to deliver a talk. Some days before, my anxiety-meter goes off the scale.
Untold: nobody will make a cinema story over this blog and I'm fine
Julie Powell is an American writer who created a blog back in 2002. She wrote about an American woman who lived in Paris in 1949-or-something and revolutionized the American cooking scene by writing a book (in English) about nouvelle cuisine.
Happy birthday armoredcode and 4 rails advisories
It was a year ago when I started the armoredcode.com project.
Creating awareness in a hostile environment
With a colleague we were wondering how difficult it is to create an application security awareness climate in big corporate development teams. Please bear in mind that since I'm working in Italy my experience is very much limited to my country. If you have different stories to tell, please drop them in this post's comments area and share them.
Ruby on Rails cheatsheet: the review
Jim Manico is a friend and a renowned security professional. He announced on the Owasp mailing list that a Ruby on Rails cheatsheet is available.
Exploiting SSH weak passwords the ruby way
Even before you start writing complex input filters to manage your users' input, you must care about the passwords you use on your servers. If they are poor, no application security on Earth will save you from a break-in.
Is Vulnerability Management a buzz word?
Some days ago, on a Facebook.com group about Italian startups, a smart guy said he had a breakthrough product he is going to develop: a cloud based solution to store people's sensitive health-related information.
Defending yourself is not a crime
When I wrote last week's post incipit, I wasn't aware I was going to make a prophecy about 2013 and application security.
CVE-2012-5664: Sql Injection on Rails... again
2013 looks promising for application security. Two days ago Aaron Patterson, a Rails core member, announced a SQL Injection vulnerability in the ActiveRecord ORM included in the Rails framework.
codesake engine and two weeks of BDD development
Two weeks ago, I posted an article about a real world source code security review. Using regular expressions I was able to spot interesting things in the JSP files I was reviewing. The client was happy. My workflow was smooth.
Bypassing HTTP Basic Authentication in PHP application nominated as hacking technique for 2012
Authentication is a cool topic in application security research nowadays. Last April I posted about real world security assessment activities over a PHP-powered portal of a friend of mine.
Driven by real world task: code reviewing JSP using regular expressions
Nothing but solving a real world problem can help push a piece of software to evolve.
Use the Nexpose API to automate report generation and download
In a previous post I talked about the Rapid7 Nexpose vulnerability assessment tool and how you can write some ruby code to search for a server by IP address.
Crafting an authentication subsystem that rocks for your Padrino application with Omniauth
Next time you point your browser to a /login URL, wait a minute before submitting your credentials. There is a complex system you're going to use when you submit that form and it must be honored in some way.
Untold: Owasp Orizon is dead and I'm sad about it
In 2006 I started an ambitious project, an opensource SAST engine built in Java that I called Owasp Orizon.
The fragile Internet
It was yesterday's news that Anonymous and other crackers' crews attacked and defaced a large number of corporate websites.
Border line between marketing and security features
Making a web application penetration test is becoming tricky due to modern browsers' native anti-XSS filtering facilities (they only work for reflected cross site scripting).
The hidden pitfalls in automatic source code review
Disclaimer: this is an in-depth post about pitfalls in security code reviews. A codesake.com-focused post is available on the codesake.com blog.
Adding basic authentication support to wpscan
wpscan is an opensource tool designed to make assessments of WordPress installations.
Are web agencies the new security threats in 2013?
An economic crisis started 4 years ago and this eventually changed how people engage contractors to develop code.
Parsing CVSS vector and publishing as API
Last July I wrote a post about having fun with the Grape framework to build powerful APIs.
Pony and the empty emails bug
There was an annoying bug affecting the internal application security self-service platform I deployed at my company. When a user makes a request, the notification email is sent with an empty body.
CFP open for next Owasp Italy Day 2012
Next 23rd November, in the beautiful location of Università La Sapienza in Rome, the 6th Owasp Day will be held.
The first and last post about codesake.com
Today I launched a first minimal website for codesake.com. The website is very minimal and just a subscribe-to-beta-program web form is present on the homepage.
When you realize you're doing threat modeling
Yesterday I was in a meeting for an appsec activity about a legacy PHP web application. In front of me were a couple of experienced developers with an in-depth knowledge of their code and their architecture (and sometimes this is the good news of the day).
Between pentesting and entrepreneurship
Yesterday I was driving back home on my scooter. It's a 40-minute-long trip and while surfing back and forth across crazy cars not respecting speed limits I get a lot of time to think.
They are tracking you - pt.1
Cookies are often used by companies to store information client-side to track people on their websites.
Enabling related post on octopress and Mac OS X
Octopress is a powerful framework built over Jekyll to create static websites. I used Octopress for armoredcode.com too. All posts are written in vim using Markdown, with some JavaScript to integrate with Disqus for comments, GitHub or Twitter.
Create a highlight octopress plugin
Suppose you're writing something very important, and something less important that won't make you win the Turing award. And after a while, you write another piece of text that you really want to highlight.
Lovely tips: string starting with a pattern and timeframe duration like gents
Life is too short to change framework or to learn a new programming language only because there is no shortcut to print out whether a string starts with a given pattern.
Use the Nexpose API to add a search by IP functionality in your tools
It's one of my recurrent thoughts. Tools must expose an API allowing people to customize the tool behaviour to fit their needs. Nexpose is a commercial tool for vulnerability assessment exposing an API and I'm happy about it.
armorize your rack stacktrace for debug purposes
Bugs? They happen. No one on Earth is smart enough to write a 100% bug free piece of code. No matter how good you are, your users will still try to use your forms in unpredictable ways, making your app fail miserably.
Anti aliasing in ruby attribute assignment and a TDD session
For a week now I've been on vacation at Guardavalle Marina, in the very south of Italy. Here I'm relaxing and trying to fix up some tools I use as an application security specialist at work.
5 excuses you won't tell yourself for not practicing TDD
The IT world is a complex world. There are a lot of different people having their own vision of the world, each of them with their own respectable opinion about how to write great software.
Build an API for fun with Grape
I always dreamt about an API powered website for the armoredcode community. I do think that every website should publish some sort of API to use its services.
Penetration testing with ruby: fingerprinting your target
For my birthday last June, my wife bought me a Kindle Touch.
Fingerprinting CMSes under the moonlight
Yesterday I was surfing the web for inspiration to redesign the armoredcode.com layout and I was digging into some web design template websites.
Which is the most secure programming language ever?
Sometimes I am asked which is the most secure programming language to use in real web applications.
Testing your cookie's attributes for insecurities using ruby
Session cookies are a swiss army knife for every developer to keep track of user session requests. They need, however, to be designed with security in mind since they can be used by an attacker to claim an authenticated session.
Some security tips for ruby hackers: leveraging the attack surface: part 2
In the first part of this overview about web application perimeter reconnaissance we stopped at using ciphersurfer to check for SSL certificate weaknesses.
What I learnt from Italian RubyDay
Today I attended the Italian RubyDay with a talk about application security. More in detail, the talk was about how to use ruby to automate some security tests as described in the Owasp Testing Guide.
Some security tips for ruby hackers: leveraging the attack surface. Part 1.
In the first episode I introduced the security checks I’d like to talk about at the talk I have to give next Friday.
Some security tips for ruby hackers: prelude
Next Friday I'll give a talk about using ruby and gems to quickly test a webapp for security issues.
LeakedIN and the salt and pepper sauce
Two days ago, the Internet was squashed by a very large sensitive data breach. More than 6.4M password hashes coming from LinkedIn were published by an unknown attacker crew, exposing a large number of users to a credentials disclosure.
CVE-2012-2661: SqlInjection on Rails
A SQL Injection was discovered in ActiveRecord, Rails' default ORM framework. Let's talk about the vulnerability, the patch and other mitigation stuff.
Am I the sandman?
The work of an application security specialist is to tell people how to improve their app or their overall system configuration from the security point of view.
Ghost in the shell: an exploit attempt examined
Yesterday I traced on my VPS running this blog an attack attempt against a wordpress plugin.
H@W #2 - Matteo Parmi: ruby hacker and opensource enthusiast
Hi guys, the second Hackers @ Work interview is with Matteo Parmi.
Using design by contract and TDD to enforce security: the coat project
A small recap
Is Design by contract the solution for safe coding?
A long time ago, in a University far away…
H@W #1 - Simon Bennetts: Owasp Zap Project leader
The perfect mixin: a developer becoming an appsec specialist
Open the code or review it: Oracle CVE-2012-1675
I’m fine with Oracle, but…
New monothematic posts serie: Hackers @ Work
Intro
Bypassing HTTP Basic Authentication in PHP applications
Basic authentication doesn’t work
H4F - invisible proxy... casper gem
Ruby is a great language for hackers and security researchers too. Of course you can build amazing web applications using Rails or Sinatra or even the Padrino framework. You can also build great tools using sophisticated APIs that make it very easy to craft HTTP requests, to intercept traffic, to run regular expressions or even to build a transparent proxy in very few lines of code.
Understand your risk: disclosing information
Few things are as dangerous as giving an attacker detailed information about how your application works and how it can be subverted.
Papa don't breach
In the last few days, while recovering from Easter's BBQ galore, I was hanging around my Twitter feeds and the most recurrent topic was… security breaches.
H4F - use robots.txt as a weapon with links rubygem
Did you ever think about how much information you disclose when you publish a website? In order to control how the site will appear in search results, webmasters create a robots.txt file telling crawlers what they have to consider in their indexing quest and which urls they must ignore so search engines won't show them in search results.
H4F - palco: your Sinatra skeleton builder
Sinatra is a powerful and easy to use ruby based DSL to create web applications and powerful APIs.
Understanding your attack exposure
You see an HTML form, I see your database
Even before your secure coding... patch your server
Monday security report
Hello world
The first time I started blogging on the armoredcode.com domain, it was 16th July 2010. They were strange days, without energy and with a lack of motivational spin.