Parsia's Den

Because no one wants to be the other guy from Wham!

Jun 1, 2016 - 1 minute read - Comments - Go Not Security

Learning Go

I have decided to learn Go (or Golang). I went through the Tour of Go and made some notes. Some of the items/code are directly copy-pasted from there. The notes are just a cheatsheet to help me look things up quickly while learning. I will update that page as I learn more.

You can see the notes at https://parsiya.net/go/.

May 15, 2016 - 20 minute read - Comments - Burp Thick Client Proxying

Thick Client Proxying - Part 5: FileHippo App Manager or the Bloated Hippo

I have talked a lot about this and that but have done nothing in action. Now I will talk about proxying actual applications. I will start with something easy, the FileHippo App Manager. This app was chosen because it can be proxied with Burp, it does not use TLS and it has its own proxy settings (also works with Internet Explorer proxy settings). The requests are pretty simple to understand. I like the FileHippo website because it archives old versions of software. For example I loved the non-bloated Yahoo! Messenger 8.0 when I used it (it’s pretty popular in some places) and used FileHippo to download the old versions.

FileHippo App Manager turned out to be more interesting than I thought and this post turned into some .NET reverse engineering using dnSpy. Here’s what I talk about in this post:

  • The app contains the AWS SDK and a fortunately invalid set of AWS Access/Secret keys. Both the SDK and the keys are in dead code.
  • Requests have an AccessToken header which is generated client-side. We will discuss how it is generated.
  • The application has a “hidden” DEBUG mode which unfortunately does nothing special. We will discover how to enable it.

May 9, 2016 - 1 minute read - Comments - Update Not-Security

Looking for Apps to Proxy

It’s been a while since Burp part four and I want to continue writing these. It’s time to actually proxy applications. However I have three problems:

  1. I was too busy at work.
  2. I could not find a lot of interesting applications that are interesting to proxy and can showcase different Burp functionalities that we talked about.
  3. I found some interesting applications but there were security vulns so I am going through disclosure (unfortunately I may never be able to release them publicly).

The last point was a surprise; these are decently popular apps and I could not believe that no one had looked at them before.

Nevertheless, I will continue soon.

In the meantime, Burp version 1.7 has been released. Now we have Burp projects. Instead of saving the state every day, we can use one project file that contains all the items. Pretty cool. Some of the items have changed, especially options. Now it has User Options and Project Options but the options by themselves are still there.

Apr 14, 2016 - 1 minute read - Comments - Not Security Migration to Hugo

Cloudfront and TLS

I finally decided to cave in and take advantage of the Amazon Cloudfront free TLS certificate. I know I will end up paying more than what I already do but I pay a few bucks each month. Each month I pay one dollar for two hosted zones and another dollar or so for the bandwidth. Even if I was still in my home country, I would have been able to pay this as it is less than a large pizza even where I lived.

If you are interested in free hosting alternatives, you can use Github-pages, Bitbucket or just go with the excellent Gitlab-Pages (which supports Hugo and a whole lot of other static website generators natively).

It took me a lot of tries and probably burning a good amount of money on Cloudfront invalidation requests (otherwise I had to wait for a day or so to see the changes) but it finally worked. The trick was to set up the origin policy during creation of the distribution as it cannot be modified through the web portal after that.

Burp part five is still on hold for now because I am doing something else.

Apr 7, 2016 - 9 minute read - Comments - Burp Thick Client Proxying

Thick Client Proxying - Part 4: Burp in Proxy Chains

In this post I will talk about using Burp as part of a proxy chain. The number of applications that can be proxied by Burp and used with Burp in proxy chains is infinite for documentation purposes. Instead I am going to demonstrate how to use some of the more used tools with Burp in a proxy chain. All of this is going to happen on a Windows 7 Virtual Machine (VM).

These applications/utilities are:

  • Cygwin: I will use cURL commands for demonstration purposes.
  • IBM Appscan Standard: I will use the evaluation version.
  • Charles Proxy: For when you have to use multiple proxies.
  • Fiddler: Same as above.
  • SoapUI

You don’t need Burp Pro to play along and apart from Appscan, all applications are free to use. For Appscan we will use the evaluation version which is free for its demo test.

Apr 3, 2016 - 2 minute read - Comments - Not Security Migration to Hugo

Hugo Octopress Update

I have made a good number of changes to the Hugo-Octopress theme. As I have been using the theme more and more, I have realized there were a bunch of bugs (some were pointed out on Github).

Apart from bugs, I had hardcoded too many settings in the theme. For example, modifying the text in the sidebar could only be accomplished by changing the sidebar template. Ideally the user should not need to modify anything in the theme and it should be customizable by just using the config file.

In the end I created a bunch of issues on Github and then closed them myself. I am not quite sure if this is correct git but eh :D