The Hustle

Found this cool new list called “The Hustle” that sends tech and business news each day. It’s had some really interesting stuff so far.

Check it out here!

Posted in Other

Playing with Content Security Policy (CSP) today…

Playing around with Content Security Policy (CSP) today. Found these resources so far that I like.

Any other suggestions?

Posted in Security

Injection on Windows

So, I’ve been playing around a bit with DLL injection on Windows. The basic process, using the classic CreateRemoteThread/LoadLibrary technique, is-

  • Identify the target process (by name or PID)
  • Open the target process with OpenProcess, requesting the access rights the later calls need (create thread, VM operation, VM write, query information)
  • Allocate a buffer in the target process with VirtualAllocEx that is large enough to hold the full path to the DLL plus its NUL terminator
  • Write the DLL path into that buffer with WriteProcessMemory
  • Create a remote thread in the target with CreateRemoteThread, using LoadLibraryA as the thread start routine and the address of the buffer as its single parameter, so the target process loads the DLL for you

That’s it in a nutshell. Will show in-depth soon!

Posted in Security

The Witchcraft Compiler Collection by @endrazine

In case you missed Defcon 24 or were there and happened to miss this talk, this is some amazing stuff. It’s called the Witchcraft Compiler Collection (WCC) by my co-worker and friend, Jonathan Brossard.

Some things you can do with WCC:

  • Transforming ET_EXEC ELF executables into shared libraries (that is, turning an executable into a shared library). Demoed by patching proftpd into a shared library and then calling functions in it from C.
  • Unlinking ELF binaries into relocatable object files, then relinking them with gcc and verifying they still work.
  • Running OpenBSD binaries natively on Linux by relinking them, with no patching required.
  • Using ET_DYN executables as shared libraries (used /usr/sbin/apache2 as a shared library and called its internal functions from C code).
  • Prototyping exploits from partial symbolic execution traces (a live exploit of an old version of Samba).
  • In-memory JIT translation from ARM to x86_64, plus debugging: a demo of running an ARM library natively on amd64 Linux with in-process JIT binary translation.

Abstract of the talk :

The slides are available here :

The codebase is available here : under MIT License (proper open source).

The code for all the demos is available here :

Check it out!

Posted in Open Source, Security

An Overview of HSTS

What is HSTS?

HSTS stands for HTTP Strict Transport Security. It is a web security policy mechanism (RFC 6797) that lets a web server tell a browser that the site must only ever be accessed over HTTPS, never plain HTTP. It prevents downgrade attacks (an attacker forcing a connection from HTTPS back to HTTP), and because a browser will not let the user click through certificate errors for an HSTS host, it also blocks the common man-in-the-middle trick of presenting an untrusted certificate.

How do you set it up?

HSTS is a response header set by the web server and returned to the browser. In the HTTP section of your web server configuration, redirect every request to HTTPS. In the HTTPS section, set the HSTS header. From then on, until max-age expires, the browser uses HTTPS for the site automatically: even if the user types an http:// URL, the browser rewrites it to https:// before sending anything on the wire. The weakness of this approach is that the very first visit can still go out over HTTP (and be intercepted) because the browser has not yet seen the header; this is trust-on-first-use, and the preload list exists to close that gap.

HSTS can also be enforced ahead of any visit by having the site in the browsers’ built-in HSTS preload list.

Web server setup (Apache)

This is what the relevant part of the HTTP VirtualHost would look like-

#Redirect to HTTPS if requested via HTTP
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    # R=301 makes it a permanent external redirect; L stops further rule processing
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

This is what the relevant part of the HTTPS VirtualHost would look like (mod_headers must be enabled; "always" makes Apache send the header on error responses too, not just on 2xx). Note that 108000 seconds is only 30 hours, which is fine while testing but far too short for production; the usual recommendation, and the minimum for preload submission, is a year (max-age=31536000)-

Header always set Strict-Transport-Security "max-age=108000; preload"

This is what a response to a request over HTTPS looks like-

HTTP/1.1 200 OK
Date: Thu, 23 Jun 2016 13:32:23 GMT
Server: localhost
Strict-Transport-Security: max-age=108000; preload
Last-Modified: Thu, 23 Jun 2016 13:32:24 GMT
Pragma: public
Cache-Control: max-age=7200, public
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Length: 64416
Connection: close
Content-Type: text/html; charset=UTF-8

What does the header look like?

Strict-Transport-Security: max-age=<seconds>; includeSubDomains; preload

The parameters are-

  • max-age is the number of seconds the browser should remember that this host is HTTPS-only. Every HTTPS response carrying the header resets the timer, so as long as users keep visiting, the policy never expires; max-age=0 tells the browser to forget the host, which is how you back out of HSTS.
  • includeSubDomains tells the browser to apply the policy to every subdomain as well, so before enabling it make sure all subdomains, including internal and legacy ones, actually serve HTTPS.
  • preload announces that the site consents to being added to the preload list built into browsers. If your site is on this list, every request, including the very first one, goes over HTTPS. You submit the site to the shared list that most browsers use, and the entry ships with future browser updates. The preload token exists so that not just anyone can add a site: without it, an attacker could submit a site that does not serve HTTPS and deny service to it. The submission site also requires includeSubDomains and a max-age of at least one year, so the 108000-second header above would be rejected as shown; and since removal from the list takes months to propagate, only preload a domain whose every subdomain is ready for HTTPS.
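The browser-side behaviour described above, as an added example that is not part of the original post: a Python model of how a browser parses the header, maintains its store of known HSTS hosts (including preloaded ones), and rewrites http:// URLs, plus the checks the preload list applies to a header. The sample hosts and header values are constructed for illustration, and the one-year minimum is the preload list’s current requirement rather than something from the post.

```python
"""Added example (not from the original post): a minimal model of how a browser
applies Strict-Transport-Security per RFC 6797, plus preload-list eligibility checks.
Hosts, URLs and header values used below are constructed for illustration."""
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # minimum max-age the preload list accepts for submission


def parse_hsts(value):
    """Parse an STS header value into (max_age, include_subdomains, preload).
    Directive names are case-insensitive. A missing, duplicated or non-numeric
    max-age makes the whole header invalid, in which case None is returned."""
    max_age, include_subdomains, preload = None, False, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return None if max_age is None else (max_age, include_subdomains, preload)


class HSTSCache:
    """The browser's store of known HSTS hosts: host -> (expiry or None if preloaded, include_subdomains)."""

    def __init__(self, preload=()):
        self.hosts = {host.lower(): (None, True) for host in preload}

    def observe(self, url, headers, now=None):
        """Record the header from one response. Only HTTPS responses may set or
        refresh HSTS state; a header seen over plain HTTP is ignored (trust-on-first-use)."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return
        parsed = parse_hsts(value)
        if parsed is None:
            return
        max_age, include_subdomains, _ = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.hosts.pop(host, None)            # max-age=0 removes the host
        else:
            self.hosts[host] = (now + max_age, include_subdomains)  # every response resets the timer

    def is_known(self, host, now=None):
        """True if host, or a parent domain with includeSubDomains, has an unexpired entry."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry is not None and expiry <= now:
                continue                           # expired entry
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url, now=None):
        """Return the URL the browser would actually fetch: http becomes https for known
        hosts, port 80 is dropped, and any other explicit port is kept as-is (RFC 6797 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def preload_problems(value):
    """Reasons the preload list would reject this header; an empty list means eligible."""
    parsed = parse_hsts(value)
    if parsed is None:
        return ["header is missing or invalid"]
    max_age, include_subdomains, preload = parsed
    problems = []
    if max_age < ONE_YEAR:
        problems.append(f"max-age {max_age} is below the required {ONE_YEAR}")
    if not include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not preload:
        problems.append("preload directive missing")
    return problems
```

Running preload_problems against the post’s own header, "max-age=108000; preload", reports both the short max-age and the missing includeSubDomains, which is exactly what the submission form would say; and the cache shows why the first visit matters: observing the header over http:// changes nothing, while one https:// response makes every later http:// URL for that host (and, with includeSubDomains, its subdomains) get rewritten before leaving the browser.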
Posted in Security