Variable naming at its best...
Took only 2 hours to notice the difference between leftToRight and lefttoRight

Dubai International runs on intel...

I'm currently pentesting a web app on a Mac Mini with 8 Gigs of RAM and a i5-4620 using OWASP ZAP. Third time the fuzzer got stuck, the RAM's full an the CPU's permanently at 100 %.

Before starting this job, I always said that pentesting on this POS is like bringing a knife to a gunfight.

When I kicked off two fuzzers at once, I started feeling like bringing a cocktail sword to a thermonuclear war.

It's not even 10 here and I already wish for some booze. Damn, I gotta start making moonshine or something.

More a call for discussion...

How can it be that devs constantly whine about technical debt, how everything is "ancient" bla bla bla...

Yet don't want to update libraries / stuff unless one explicitly rams an klingon pain stick up their arse because one is very very very very tired of lame excuses.

Even better example - and reason for the rant - new microservice.

They honestly started with JDK 8.

Looking at the dependencies is like walking in a museum...

OWasp Dependency check?

Lot's of 7.5s and greater (NVD score).

How brain fucked ignorant can one team be?!!!

Let alone that that thing - despite being just a skeleton project - has already 178 dependencies.

I don't want to look at the build files, I'll guess I'd turn to Freddy Krueger otherwise...

But really - why whining all the time like you have a clit / arsehole full of sand and then starting a new project with an obviously copy pasted graveyard skeleton?!

I've deployed an instance of OWASP Juice Shop on Heroku, if anyone wants to practice and/or learn pen testing or just web based vulnerabilities in general it's an amazing application to learn from and practice on.

Your progress is dependant on the cookie, so it won't affect one another.

owaspshop.herokuapp.com

It's free, so if you want to deploy your own instance you can.

Seeing our products for the last two years being ripped out and replaced with basic php-server using the owasp-top-10-list as a checklist of things to implement. Reasoning: GraphQL is too hard on the client-side.

For credential errors on login forms..

Do you guys follow the “OWASP standard” and won’t let the user know which field (email or password) was incorrect, just a general message or the more UX-way and let them know that it is for example the password that doesn’t match with given email (if it exists)? 🤔

Had a minor “discussion” about this with our sales-guy this afternoon why that I’m (as the full-stack, and only, developer there) not that of a fan about the UX-way.. (even thou ‘security’ is a “myth”). 😁

One time, i would put a random stacktrace / error log containing fake server credentials/ card info etc on a page/ action letting those "hackers" waste their time digging into it.. only to found out that the server is just a repo of (i would like to say porn butthats still a win situation) useless things

When I made a PoC xss thingy.

So this webapp (which I was locally hosting) had a message functionality that allowed iframes to be sent through, but they could only originate from a specific domain. They used a bad regex tho, as the workaround was on an OWASP wiki page, which was the third search result for 'XSS'. I then used this iframe to load in a different page on this app where I could inject js in the title field. Then I discovered this field has a length limit, but I could just fit in a script that would base64 decode the hash part of the URL and eval it. I then updated the iframe to include a script that would automatically change the message signature of anyone who loaded it to include the iframe again in their message signature. Because these two pages were from the same domain, I had gained full control of the messaging app too, allowing me to do this and circumvent the csrf system.

I felt like I had achieved something.

Disclaimer: I love open source and I adore the owasp for what they do.

BUT owasp zap has to be the most overly complicated, badly documented tool in existence. As long as one stays within its most basic functions everything is fine, setting it up as a proxy and even issuing a root cert for our test devices worked wonderfully simple.

Then I made the mistake to try to actually do anything with the data we pulled and had to dive into the scripting console.

The documentation basically consists only of "This thing exists", it provides a msg object with no information what it contains or how it's structured, has no code completion and, here comes the kicker, if the script is run and has an error it gets flagged and can't be reenabled after the error is fixed. So I'm currently at forwarder48.groovy trying to simply store the request on a database for possible diagnostics.

So right now I already know that I'll spend most of my vacation next week trying to decipher the source, document it, fix that damn "flagged as error" bullshit and jump through a billion hoops trying to get a pull request through.