Blog

Prepare to Write A Scanner Plugin Before Your Next Platform Test!

BurpSuite is a remarkably extensible platform. While I have written a number of extensions for testing specific applications, as well as more general extensions, one type of extension I had never attempted before was creating my own BurpSuite Scanner plugin. Because modern applications are increasingly difficult to exhaustively test for certain types of issues, I...

Building a “Quick” Lab Environment with Linux Containers

As a penetration tester, I often need to stand up small environments (and sometimes not so small) for a few different reasons—to try things out before making a mess of a client’s production system, to avoid being detected, or to use it simply for our own practice. A lot of us at TrustedSec are remote,...

Ruby ERB Template Injection

Written by Scott White & Geoff Walton Templates are commonly used both client and server-side for many of today’s web applications.  Many template engines are available in several different programming languages.  Some examples are Smarty, Mako, Jinja2, Jade, Velocity, Freemaker, and Twig.  Template injection is a type of injection attack that can have some particularly...

SHIPS version 2 Released! (major release)

The Shared Host Integrated Password System (SHIPS) is an open-source solution created by Geoff Walton from TrustedSec to provide unique and rotated local super user or administrator passwords for environments where it is not possible or not appropriate to disable these local accounts. Our goal is to make post exploitation more difficult and provide a...

The Internet Gets a Dress Code!

Next generation firewalls have been the buzz for a few years now, but only on some of my more recent field experiences have I encountered organizations doing what I really like to see being done with them. Next generation firewalls are really all about one thing in my opinion: real honest egress monitoring and they...

Scaling New Walls with Old Ladders

The security landscape is always changing. Both attackers and defenders are constantly facing new challenges. The content of the pentester’s toolbox today is very different from just a few short years ago, as has the array of technologies, network administrators, and security practitioners have at this disposal to defend against increasingly capable threat agents. With...