SecurityTube Advanced Red Team Lab training - Worth it ?

    Quick answer: Totally !

    Hello everybody,

    I would like to talk a bit about the SecurityTube red team labs, specifically the Advanced Red Team Lab which leads to the CRTE (Certified Red Team Expert) certification. P.S: i’m not affiliated with securitytube.

    Some great reviews are already existing, so i will focus on why i chose this lab and certification. I will give you some hints about how to approach your targets. Most importantly, i would like to introduce you a tool that i developped which will help you during your journey, Invoke-Recon.

    Read more ...

    What solutions to prevent git leaks ?

    Hello,

    I will do a quick and dirty post about what’s out there to find / prevent leaks of secrets in your git repositories.
    I did not try all of these tools. For the search part, i’m mainly using a fork of Trufflehog with some added features (search in filenames, commits comments, also with custom regexes).

    Objectives :

    • Look into the commits history for sensitive information publicly accessible by an attacker ;
    • Prevent secrets leaks ;
    • Monitoring and integrating these checks in the Continous Delivery process - aka DevSecOps
    Read more ...

    Gathering some information from web exposed GIT repositories

    Hello folks,

    Last week, while i was doing recon on some websites, i noticed that we can still found some versioning repositories in production. I found some classic .git exposed, and in a lesser extent some .svn directories. I decided to gather a bunch of websites caught in the TOP Alexa in order to look for the proportion of .git exposed; with 112332 domains scanned (mixed TLDs), i found 453 .git exposed, which is only 0.4%. Not bad.

    How to scan for web exposed git directories:
    nmap --open -PN -n -p80,81,82,8000,8080,443,8443,9443 --script http-git -oA http-git -iL domains.lst

    Read more ...

    Play with permissive CORS

    Hello folks,

    While i was playing with a ‘code search engine’ tool called publicwww, i decided to gather some top Alexa domains and to look for some permissive CORS. I tried the following researches, site:fr "type=\"password\"", the same for the TLDs .org and .com, in order to spot webpages with a login form, meaning authenticated users..

    Read more ...

    A fun case of XSS and other web concepts

    Hello folks,

    I would like to share with you a practical case of reflected XSS while i was looking at my national health service account. Right now the XSS has been patched (we have an efficient dedicated national service where we can report such issues).

    Read more ...