Parsia's Den

Because no one wants to be the other guy from Wham!

Jun 25, 2014 - 2 minute read - Comments - Burp

Piping SSL/TLS Traffic from SoapUI to Burp

Recently I was trying to test a web service. The traffic was over SSL/TLS and everything was fine. As I am better with Burp than SoapUI, I wanted to use Burp as a proxy for SoapUI. This should be an easy matter. Burp will create a custom certificate (signed by its root CA) for each site and effectively Man-in-the-Middle the connection. But this time it was different: I was getting the dreaded Peer not Authenticated error.

May 25, 2014 - 2 minute read - Comments - Python

Pasting Shellcode in GDB using Python

A few days ago I was trying to write an exploit for a buffer overflow with GDB. This was a console application and pasting shellcode would mess with it. There are a few options: Writing shellcode to a file and then using it as input for GDB.

    # you can also include GDB commands like setting up breakpoints (e.g. b * 0xDEADBEEF)
    # remember to include a new line after each command
    $ python -c 'print "b * 0xDEADBEEF" + "\n" + "\x41"*1000 + "\n"' > input
    # $ perl -e for perl

    # start debugging with GDB
    # -q (quiet mode): no text at startup
    $ gdb executable1 -q
    (gdb) run < input

After this you can manually debug in GDB.

Apr 22, 2014 - 1 minute read - Comments - Amazon S3 Not Security

Amazon S3 and CSS

After I deployed my blog to Amazon S3, I realized that there was no CSS applied to the pages. In Octopress, the look and feel of the website is managed by stylesheets/screen.css. It was fine in rake preview but not on the S3 bucket. I looked around for a few hours to no avail. There was one other person who had the same issue on Stack Overflow but no answers. Relevant xkcd:

Apr 20, 2014 - 1 minute read - Comments - Amazon S3 Not Security

Now hosted on Amazon S3

I moved my blog from Bluehost to Amazon S3. I have not used CloudFront yet; I doubt my blog has any visitors to justify that. It was really easy to redirect everything to cryptogangsta.com. parsiya.net, www.parsiya.net and www.cryptogangsta.com should all point to cryptogangsta.com. I have decided (for the n-th time) to start updating this blog. Hopefully I will do it this time; I have some ideas to keep this blog running ;).

Nov 17, 2013 - 2 minute read - Comments - Crypto

How do I TLS Ciphersuite?

“Should we use RC4 or AES-CBC?” This is a legitimate question. Many have heard of the highly publicized attacks against AES-CBC (CRIME, BEAST, etc.) and lean towards RC4. If asked (granted no one asks me), my answer would be: If you can control web servers (not feasible in all situations) and users’ browsers (almost impossible), upgrade to TLS 1.2 and go with AES-GCM. However, not many browsers supported these and to be honest, more users trumps loss of security in many cases.

Sep 29, 2013 - 1 minute read - Comments - Reverse Engineering

Microsoft Bluehat Challenges

Microsoft has released their Bluehat challenges. You answer the challenge, send it out and if correct they will send the next level (at least that is what they say). There are three categories: Reverse Engineering, Web and Vulnerabilities. The first Reverse Engineering challenge was quite easy. But it was level 1 and I do not expect anti-debugging techniques. Let’s see about the next level. Anyway, Enjoy. Linkie.