#hack100days Day27: Tried out the exercise at the end of chapter 10. Read chapter 11 of _Hacking APIs_. #infosec #cososec

#hack100days Day26: Continued reviewing results of running script for 3 scenarios--got a couple of more I could try, but I want to tweak the output. Read chapter 10 of _Hacking APIs_, in the past I've failed to consider the the real signal in an HTTP 405. Do better! #infosec #cososec

#hack100days Day25: Continued tinkering with script and postman to refine enumeration process on crAPI. Still bash über alles! I *think* I'm finding different version of APIs, so need to work through how to confirm and then, once confirmed, how to exploit. #infosec #cososec

#hack100days Day24: Continued on the exercise from Chapter 9. Couldn't get postman to reproduce the results I was expecting. So, I wrote a bash script to do the enumeration. I get the point. Icing would be to rewrite in python and add some processing. #infosec #cososec

#hack100days Day23: Another chapter down in _Hacking APIs_ and tinkering with postman. Time for a cocktail and then pick it back up after dinner. #infosec #cososec

#hack100days Day22: Found some users. With the secret from "my" jwt and was able forge tokens for each user. With the forged tokens, I could reset their passwords. However, logging in yielded a blank page. Trying out kiterunner to find other API endpoints while I watch the Jan 6 hearings. #infosec #cososec

#hack100days Day21: Enumeration and attacks on crAPI. Error message on one of the screens suggested I might be able to brute force 'a thing'. Used ZAP's regex fuzzer for the first time. Didn't get a hit, so I've either mis-inferred what the message meant or it's a lie. After registering a user, attacked jwt with jwtcrack to see if I could get the secret. Success! JWT payload may be an unfortunate decision, so next step is to find other users to see if I can impersonate them. #infosec #cososec

#hack100days Day20: Published my start/stop script to github (https://github.com/stop-a/misc_scripts/blob/8d8c820922f579e6641b118235269af200f9b7f3/runlab2). Bashed at https://github.com/DevSlop/Pixi in my lab. Got a little more acquainted with Postman. #infosec #cososec

#hack100days Day19: Tested the other deliberately vulnerable apps I had issues with on the new version of docker. All good! Wrote a wrapper script to start/stop the apps as needed. (They're supposed to be cows, not pets ya?) Chapters 7 & 8 read of _Hacking APIs_. #infosec #cososec #mmmmsteak

Congress critters are pretending to do stuff re: gun violence in schools. Exhibit A: https://www.congress.gov/117/bills/hr1567/BILLS-117hr1567ih.pdf and Exhibit B: https://www.congress.gov/117/bills/hr750/BILLS-117hr750ih.pdf The first bill seems unnecessary, if someone has a permit to carry a concealed weapon then they can carry the weapon. The second is redundant: https://www.schoolsafety.gov/

Call your congress critter now: https://5calls.org/issue/gun-safety-reform/

#hack1000days Day18: Finally managed to get crAPI working. Needed to move to from docker 20.10.14 to 20.10.16, because of course. (I am not enamored of docker.) Finished the first crAPI lab. #infosec #cososec #sysadmin101

Vamos Rafa!
(Holy Moses he *owns* Roland Garros)

#hack100days Day 17: Lab in _Hacking APIs_ wants working version of crAPI. Getting crAPI turned out to be fail. Nuked, paved, and re-started that effort. Same result. Documented steps and results. Opened an issue. Got a quick response for additional info, so we'll see how this goes. In retrospect, I should have anticipated the question. #infosec #cososec #sysadmin101

#hack100days Day16: Continuing reading _Hacking APIs_. Installed OWASP crAPI app on lab machine. Getting some touches with docker. Need to troubleshoot an error w/one of the crAPI containers. Then, time to hack it! #infosec #cososec

#hack100days Day15: Back to _Hacking APIs_. Got Juice Shop installed and tucked behind an nginx reverse proxy, along with DVGA. Now have some #hackthebox systems to put on my list of targets. Next chapter down. #infosec #cososec

#hack100days Day14: SANS ICS Summit CTF. I'm on the board! No where near top 10, but I'm not sussed since I'm learning more about ICS this way. #infosec #cososec #ctf #ics

#hack100days Day13: The chain continues... Another chapter down in _hacking APIs_. Installing deliberately vulnerable apps for the next lab and will bang on them later this evening. In the meantime, kidlet has prepared dinner.
#infosec #cososec

Vamos, Rafa! He's made it past Djokovic!
#tennis #rolandgarros

I called my congress critters again this week. The topic: https://5calls.org/issue/gun-safety-reform/

In particular, I asked the to close the loopholes around background checks when buying at a gunshow or in a private transaction. I also picked on high-capacity magazines. I don't have an issue with hunting, but 30 round magazines are for hunting people not deer, etc.

Yes, it's polical.

#politics #endnra #guncontrol #wellregulatedmilitia

#hack100days Day12: Worked on _Hacking APIs_, Lab 1. Didn't use Burpsuite, used Zap instead. Compared and contrasted with Postman. Slow going at first as I get acquainted with Postman. #infosec #cososec