Parsia's Den

Because no one wants to be the other guy from Wham!

Jul 3, 2014 - 1 minute read - Comments - Crypto

Apple's Common Crypto Library Defaults to a Zero IV if One is not Provided

Today I was writing some guidelines about generating keys for mobile applications at work. While providing code examples in Java and Obj-C for AES encryption I happened to look at Apple’s Common Crypto library. While going through the source code for CommonCryptor.c, I noticed that IV is commented as /* optional initialization vector */. This makes sense because not all ciphers use IV and not all AES modes of operation (e.

Jun 25, 2014 - 2 minute read - Comments - Burp

Piping SSL/TLS Traffic from SoapUI to Burp

Recently I was trying to test a web service. The traffic was over SSL/TLS and everything was fine. As I am better with Burp than SoapUI, I wanted to use Burp as a proxy for SoapUI. This should be an easy matter. Burp will create a custom certificate (signed by its root CA) for each site and effectively Man-in-the-Middle the connection. But this time it was different: I was getting the dreaded Peer not Authenticated error.

May 25, 2014 - 2 minute read - Comments - Python

Pasting Shellcode in GDB using Python

A few days ago I was trying to write an exploit for a buffer overflow with GDB. This was a console application and pasting shellcode would mess with it. There are a few options:

Writing shellcode to a file and then using it as input for GDB.

    # you can also include GDB commands like setting up breakpoints (e.g. b * 0xDEADBEEF)
    # remember to include a new line after each command
    $ python -c 'print "b * 0xDEADBEEF" + "\n" + "\x41"*1000 + "\n"' > input
    # $ perl -e for perl

    # start debugging with GDB
    # -q (quiet mode): no text at startup
    $ gdb executable1 -q
    (gdb) run < input

After this you can manually debug in GDB.

Apr 22, 2014 - 1 minute read - Comments - Amazon S3 Not Security

Amazon S3 and CSS

After I deployed my blog to Amazon S3, I realized that there was no CSS applied to the pages. In Octopress, the look and feel of the website is managed by stylesheets/screen.css. It was fine in rake preview but not on the S3 bucket. I looked around for a few hours to no avail. There was one other person who had the same issue on Stack Overflow but no answers. Relevant xkcd:

Apr 20, 2014 - 1 minute read - Comments - Amazon S3 Not Security

Now hosted on Amazon S3

I moved my blog from Bluehost to Amazon S3. I have not used CloudFront yet; I doubt my blog has any visitors to justify that. It was really easy to redirect everything to, and should all point to I have decided (for the n-th time) to start updating this blog. Hopefully I will do it this time, I have some ideas to keep this blog running ;).

Nov 17, 2013 - 2 minute read - Comments - Crypto

How do I TLS Ciphersuite?

“Should we use RC4 or AES-CBC?” This is a legitimate question. Many have heard of the highly publicized attacks against AES-CBC (CRIME, BEAST, etc.) and lean towards RC4. If asked (granted no one asks me), my answer would be: If you can control web servers (not feasible in all situations) and users’ browsers (almost impossible), upgrade to TLS 1.2 and go with AES-GCM. However, not many browsers supported these and to be honest, more users trumps loss of security in many cases.