Pro Tip: The Right Way to Test JSON Parameters with Burp
Dan McInerney, Senior Security Consultant, Coalfire
Here’s a Burp trick you might not know, which helped find this instance of command execution and lots of SQL injection in other applications. Despite PortSwigger claiming otherwise, Burp does not parse JSON very well, especially nested JSON parameters and values like you see below.
Cloud Security Governance - Optimizing the Business Benefits of Security in the Cloud
Michael Addo-Yobo, Managing Principal, Cyber Risk Advisory, Coalfire
Enterprises are increasingly pursuing the business advantages of migrating technology platforms and services into the cloud environment leveraging one or more of the three main cloud service areas – Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). These advantages include but are not limited to rapid information system deployment, significantly reduced operating costs, massive economies of scale, processing speed, and agility. However, subscription to these services often imply security and compliance challenges for enterprises who are often unprepared to resolve them.
Managing Your Vulnerabilities, FedRAMP Style
Dana Scaffido, Senior Consultant, Cyber Engineering, Coalfire
As a member of Coalfire’s Cyber Engineering team, I frequently get questions about vulnerability Deviation Requests (DRs) from Cloud Service Providers (CSPs) seeking Federal Risk and Authorization Management Program (FedRAMP) authorizations. In this post, I’ll try to answer questions we frequently encounter about Deviation Requests and provide some useful resource links.
Scripted Inputs and Splunk
Josh Porto, Senior Consultant, Cyber Engineering, Coalfire
Splunk is an extremely versatile tool when dealing with data:
- Monitor files? Check!
- Listen in on an open port? Check!
- Monitor the file system? Performance monitor? HTTP Event Collector?
- Check, check aaaaand check!
But what if the data you want to ingest does not have a method listed above? Say, something like a database or a security tool’s API? Scripted inputs are the solution! Splunk can even employ a variety of scripts to include (but not limited to) PowerShell, shell scripts, and Python. Besides working around data sources, which do not use log files and cannot send via TCP or UDP, the advantages abound and include:
Forensically Imaging a Microsoft Surface Pro 4
Robert Meekins, Director, Forensics, Coalfire
Working on digital forensics can sometimes create some challenging situations. Recently, we received a couple of Microsoft Surface Pro tablets to image and analyze. Having conducted forensics for a while, I realized that, depending on the version, imaging this tablet could be a challenge. Some setbacks normally associated with Surface tablets include not being able to remove the hard drive, the inability to place the device in target mode, and the hardware being very finicky about what OS can and cannot boot. Ultimately, the challenge comes down to having to use the tablet itself to perform the image, and the only option for input is a single USB port.