Hacking APIs and Web Services with DevSlop (S02E13) – Application Security PodCast

On this week's episode, Chris and Robert are joined by Tanya and Nicole. They talk about what APIs are, how they are used, and some of the threats involved with them. They also look at what DevSlop and ZAP are and how they are used in combination with APIs. As always, thanks for listening, and enjoy!

The post Hacking APIs and Web Services with DevSlop (S02E13) – Application Security PodCast appeared first on Security Journey Podcasts.

Defense in Depth
Allan Alford and David Spark
Leaked Secrets in Code Repositories
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-leaked-secrets-in-code-repositories/).

Secrets, such as passwords and credentials, are out in the open, just sitting there in code repositories. Why do these secrets even exist in public? What's their danger? And how can they be found and removed?

Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest, Jérémy Thomas, CEO, GitGuardian.

Thanks to this week's podcast sponsor, GitGuardian. GitGuardian empowers organizations to secure their secrets - such as API keys and other credentials - from being exposed in compromised places or leaked publicly. GitGuardian offers a threat intelligence solution focused on detecting secrets leaked on public GitHub and an automated secrets detection solution which tightly integrates with your DevOps pipeline.

On this episode of Defense in Depth, you'll learn:
* Putting passwords and other credential information inside of code simply happens. Developers do it for efficiency, out of laziness, or because they simply forgot to take it out.
* Given that exposing secrets is done by developers, these secrets appear in code everywhere, most notably in public code repositories like GitHub.
* Exposed credentials can appear in SIEMs as they are exported from the developers' code.
* There is a shared responsibility model, and cloud providers do have some ability to scan code, but ultimately the code you put in your programs is your responsibility.
* Scanning public code repositories should be your first step. You don't want to be adding code that has known issues.
* The next step is to scan your own code and get alerts if your developers are adding secrets (wittingly or unwittingly) to their code. If you alert in real time, it fits naturally within the DevOps pipeline and they will improve their secure coding skills.
* Another option to deal with exposed secrets is to sidestep the problem completely and put in additional layers of security, most notably multi-factor authentication (MFA). A great idea, and yes, you should definitely include this very secure step, but it doesn't eliminate the problem. There are far too many authentication layers (many automated) for you to put MFA on everything. There will always be many moments of exposure.
29 min
Cyber Work
Infosec
Protecting sensitive information: Growing data, regulations and risks
The amount of data organizations hold has exploded — along with the risk it poses. Today's guest is Very Good Security CEO and co-founder Mahmoud Abdelkader, who wants to solve the problem of sensitive data by removing it from the equation (by replacing it with decoy data). It's an intriguing idea, as having less worry about data security frees resources up to focus on other areas of cybersecurity. Mahmoud talks about the future of data security, how these new solutions do and don't help with privacy regulations, and what cybersecurity professionals can do to prepare for a future where the amount of data continues to grow every year.

– Get your free security awareness toolkit: http://infosecinstitute.com/ncsam2020
– Enter code "cyberwork" to get 30 days of free training with Infosec Skills: https://www.infosecinstitute.com/skills/
– View transcripts and additional episodes: https://www.infosecinstitute.com/podcast

Mahmoud Abdelkader is the CEO and co-founder of Very Good Security. He was previously CTO and co-founder of Balanced Payments (exited to Stripe). Prior to that, Mahmoud designed automated product matching systems at Milo.com (acquired by eBay) and built high-frequency trading systems for Wachovia Securities, now a part of Wells Fargo. With experience ranging from Wall Street to early-stage startups, Mahmoud is passionate about democratizing data security. He started Very Good Security to make best-in-class security and compliance attainable for businesses of all sizes.

*About Infosec*
At Infosec, we believe knowledge is power when fighting cybercrime. We help IT and security professionals advance their careers with certifications and skills training. We also empower all employees with security awareness training to stay cybersafe at work and home. Driven by smart people wanting to do good, Infosec educates entire organizations to defend themselves from cybercrime. It's what we do every day — equipping everyone with the latest security skills and confidence to be safe online. Learn more at infosecinstitute.com.
35 min
David Bombal
#204: David Bombal: Never Use TFTP Or FTP!
Both TFTP and FTP are insecure protocols. Everything is sent in clear text - including all usernames and passwords. Don't use them.

Get the full Wireshark course for $9: bit.ly/wireshark9
Need help? Join my Discord: discord.com/invite/usKSyzb
Free Wireshark and Ethical Hacking Course: Video #7. Watch the entire series here: bit.ly/wiresharkhacking

Menu
Overview: 0:00
Start Capture: 0:48
Ping test: 1:00
Copy files using TFTP: 1:40
Filter for TFTP: 2:27
Follow UDP stream: 2:45
FTP intro: 3:53
Upload a file using FTP: 4:16
Filter for FTP: 4:35
Follow TCP stream: 4:47

Download TFTP pcapng file here: bit.ly/311IjXc
Download FTP pcapng file here: bit.ly/3iUlz1A

Don't use TFTP or FTP! They send everything in clear text. That means that someone can capture everything you send on the network - including usernames and passwords.

In this course I'm going to show you how to capture packets from a network, how to capture passwords, replay voice conversations, view routing protocol updates and many more options. Do you know network protocols? Do you know how to hack? Want to learn Wireshark and have some fun with ethical hacking? This is the course for you: Learn Wireshark practically. Wireshark pcapng files provided so you can practice while you learn!

There is so much to learn in this course:
- Capture Telnet, FTP, TFTP, HTTP passwords.
- Replay VoIP conversations.
- Capture routing protocol (OSPF) authentication passwords.
- Troubleshoot network issues.
- Free software.
- Free downloadable pcapng files.
- Answer quiz questions.

The course is very practical. You can practice while you learn! Learn how to analyze and interpret network protocols and leverage Wireshark for what it was originally intended: deep packet inspection and network analysis.

Protocols we capture and discuss in this course include:
- Telnet
- FTP
- TFTP
- HTTP
- VoIP
- OSPF
- EIGRP
- DNS
- ICMP
7 min
The Social-Engineer Podcast
Social-Engineer, LLC
Ep. 134 – Altered Memories and Alternate Realities with Dr. Elizabeth Loftus
In this episode, Chris Hadnagy and Ryan MacDougall are joined by Distinguished Professor Elizabeth Loftus. Listen in to understand the vulnerabilities in human memories and how they are sometimes exploited. Learn to defend against attacks on your memory and how this information can be applied in the information security industry.

00:01 – Introduction to Elizabeth Loftus and her research on the malleability of human memory.
01:41 – Elizabeth's reasoning for researching human memory.
03:12 – What our faulty memory means for eyewitness testimonies.
04:20 – How the phrasing of a question can distort someone's memory.
06:27 – Is it possible to verify the accuracy of a memory?
10:34 – Trying hard to remember something can sometimes lead to the creation of a false memory.
11:22 – Elizabeth's experience with the trial of George Franklin.
14:13 – How can we protect ourselves from having our memories modified?
14:21 – The similarities between preventing false memories and preventing scams.
20:40 – "What the heck is going on in the world of Social-Engineer: COVID Style."
  Practical Open Source Intelligence For Everyday Social Engineers * 11-12 November 2020 - VIRTUAL
  Advanced Practical Social Engineering Training * 17-20 November, 2020 - VIRTUAL
  The Human Hacking Conference - Orlando, FL, March 11-13, 2021
  2021 Training Schedule
  Book: Human Hacking: Win Friends, Influence People, and Leave Them Better Off for Having Met You
  Website: social-engineer.com
  Website: social-engineer.org
25:43 – How hypnosis therapy often generates false memories.
30:21 – How to protect yourself from having your memories altered.
32:58 – The prevalence and impact of misinformation on social media.
38:30 – Elizabeth's website, TED Talk and books.
  Elizabeth F. Loftus' UCI School of Social Ecology Website
  TED Talk at TEDGlobal 2013
  Books by Elizabeth
39:44 – Elizabeth's book recommendations.
  Mistakes Were Made (but Not by Me)
41:50 – Outro

Links: Social-Engineer.org Newsletter, Framework, Blog, Social-Engineer.com, The Innocent Lives Foundation, The Innocent Lives Foundation on Twitter, The Human Hacking Conference, The Human Hacking Conference on Twitter, Human Hacking Book, Chris on Twitter, Social-Engineer on Twitter, Social-Engineer on Facebook, Social-Engineer on LinkedIn, Social-Engineer on Instagram, Social-Engineer on Slack
46 min
Python Bytes
Michael Kennedy and Brian Okken
#203 Scripting a masterpiece for Python web automation
Sponsored by DataDog: pythonbytes.fm/datadog

Michael #1: Introducing DigitalOcean App Platform
* Reimagining PaaS to make it simpler for you to build, deploy, and scale apps.
* Many of our customers have come to DigitalOcean after their PaaS became too expensive, or after hitting various limitations.
* You can build, deploy, and scale apps and static sites by simply pointing to your GitHub repository.
* Built on DigitalOcean Kubernetes, the App Platform brings the power, scale, and flexibility of Kubernetes without exposing you to any of its complexity.
* App Platform is built on open standards, providing more visibility into the underlying infrastructure than in a typical closed PaaS environment.
* You can also enable 'Autodeploy on Push,' which automatically re-deploys the app each time you push to the branch containing the source code.
* To efficiently handle traffic spikes (planned or unplanned), the App Platform lets you scale apps horizontally (i.e., add more instances that serve your app) and vertically (beef up the instances with more CPU and memory resources), with zero downtime.
* What can you build with the App Platform? Web apps, static sites, APIs, background workers.

Brian #2: Announcing Playwright for Python
* playwright-python
* playwright-pytest
* it's a Microsoft thing
* the pitch: "With the Playwright API, you can author end-to-end tests that run on all modern web browsers. Playwright delivers automation that is faster, more reliable and more capable than existing testing tools."
* timeout-free automation
  * automatically waits for the UI to be ready
* Intended to stay modern
  * emulation of mobile viewports
  * geolocation
  * web permissions
* can automate scenarios across multiple pages
* cross browser
  * Chromium (Chrome and Edge), WebKit (Safari), and Firefox
  * Safari rendering even works on Windows and Linux
* pytest compatible
* Django compatible
* Can work within CI/CD, even GH Actions.

Michael #3: Asynchronously Opening and Closing Files in asyncio
* Article by Chris Wellons
* asyncio has support for asynchronous networking, subprocesses, and interprocess communication. However, it has nothing for asynchronous file operations — opening, reading, writing, or closing.
* If a file operation takes a long time, perhaps because the file is on a network mount, then the entire Python process will hang.
* Let's build it!
* The usual way to work around the lack of operating system support for a particular asynchronous operation is to dedicate threads to waiting on those operations. By using a thread pool, we can even avoid the overhead of spawning threads when we need them. Plus asyncio is designed to play nicely with thread pools anyway.
* open() is used in a with statement, so build an aopen() that supports async with. Here's the tasty bit (the __aenter__ method of the aopen class):

```python
def __aenter__(self):
    # Run the blocking open() on a worker thread from the default executor
    # so the event loop is never stalled by a slow (e.g. network-mounted) file.
    def thread_open():
        return open(*self._args, **self._kwargs)
    loop = asyncio.get_event_loop()
    self._future = loop.run_in_executor(None, thread_open)
    return self._future
```

* aiofile package

Brian #4: Excel: Why using Microsoft's tool caused Covid-19 results to be lost
* this article was on bbc.com, but it was in several places
* Nearly 16,000 coronavirus cases went unreported in England.
* Logs pulled together from data from commercial testing firms (filed as CSV files) were combined in an Excel XLS template so that they could then be uploaded to a central system and made available to the NHS Test and Trace team, as well as other government computer dashboards.
* XLS was one problem. Limit is about 65k rows.
* XLSX increases that limit by about 16 times.
* But still, …. Excel for this?
* Comment from Prof Jon Crowcroft from the University of Cambridge:
  * "Excel was always meant for people mucking around with a bunch of data for their small company to see what it looked like."
  * "And then when you need to do something more serious, you build something bespoke that works - there's dozens of other things you could do."
  * "But you wouldn't use XLS. Nobody would start with that."
* In short: Best practices in computing don't always make it into the rest of the world. Much of the world still runs on Excel.
* What does this have to do with Python? Well.. Big datasets should use databases and Python.
* Check out the Talk Python free webcast on moving from Excel to Python: talkpython.fm/excel-webcast

Michael #5: locust.io
* via Prayson Daniel
* locust.io is an awesome tool to simulate users hammering your endpoint. Quite handy.
* An open source load testing tool: Define user behavior with Python code, and swarm your system with millions of simultaneous users.
* Usage: after installing it via pip, you can point it at your local endpoint with locust --host=http://localhost:5000 and open http://localhost:8089 to access the Locust web UI to simulate usage
* Features:
  * Define user behavior in code: No need for clunky UIs or bloated XML. Just plain code.
  * Distributed & scalable: Locust supports running load tests distributed over multiple machines, and can therefore be used to simulate millions of simultaneous users
  * Proven & battle tested: Locust has been used to simulate millions of simultaneous users. Battlelog, the web app for the Battlefield games, is load tested using Locust, so one can really say Locust is Battletested ;).
* Example:

```python
from locust import HttpUser, between, task


class WebsiteUser(HttpUser):
    # Each simulated user pauses 5-15 seconds between tasks
    wait_time = between(5, 15)

    def on_start(self):
        # Runs once per simulated user before its tasks start
        self.client.post("/login", {
            "username": "test_user",
            "password": ""
        })

    @task
    def index(self):
        self.client.get("/")
        self.client.get("/static/assets.js")

    @task
    def about(self):
        self.client.get("/about/")
```

Brian #6: Fixing Hacktoberfest
* various sources
* Hacktoberfest is an interesting idea sponsored by DigitalOcean and other sponsors.
* Overall, it's a good idea. Encourage people to contribute by bribing them with a t-shirt and other swag.
* Problem and some solutions outlined well by Anthony Sottile in "what's (wrong with) hacktoberfest?"
* There's always been some spam associated with Hacktoberfest.
  * Tiny bizarre PRs, PRs to unmaintained repos, etc.
* This year has been worse
  * A fairly popular YouTuber posted a video showing people how to get a free t-shirt by doing things like adding "- an awesome project" or expanding "It's" to "It is" in the readme, then submitting it as "improved docs".
* Changes:
  * On 10/3, rules changed: An update on efforts to reduce spam with Hacktoberfest: introducing maintainer opt-in and more
  * maintainers can opt in by adding the hacktoberfest topic to their repo.
  * No longer have to opt out
  * Should discourage spamming of inactive repos
* Summary: PRs count if:
  > Submitted during the month of October AND (
  >   The PR is labelled as hacktoberfest-accepted by a maintainer OR
  >   Submitted in a repo with the hacktoberfest topic AND (
  >     The PR is merged OR
  >     The PR has been approved
  >   )
  > )
  - The deadline for completions, merging, labeling, and approving is November 1.
  - I applaud DO and whoever else is working on Hacktoberfest for reacting quickly to this.

Extras:

Michael:
* PyCascades 2021 will take place on Saturday, February 20th from many locations across the Pacific Northwest and beyond.
* Call for Proposals 📣 PyCascades has been lucky to give our stage to incredible speakers with wonderful talks over the last three years. We are really looking forward to showcasing our community again next year. Our Call for Proposals (CFP) opens today and closes at the end of the day on Tuesday, November 10th, 2020 Anywhere on Earth.
* Patricio Reyes, a researcher at Barcelona Supercomputing Center (virtual tour):
  * You could also consider talking about nb_black: a simple black formatter for Jupyter and JupyterLab too.
  * There is another project (only for JupyterLab): JupyterLab Code Formatter: jupyterlab-code-formatter.readthedocs.io

Joke: Mor…
41 min