Cover graphic with the text 'BBB #2 - Hello, Daneel'

BBB #2 - Introducing Daneel

This week, I began building my own bug bounty automation tool. This post introduces daneel and talks about how I plan to use daneel to hunt for bugs.

11 June 2024 | 8 min | 1621 words | Jakob Pennington

BBB #1 - Back Hunting

G’day! I’m Jakob, an Application Security consultant from Australia. Welcome to my Bug Bounty Blog (BBB). After a long hiatus from bug bounty, I have decided to fire up nikto again and start scanning the web for fun and profit. This blog is all about committing what I’m learning and thinking to paper, and sharing it with the world. Why did I stop bug bounty? Good question, thanks for asking....

2 June 2024 | 5 min | 961 words | Jakob Pennington

Jakob Pennington standing in front of an audience, giving a presentation on DevSecOps at the DDD Adelaide conference.

About

G’day, I’m Jakob Pennington, and I help development teams build secure software. I have an obsession for learning, and I aspire to share what I learn with others. Professionally, I share my time between software development, cybersecurity, and where the two disciplines intersect: application security. Background: My career has led to application security for two key reasons. Early in my career, as I was cutting my teeth as a penetration tester, I realised that a pentest is far too late in the software lifecycle to start thinking about security....

26 November 2022 | 2 min | 376 words | Jakob Pennington

Running a python script inside a kali docker container running on Windows.

Building hacking tools in Windows using Docker

Something that I have struggled with in the past as a software developer turned penetration tester is the fact that I use two operating systems on a daily basis, and this sometimes causes friction in my workflow. Note: I really don’t intend or want this to be a discussion of the merits of one OS or IDE compared with another. I use the tools that I am familiar and productive with, and it’s totally cool if you use something different....

28 July 2020 | 5 min | 1000 words | Jakob Pennington

The docker logo, a blue whale with shipping containers on its back.

Can Docker containers replace VMs for bug bounty hunters and penetration testers?

There were many things to consider, and we may talk about some of those things in the future, but the aspect of penetration testing I want to talk about today is the infrastructure we use to conduct a penetration test. Note: With a few minor exceptions, the same thought process applies for bug bounty hunting. If that’s more your thing, feel free to sed s/penetration testing/bug bounty hunting/g. What do we need from our infrastructure?...

22 July 2020 | 10 min | 1920 words | Jakob Pennington

A flow diagram representing the 8 phases of the DevOps pipeline, with security baked into each phase.

Shifting Left: DevSecOps as an Approach to Building Secure Applications

So far in the Introduction to DevOps series, we’ve covered what DevOps is at a high level and what the practice aims to achieve. We then broke down the DevOps pipeline into phases to get a better understanding of how a DevOps pipeline hangs together, as well as some common terminology. If you haven’t already, go check them out first 👇 Part 1: What is DevOps? Part 2: The Eight Phases of a DevOps Pipeline...

18 July 2019 | 6 min | 1066 words | Jakob Pennington

A figure of 8 loop representing the DevOps pipeline, including continuous integration and continuous deployment.

The Eight Phases of a DevOps Pipeline

In my last article, I covered the basics of DevOps and highlighted the benefits that have motivated so many organisations to shift to this new model for software development. This article will build on the last, so if you haven’t already, go check it out 👇 Part 1: What is DevOps? When talking about DevOps, it’s useful to divide the process into phases which come together to make a DevOps pipeline....

18 July 2019 | 10 min | 2023 words | Jakob Pennington

A figure of 8 loop showing the 8 phases of the DevOps lifecycle: Plan, Code, Build, Test, Release, Deploy, Operate, Monitor.

What is DevOps?

DevOps as a philosophy for software development has been around for some time now. It has evolved from being a buzzword, the new hip thing in software development, to a tried and tested practice by organisations of all sizes. But, for people and organisations who are considering DevOps or have recently adopted a DevOps approach, it can be difficult to see the benefits of DevOps and how it works in practice....

18 July 2019 | 6 min | 1114 words | Jakob Pennington

A photo of a cute puppy.

Exploiting XSS via Markdown

I recently came across a web application in which I was able to exploit a Cross-Site Scripting (XSS) vulnerability through a markdown editor and rendering package. It was the first time I had come across this type of vulnerability, and I found it particularly interesting because it allowed me to bypass multiple layers of XSS filtering that were implemented in the application. Here’s a short article on how I came across the vulnerability and set about crafting an exploit....

8 February 2019 | 7 min | 1350 words | Jakob Pennington

A Superman Lego figurine on a tree stump.

Breaking into Encrypted iPhone Backups

This is a story about my favourite moment in Information Security so far. I thought, rather than just breaking down the technical part, I’d branch out and try something different. If you’re just interested in iOS security, feel free to skip ahead 👌 Note: Unfortunately, for legal reasons, I can’t crack your password for you. If you’ve ever worked in the IT industry, are good with computers, or were simply born after 1980, then you’re probably asked every other week to provide tech support....

21 November 2018 | 12 min | 2398 words | Jakob Pennington