Pentesting gRPC / Protobuf : Decoding First steps

Protocol Buffers (a.k.a ProtoBuf) and other binary serialization representations are gaining popularity, especially in inter-microservice communication. Unlike JSON or HTTP, ProtoBufs are not human readable (hence the "binary" part of binary serialization) , but that translates into an advantage of  less overhead, leading to performance gains, and the ability to code against a fixed schema … Continue reading Pentesting gRPC / Protobuf : Decoding First steps

Advertisements

Android hacking tools update for Sept 2018

This article outlines a few "lessons learned" during an Android pen-test, specifically on which parts of my toolset I needed to update to accommodate newer android versions (Android v7+) MultiDex support One of the standard pen-test techniques is to decompile the App's source code. Typically this is done by converting the APK DEX code to … Continue reading Android hacking tools update for Sept 2018

First steps in writing a custom OWASP ZAP extension

OWASP ZAP is a very popular attack proxy typically used in Web Application penetration tests. Think "Open Source BurpSuite", and that's ZAP in a nutshell. It has become my go-to tool for penetration tests, and it definitely is a fantastic piece of software that ticks all my boxes - except one. The problem : Note taking … Continue reading First steps in writing a custom OWASP ZAP extension

Apache NiFi: Custom Web Scraper Processor – Powered by Selenium

In this article we explore how to build a custom Apache Nifi processor. Our objective is to build a custom NiFi processor, written in Java, that uses Selenium to scrape an arbitrary piece of information off a web-page. The end result will look like this: https://www.youtube.com/watch?v=alRC8owgjl4&feature=youtu.be This highlights the flexibility of Apache NiFi, showing off … Continue reading Apache NiFi: Custom Web Scraper Processor – Powered by Selenium

Apache NiFi: From Syslog to Elasticsearch

Apache Nifi is the result of an project open-sourced by the NSA. It's described as a "data traffic program"... For users familiar with the Elastic ecosystem, think of it as a GUI-enabled mashup of Filebeat, Winlogbeat and Logstash. In essence Nifi allows you to build data processing pipelines of arbitrary complexity and enrich the data or … Continue reading Apache NiFi: From Syslog to Elasticsearch

Scraping real estate prices using python and visualization using maps

TL;DR An interactive map, accurate as of 13/08/2018 showing property prices per square meter in various areas of Tallin: https://dvas0004.github.io/TallinnRealEstate/ Data shown is for 3-bedroom apartments (resource limitations). Green is less expensive, red is more expensive. Clicking on a data point will show a popup containing the actual price per square meter for that data … Continue reading Scraping real estate prices using python and visualization using maps

Lessons learned: Spring Data Postgres application configuration

Scenario: During development of a Spring Boot application, with a PostgreSQL backend, we randomly observe errors such as: hikaripool-1 - connection is not available, request timed out after 30000ms   FATAL: remaining connection slots are reserved for non-replication superuser connections   Solution: There are a few checks to perform: Ensure that you use the correct … Continue reading Lessons learned: Spring Data Postgres application configuration