At SANS Pen Test Hackfest 2017 I presented "WAF-aiki: Pentest Techniques against a Web Application Firewall." One aspect of that presentation dealt with wafiron, a bespoke tool that I wrote to deal with a particularly troublesome pentest where the WAF was effectively thwarting all my attacks.
If you'd like to peek at it or play with it, the current version is here.
Continue reading "WAF-aiki tool: wafiron"
Sometimes you want to grab a copy of a server's TLS certificate, usually in order to perform Certificate Pinning. This is an additional security step that provides further assurance that the server you're talking to is the correct server (and is not, for example, an imposter using a bogus but legitimately issued certificate).
There are a number of different methods to do so, both from browsers and from the command line. This post documents a couple of command-line methods; a follow-up post will go into browser methods.
It should be noted, while we're on the topic, that Certificate Pinning is a controversial step to take, because it breaks things. In the ordinary course of events, when a certificate is replaced with a newer certificate, this change is invisible to the client, because both the old and the new certificate "check out" (in that they're issued by a valid CA, they're within their validity dates, they're not on a CRL, etc.). When you start pinning, you lose the ability to adapt when a certificate is replaced in the normal course of business (expiration, compromise, addition of SAN names to the cert, etc.). So if you're depending on access to a service but trying to improve security by pinning, be aware that you may be shooting your availability/uptime in the foot: when the certificate gets replaced by the server's owner, your pinning will break the connectivity.
Continue reading "Grabbing a copy of a server's TLS certificate"
Spam, like the tide, ebbs and flows. Whatever spam filtering tool one is using, there will come a time when new spam messages start sneaking past it. Usually these are temporary setbacks, as the filtering tools are taught to recover from their errors. Sometimes, though, the spam is irritating enough to rate a closer look.
In this post, I'll describe my investigation of a recent surge in spam messages and the common header traits I found that helped identify this particular family of spam, culminating in a one-off filter I wrote to mark them as spam until my main filters catch up.
Continue reading "Analysis and blocking of structured spam headers"