DerbyCon 7.0

So excited to be speaking at DerbyCon 7.0 this year! After attending every year since the conference started, I decided to submit a talk this year and it was accepted. The title of the talk is “Extending Burp”. I’ll run through how to create Burp extensions and some gotchas that I figured out.

Hope to see you there!

Elixir vs Ruby - A Simple Test

A coworker of mine is really excited about Elixir and its performance. So, I created a little program in both Ruby and Elixir to return an array containing the squares of numbers from 1 to 1000.

This is the Ruby version.   It uses a gem called Parallel that I found quickly from searching. It uses all available processors and uses threads.

require 'parallel'
# Square each number from 1 to 1000 in parallel; returns an array
Parallel.map(1..1000) do |i|
  i * i
end

Running this a few times gives results like this-

real	0m0.118s
user	0m0.090s
sys	0m0.059s

This is the Elixir version. It uses no external libraries. It uses all available processors and uses threads.

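defmodule Parallel do
  # Start one task per element, then collect the results in order
  def pmap(collection, func) do
    collection
    |> Enum.map(&(Task.async(fn -> func.(&1) end)))
    |> Enum.map(&Task.await/1)
  end
end

Parallel.pmap 1..1000, &(&1 * &1)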

Running this a few times gives results like this-

real	0m0.271s
user	0m0.258s
sys	0m0.176s

Ruby is considerably faster on this simple example.  Definitely going to experiment more…

Favorite Podcasts

I’ve been spending most of my commute these days listening to podcasts.  I’ve found a few good ones, but am looking for ideas.   Security/development is my vocation, but I like a variety of things to listen to.

Currently I’m listening to-

  • The Art of Charm
  • The Changelog
  • The Complete Privacy & Security Podcast
  • Entrepreneur On Fire
  • Greater than Code
  • How I Built This
  • The James Altucher Show
  • The Marie Forleo Podcast
  • Nutrition Facts by Dr. Greger
  • Residual Income Podcast
  • Risky Business
  • Side School Hustle
  • Soft Skill Engineering
  • Stuff You Should Know
  • SUCCESS Insider
  • Team Never Quit Podcast
  • The Tim Ferriss Show
  • Why Are Computers
  • Advanced Persistent Security

Any other suggestions?

Python - Day 1

Python or Ruby or PHP

Well…PHP isn’t really an option.  Only Ruby or Python  🙂

As many of you may know, I started off right out of college doing C/C++ programming and finished my software development days with Java.   Since then I’ve been doing application security.   When I do program now, it’s mainly for my own uses and it’s typically in Ruby.

I became interested in Ruby when Metasploit was ported to Ruby.   But in general, the prominent language for scripting related to security is Python.  So, I decided to experiment more with Python.

Right off the bat I’ve found a few things that are annoying

  • White-space scoping. This is a common complaint if you’re used to languages that are more free-form and have explicit ways to scope. But modern editors take care of it for you, and it does enforce a consistent style. It still bugs me some, though.
  • Library compatibility between versions. There seem to be two major versions – 2.7X and 3.0. I’ve not really done enough to know the difference, but there does seem to be a difference in community support for libraries between the two.
  • OO. There are a couple of interesting things about this. First, why the explicit self parameter as the first parameter to every method? Second, things like the len function. It is used to determine the length of many different types of data. But things like lists should have a len method IMHO. They do have a __len__ method, but nothing I’ve read talks about calling it. It seems like the standalone len function expects its target to have a __len__ function so it knows how to get the length. Why not just have len on the target? It just seems not well thought-out.


Window.postMessage part 2 - an example

In Part 1 of the series, I talked about the basics of Window.postMessage and showed some sample code.  This post will show some real code with a demo link.   This code purposefully has some security issues which will be addressed in the third and final post of the series.

The demo code found at is –

<iframe src="" style="width:100%; height:50%;"></iframe>


What it does is load in an iframe that is 50% of the height of the window and 100% of the width.  It then has a form where you can specify text and when you hit submit, it sends a message to the iframe with the text that is specified in the form.

The code for is –


It first registers a function (receiveMessage) to handle the “message” event and creates a div. When a message is received, it appends the text to the div.

Window.postMessage part 1 - the basics

What is Window.postMessage?

Window.postMessage is a way to safely communicate cross-origin between windows. Normally, pages are only allowed to interact with each other if they share the same origin (protocol + host + port matching). postMessage allows a developer to get around that.


targetWindow.postMessage(message, targetOrigin, [transfer]);

The components are-

  • targetWindow – a reference to another window that you wish to send a message to. You can obtain a reference by a) the object returned by, b) the contentWindow of an iframe, and c) using the numeric index on the Window.frames object
  • message – data sent to the window
  • targetOrigin – specify what the origin of targetWindow must be in order for the event to be dispatched. Either ‘*’ or the full origin. This is necessary because the origin of the window may have changed. It is advised not to specify ‘*’, otherwise you may be sending data to an unintended origin.
  • transfer (optional) – objects that are transferred with the message. After transferring, they are no longer accessible by the sender

What does it look like in practice?

The code in the target window ( would look something like this. This script lives on the default page for

window.addEventListener("message", receiveMessage, false);
function receiveMessage(event) {
  var origin = event.origin || event.originalEvent.origin; // For Chrome,
  if (origin !== "")
    return; // ignore messages from any other origin
  // ... handle the message
}

The above code is based off of

This is what the sending code would look like (on

var wnd =";
wnd.postMessage("Test Message", "");

That’s basically what it looks like and how you use Window.postMessage to send messages cross-origin. This gets around the same origin policy, which restricts how windows can interact with each other based on having the same protocol, host, and port. Part 2 of the series will continue the discussion with the security implications of Window.postMessage and how using it improperly can lead to unintended security vulnerabilities in a page.
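
The receiver-side origin check and the explicit targetOrigin described above, as an added example that is not code from the original post. The origins are placeholders, and makeReceiver and sendTo are hypothetical helper names.

```javascript
// Added example, not from the original post. Origins are placeholders.
const TRUSTED_ORIGINS = new Set(["https://parent.example"]);

// Receiver: accept a message only when event.origin is an exact match for a
// trusted origin and the payload is a plain string.
function makeReceiver(outputEl, trustedOrigins = TRUSTED_ORIGINS) {
  return function receiveMessage(event) {
    // Exact comparison: a prefix or substring test would also accept a
    // look-alike origin such as https://parent.example.other.test.
    if (!trustedOrigins.has(event.origin)) return false;
    if (typeof event.data !== "string") return false;
    // textContent treats the message as text, never as markup.
    outputEl.textContent += event.data + "\n";
    return true;
  };
}

// Sender: always name the receiver's full origin instead of "*", so the
// browser drops the message if the target window has navigated elsewhere.
function sendTo(targetWindow, message, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing wildcard targetOrigin");
  }
  // Reject anything that is not a bare origin (scheme + host + port).
  if (new URL(targetOrigin).origin !== targetOrigin) {
    throw new Error("targetOrigin must be a bare origin");
  }
  targetWindow.postMessage(message, targetOrigin);
}

// Browser wiring; skipped when no DOM is available (for example under Node).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const out = document.createElement("div");
  document.body.appendChild(out);
  window.addEventListener("message", makeReceiver(out), false);
}
```
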

The Hustle

Found this cool new list called “The Hustle” that sends tech and business news each day.   It’s had some really interesting stuff so far.

Check it out here!

Injection on Windows

So, I’ve been playing around a bit with DLL injection on Windows. The basic process is-

  • Identify the process
  • Open the target process
  • Create a buffer in the target process that’s large enough to hold the path to the DLL to inject
  • Write the path to the DLL to the buffer
  • Create a remote thread in the target process using LoadLibrary as the thread function and the buffer created as the parameter

That’s it in a nutshell. Will show in-depth soon!
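
The last step in the list above leaves a recognizable trace for defenders: a thread created in another process whose start function is LoadLibrary. The following is an added example, not code from the original post, that flags that pattern. The events are constructed and use the field names of Sysmon Event ID 8 (CreateRemoteThread); findRemoteLoadLibrary is a hypothetical helper name.

```javascript
// Added example, not from the original post. SAMPLE_EVENTS is constructed
// data shaped like Sysmon Event ID 8 (CreateRemoteThread) records.
const SAMPLE_EVENTS = [
  { EventID: 8,
    SourceImage: "C:\\Users\\lab\\tool.exe",
    TargetImage: "C:\\Windows\\System32\\notepad.exe",
    StartModule: "C:\\Windows\\System32\\kernel32.dll",
    StartFunction: "LoadLibraryA" },
  { EventID: 8,
    SourceImage: "C:\\Windows\\System32\\csrss.exe",
    TargetImage: "C:\\Windows\\System32\\svchost.exe",
    StartModule: "C:\\Windows\\System32\\ntdll.dll",
    StartFunction: "-" },
  { EventID: 1,
    Image: "C:\\Windows\\System32\\notepad.exe" },
];

// Loader entry points that take a DLL path as their single argument.
const LOADER_FUNCTIONS = /^LoadLibrary(Ex)?[AW]$/i;
const LOADER_MODULES = ["kernel32.dll", "kernelbase.dll"];

// Last path component, lower-cased, so comparisons ignore directory and case.
function baseName(path) {
  return String(path || "").split("\\").pop().toLowerCase();
}

// Return remote-thread events whose start address resolves to LoadLibrary*.
function findRemoteLoadLibrary(events) {
  return events
    .filter((e) =>
      e.EventID === 8 &&
      LOADER_FUNCTIONS.test(e.StartFunction || "") &&
      LOADER_MODULES.includes(baseName(e.StartModule)))
    .map((e) => ({
      source: e.SourceImage,
      target: e.TargetImage,
      fn: e.StartFunction,
    }));
}

for (const hit of findRemoteLoadLibrary(SAMPLE_EVENTS)) {
  console.log(`remote ${hit.fn} thread: ${hit.source} -> ${hit.target}`);
}
```
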