#hack100days Day24: Continued on the exercise from Chapter 9. Couldn't get postman to reproduce the results I was expecting. So, I wrote a bash script to do the enumeration. I get the point. Icing would be to rewrite in python and add some processing. #infosec #cososec
#hack100days Day23: Another chapter down in _Hacking APIs_ and tinkering with postman. Time for a cocktail and then pick it back up after dinner. #infosec #cososec
#hack100days Day22: Found some users. With the secret from "my" JWT, I was able to forge tokens for each user. With the forged tokens, I could reset their passwords. However, logging in yielded a blank page. Trying out kiterunner to find other API endpoints while I watch the Jan 6 hearings. #infosec #cososec
#hack100days Day21: Enumeration and attacks on crAPI. Error message on one of the screens suggested I might be able to brute force 'a thing'. Used ZAP's regex fuzzer for the first time. Didn't get a hit, so I've either mis-inferred what the message meant or it's a lie. After registering a user, attacked jwt with jwtcrack to see if I could get the secret. Success! JWT payload may be an unfortunate decision, so next step is to find other users to see if I can impersonate them. #infosec #cososec
#hack100days Day20: Published my start/stop script to github (https://github.com/stop-a/misc_scripts/blob/8d8c820922f579e6641b118235269af200f9b7f3/runlab2). Bashed at https://github.com/DevSlop/Pixi in my lab. Got a little more acquainted with Postman. #infosec #cososec
#hack100days Day19: Tested the other deliberately vulnerable apps I had issues with on the new version of docker. All good! Wrote a wrapper script to start/stop the apps as needed. (They're supposed to be cows, not pets ya?) Chapters 7 & 8 read of _Hacking APIs_. #infosec #cososec #mmmmsteak
#hack100days Day18: Finally managed to get crAPI working. Needed to move from docker 20.10.14 to 20.10.16, because of course. (I am not enamored of docker.) Finished the first crAPI lab. #infosec #cososec #sysadmin101
#hack100days Day17: Lab in _Hacking APIs_ wants a working version of crAPI. Getting crAPI turned out to be a fail. Nuked, paved, and re-started that effort. Same result. Documented steps and results. Opened an issue. Got a quick response for additional info, so we'll see how this goes. In retrospect, I should have anticipated the question. #infosec #cososec #sysadmin101
#hack100days Day16: Continuing reading _Hacking APIs_. Installed OWASP crAPI app on lab machine. Getting some touches with docker. Need to troubleshoot an error w/one of the crAPI containers. Then, time to hack it! #infosec #cososec
#hack100days Day15: Back to _Hacking APIs_. Got Juice Shop installed and tucked behind an nginx reverse proxy, along with DVGA. Now have some #hackthebox systems to put on my list of targets. Next chapter down. #infosec #cososec
#hack100days Day14: SANS ICS Summit CTF. I'm on the board! Nowhere near top 10, but I'm not sussed since I'm learning more about ICS this way. #infosec #cososec #ctf #ics
#hack100days Day13: The chain continues... Another chapter down in _Hacking APIs_. Installing deliberately vulnerable apps for the next lab and will bang on them later this evening. In the meantime, kidlet has prepared dinner. #infosec #cososec
#hack100days Day12: Worked on _Hacking APIs_, Lab 1. Didn't use Burp Suite, used ZAP instead. Compared and contrasted with Postman. Slow going at first as I get acquainted with Postman. #infosec #cososec
#hack100days Day11: Continued working on Hacking APIs. Next up is working on the labs. Created a postman account. #infosec #cososec
#hack100days Day10: New chain, longer than the old chain! Read more of _Hacking APIs_, by Corey Ball. Looking forward to learning more about GraphQL—want to understand the AuthZ patterns and techniques. Also learned about Broken Object Level Authorization (BOLA). The examples look a lot like IDOR, but I think I grok the diff. You can have an IDOR that’s not a BOLA, but I reckon you could get a BOLA as a result of an IDOR. Still need to think and tinker with this one a bit. #infosec #cososec
#hack100days Day8b: Power went out for a couple of hours today. So, went analogue and read two chapters of Hacking APIs by Corey J. Ball (https://nostarch.com/hacking-apis) #infosec #cososec
#hack100days Day6b: Hack the Box Academy. I like the UI for Burp, but I like not having to pay to get the goodness that ZAP brings. Also took a minute to break the rust off for using Metasploit. Can't remember the last time I looked at that. #infosec #cososec
#hack100days Day5b: Read about hacking today. Finished 3-part series on a Cloudflare bug bounty. (https://blog.assetnote.io/2022/05/06/cloudflare-pages-pt1/) #infosec #cososec
#hack100days Day4b: Testing #ssti payloads. Trying to figure out if I’m overthinking it. Tokens matter. #infosec #cososec
#hack100days Day3b: More reading about #ssti, still need to find the right payload. Found an article that walks through a process to find a way to the OS module. #infosec #cososec
Muddling through.