Why you should not trust the cloud WAF? Introduction & Objective A web application firewall (WAF) or WAF appliance provides security by operating through an application or service thus blocking malicious calls, inputs, and outputs that do not meet the policy of a firewall. Today due to increasing cloud architecture, multiple cloud providers…

Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. How does Amazon SNS work? It is very easy to get started with Amazon SNS. Developers must first create a “topic” which is an “access point” — identifying a specific…

This guide talks about setting up the Clair scanner and performs scans on vulnerable DVWA container. Also now it is possible to perform a hands-on demo on katacoda. You can run the demo on Katacoda. For running the demo visit https://www.katacoda.com/justmorpheus Setting up Clair server or using locally. CoreOs Clair https://github.com/coreos/clair Clair-scanner https://github.com/arminc/clair-scanner

Manual security scanning is very time consuming and we can leverage headless Burp Suite to perform the scanning and get the results uploaded in the Google Drive directly via Pydrive Module in Python. This automation uses Burp Suite Pro along with Robot Framework and REST API using Python3. …

Installation of GCP Inspector and basics about enumerating publicly exposed GCP buckets. While playing Thunder CTF I created a simple python tool that can audit publicly accessible GCP storage buckets. Thunder CTF allows players to practice attacking vulnerable cloud projects on the Google Cloud Platform (GCP) environment. …

Corellium provided virtual iOS-based devices for individual accounts on our groundbreaking security research platform, CORSEC. Corellium’s iOS devices may be jailbroken or non-jailbroken and can be used for security research. Corellium is a premium iOS emulator on which one can run and test iOS applications. Although there is no support…

This is an unofficial Nessus blog which deals with advance scans for better results and compliance. There will be section for authentication in the Nessus as well. Here, we will create a more in-depth scan, where we will try to perform an advance Nessus Scan. This will provide us with…

This is 3rd part of Automating Burp Suite, where we will try to replace the CSRF token generated from the response body to request the body user_token parameter in DVWA. Check out the next part where we have automated custom header replacement via burp suite extension. This part is pretty…

This is the 4th tutorial where I have developed a Burp Extension using jython and implemented addition on custom header in the request headers derived from response body/response header using Burp Suite Macro. This custom header extension can be directly invoked and it can be used for automating CSRF tokens…