All

This week, I began building my own bug bounty automation tool. This post introduces daneel and talks about how I plan to use daneel to hunt for bugs.

G’day! I’m Jakob, an Application Security consultant from Australia, welcome to my Bug Bounty Blog (BBB). After a long hiatus from bug bounty, I have decided to fire up nikto again and start scanning the web for fun and profit. This blog is all about committing what I’m learning and thinking to paper, and to share it with the world. Why did I stop bug bounty? Good question, thanks for asking....

G’day, I’m Jakob Pennington, and I help development teams build secure software. I have an obsession for learning, and I aspire to share what I learn with others. Professionally, I share my time between software development, cybersecurity, and where the two disciplines intersect: application security. Background My career has led to application security for two key reasons: Early in my career, as I was cutting teeth as a penetration tester, I realised that a pentest is far too late in the software lifecycle to start thinking about security....

Something that I have struggled with in the past as a software developer turned penetration tester is the fact that I use two operating systems on a daily basis, and this sometimes causes friction in my workflow. Note: I really don’t intend or want this to be a discussion of the merits of one OS or IDE compared with another. I use the tools that I am familiar and productive with, and it’s totally cool if you use something different....

There were many things to consider, and we may talk about some of those things in the future, but the aspect of penetration testing I want to talk about today is the infrastructure we use to conduct a penetration test. Note: With a few minor exceptions, the same thought process applies for bug bounty hunting. If that’s more your thing, feel free to sed s/penetration testing/bug bounty hunting/g. What do we need from our infrastructure?...

So far in the Introduction to DevOps series, we’ve covered what DevOps is at a high-level and what the practice aims to achieve. We then broke down the DevOps pipeline into phases to get a better understanding of how a DevOps pipeline hangs together as well as some common terminology. If you haven’t already go check them out first 👇 Part 1: What is DevOps? Part 2: The Eight Phases of a DevOps Pipeline...

In my last article, I covered the basics of DevOps and highlighted the benefits that have motivated so many organisations to shift for this new model for software development. This article will build on the last, so if you haven’t already, go check it out 👇 Part 1: What is DevOps? When talking about DevOps, it’s useful to divide the process into phases which come together to make a DevOps pipeline....

DevOps as a philosophy for software development has been around for some time now. It has evolved from being a buzzword, the new hip thing in software development, to a tried and tested practice by organisations of all sizes. But, for people and organisations who are considering DevOps or have recently adopted a DevOps approach, it can be difficult to see the benefits of DevOps and how it works in practice....

I recently came across a web application in which I was able to exploit a Cross-Site Scripting (XSS) vulnerability through a markdown editor and rendering package. It was the first time I had come across this type of vulnerability, and I found it particularly interesting because it allowed me to bypass multiple layers of XSS filtering that was implemented in the application. Here’s a short article on how I came across the vulnerability and set about crafting an exploit....

This is a story about my favourite moment in Information Security so far. I thought, rather than just breaking down the technical part, I’d branch out and try something different. If you’re just interested in iOS security, feel free to skip ahead 👌 Note: Unfortunately, for legal reasons, I can’t crack your password for you. If you’ve ever worked in the IT industry, are good with computers, or were simply born after 1980, then you’re probably asked every other week to provide tech support....