#hack100days Day30: Finished _Hacking APIs_ last night. Will review and finish labs tomorrow. Spent a couple of hours looking at a VDP/Bug Bounty program with a really big scope. Started nailing down and documenting some of the detailed scope—DNS domains, net blocks, websites, etc. #infosec #cososec #bugbounty
@omnipotus Spontaneous Gallows, is that the Antifa Ska band that plays mashups of Black Flag and The Mighty Mighty Bosstones?
#hack100days Day29: Time to read chapter 14 of _Hacking APIs_. Tomorrow, labs for 12, 13, & 14. #infosec #cososec
@grannyclear Ya reckon they were smart enough to know that? (It's a fair argument...)
@Anthony_Barat Here's a good resource: https://decentsecurity.com If her data is backed up, I'd consider rebuilding her computer and restoring the data--not the apps. If she's on Windows, Defender is pretty good. I also like Malwarebytes as a second pair of eyes. I wouldn't bother with McAfee, Symantec, or Kaspersky.
#hack100days Day28: Time to read chapters 12 and 13 of _Hacking APIs_. Busy day. #infosec #cososec
@sheseala "Shields Up!"
#hack100days Day27: Tried out the exercise at the end of chapter 10. Read chapter 11 of _Hacking APIs_. #infosec #cososec
#hack100days Day26: Continued reviewing results of running script for 3 scenarios--got a couple more I could try, but I want to tweak the output. Read chapter 10 of _Hacking APIs_; in the past I've failed to consider the real signal in an HTTP 405. Do better! #infosec #cososec
@kenc313 That's ... ...not good.
I like to slice strawberries and then sprinkle them with a little salt and chipotle chili powder.
I wouldn't rule out bacon.
Hotdogs. Nay.
@sfcannon Have you looked at hackthebox.eu? They have a discord and a training platform, as well.
#hack100days Day25: Continued tinkering with script and postman to refine enumeration process on crAPI. Still bash über alles! I *think* I'm finding different versions of APIs, so need to work through how to confirm and then, once confirmed, how to exploit. #infosec #cososec
#hack100days Day24: Continued on the exercise from Chapter 9. Couldn't get postman to reproduce the results I was expecting. So, I wrote a bash script to do the enumeration. I get the point. Icing would be to rewrite in python and add some processing. #infosec #cososec
#hack100days Day23: Another chapter down in _Hacking APIs_ and tinkering with postman. Time for a cocktail and then pick it back up after dinner. #infosec #cososec
#hack100days Day22: Found some users. With the secret from "my" jwt, I was able to forge tokens for each user. With the forged tokens, I could reset their passwords. However, logging in yielded a blank page. Trying out kiterunner to find other API endpoints while I watch the Jan 6 hearings. #infosec #cososec
@SteppinRazor b'wah? A cocktail or a flavored whisky?
#hack100days Day21: Enumeration and attacks on crAPI. Error message on one of the screens suggested I might be able to brute force 'a thing'. Used ZAP's regex fuzzer for the first time. Didn't get a hit, so I've either mis-inferred what the message meant or it's a lie. After registering a user, attacked jwt with jwtcrack to see if I could get the secret. Success! JWT payload may be an unfortunate decision, so next step is to find other users to see if I can impersonate them. #infosec #cososec
@YouInMyEye Bird food? (I'm not a fan of them either.)
#hack100days Day20: Published my start/stop script to github (https://github.com/stop-a/misc_scripts/blob/8d8c820922f579e6641b118235269af200f9b7f3/runlab2). Bashed at https://github.com/DevSlop/Pixi in my lab. Got a little more acquainted with Postman. #infosec #cososec
Muddling through.