gRPC is getting increasingly popular and as a result, it is encountered more often during security assessments. In this blog post, I explain the different approaches to security test gRPC services depending on the type of assessment. At the end, I will show how to extend the blackboxprotobuf Burp extension to support...Read more...

Web applications often keep state corresponding to the current user. The user gets a cookie with an opaque token, the session token. The browser includes this cookie in each request. The web application uses this token to retrieve the corresponding data from the database, which can be used by the web application.
In...Read more...

While the sleep mask kit is doing a great job at encrypting the beacon at rest, the beacon resides unencrypted in memory during the execution of BOFs. This leads to detection if a memory scan is performed during the execution of the BOF. To overcome this, we encrypt the beacon memory and configuration block at the...Read more...

What if your external developer won’t let you share the code of an application with us for a pentest, even though the application was made specifically for you? This is problematic because it forces you to accept a less effective test of your application: one in which we cannot look at the code while we carry out the...Read more...

You may want a pentest for a variety of reasons: in this blog we will discuss four common reasons for pentests of (web) applications or hardware and I will give you tips.
Above all: understand what your own reason is and communicate this with your pentest provider. It will improve your pentest experience, I promise!...Read more...