December 16, 2018

Introducing Gorp, a Web App Pentesting and Reversing Framework

I would like to introduce Gorp, a modular bug hunting, pentesting, and web application reverse engineering framework written in Go that I have been working on for the past few months. The idea of Gorp came up as I started exploring the Chrome DevTools protocol and how to use it in my pentesting and bug hunting work. If you want to learn more about how that came about, you can read this blog post.

December 4, 2018

Setting Up Your Own Email Server With OpenBSD

Creating your email may be seen as equivalent to making your own cheese, or crafting your own beer: it is kind of a hipster thing. There are so many email services out there, so why would you spend the time to do that? What I like about it is that it allows me to learn to work with OpenBSD through a fun, useful project, and it’s kind of a radical thing to do.

October 9, 2018

Chrome Devtools Fun With Golang

I recently found this article about using the Chrome DevTools protocol to intercept and modify traffic. I found the article very enlightening given that the technique can allow pentesters to use complex logic when intercepting and modifying web requests. And yes, you can capture, intercept and modify traffic with tools like Burp, but you often have to rely on a heavy GUI and complex regex rules (and while I find regex very useful for my work, I don’t find it fun to work with it!

September 8, 2018

Hunting for Angular Based Bugs With the Browser Console

One of the least appreciated tools available to pentesters is the browser console. Every browser has it, allowing you to not only read comments that developers forgot to remove (as features often get pushed to production faster than they can be tested), but also manipulate the behavior of the application at runtime by making use of functions and variables written by the frontend programmers of the application. This is one of my favorite tools to use when testing AngularJS applications.

September 8, 2018

Building a .NET Core MVC Webshell

Some time ago I decided to create a dotnet core webshell. The idea came from a co-worker who, while participating in a security hackathon, mentioned how difficult it is to find .NET webshells for LFI and RFI attacks. This is true, as most webshells that you can find online are for PHP, as web penetration testing is usually taught with vulnerable PHP web applications. I decided to try to solve this problem and share the code with whoever stumbles upon this post.

© Dharma of Code 2018