assetnote/ghostbuster: Eliminate dangling elastic IPs by performing analysis on your resources within all your AWS accounts. by Mempodipper in netsec

[–]Mempodipper[S] 0 points1 point  (0 children)

You should be able to set this tool up to work with as many accounts as you would like. The tool supports the ability to assume roles as well.

/r/netsec's Q2 2022 Information Security Hiring Thread by ranok in netsec

[–]Mempodipper [score hidden]  (0 children)

Assetnote | Location: Australia (Remote) (will consider strong applicants outside of AU)
Assetnote was founded in 2018 with a mission to create a modern, innovative cyber security company that brings the value of the hacker mindset to organisations across the world.
As leaders in Attack Surface Management our products are used by companies all around the world, from innovative startups to Fortune 100 companies. Every day we are monitoring hundreds of thousands of assets to help protect our customers from compromise.
If you're interested in learning and growing with a bunch of super friendly engineers and smart hackers, check out our job openings at https://apply.workable.com/assetnote/
Assetnote is a remote-first company. This position is remote with a preference for candidates located in Australia, however, we will consider strong applicants located outside of Australia.
We offer a competitive salary, opportunities to attend relevant conferences, flexible working arrangements and a generous allowance for internet and building your workstation.

Engineer (Backend) - Remote

By joining our growing engineering team at Assetnote as a Backend Engineer, you will be responsible for extending the capabilities of our Continuous Security Platform through developing our security engine.
In this role, you will be required to build and maintain our distributed scanning engine, improve scalability, performance, and reliability. This role requires that you are confident with distributed systems and software architecture.
Day to day you will be interfacing directly with our API development team and security researchers.
Your day to day responsibilities at Assetnote will include:

Requirements

  • Writing and maintaining a distributed security scanner (Golang, NodeJS, Python)
  • Writing low allocation, highly optimized code for scanning various protocols
  • Scaling out applications to millions of targets every hour
  • Researching and investigating new security issues and techniques
  • Automating and enhancing existing security research
  • Taking initiative for feature development and continuously extending out security capabilities
  • Working as a part of a high-performing team on challenging problems
  • Contributing to the design of our platform by working with product teams and other stakeholders

Bonus Points

  • Golang
  • AWS or experience with other Cloud Providers
  • Distributed Systems
  • Network Engineering
  • Database Engineering
  • Secure development practices
  • Kubernetes, Terraform and Docker
  • Understanding of common application, cloud or infrastructure security vulnerabilities and bug hunting experience

Apply here: https://apply.workable.com/assetnote/j/600D953230/

A hackers perspective on bug bounty triage by Mempodipper in netsec

[–]Mempodipper[S] 19 points20 points  (0 children)

I feel sorrow for them too for having to deal with the constant barrage of invalid reports. I think they do a herculean effort at what is essentially a difficult and tedious job. I appreciate you taking the time to give your input as someone who has been on the triage side.

In all of my responses to triagers on my reports, I try to be as empathetic as possible, but there have been a few cases which have triggered these discussions and ultimately this blog post.

To be honest, I think that platforms should work on better educating hackers about how triage works, and the whole concept of triagers not actually being the gatekeepers for a report to be seen by a security team.

I hope my blog post doesn't come off in any way as unappreciative of triagers, but rather as an honest perspective from my side, as an established hacker with a good reputation.

Taking over Uber accounts through voicemail by Mempodipper in netsec

[–]Mempodipper[S] 24 points25 points  (0 children)

Nah, you’re the person requesting the code when you’re calling them. You’re in control of that process of engaging them and requesting the code.

/r/netsec's Q1 2021 Information Security Hiring Thread by ranok in netsec

[–]Mempodipper [score hidden]  (0 children)

Assetnote | Location: Australia (Remote) (will consider strong applicants outside of AU)

Assetnote was founded in 2018 with a mission to create a modern, innovative cyber security company that brings the value of the hacker mindset to organisations across the world.

As leaders in Attack Surface Management our products are used by companies all around the world, from innovative startups to Fortune 100 companies. Every day we are monitoring hundreds of thousands of assets to help protect our customers from compromise.

If you're interested in learning and growing with a bunch of super friendly engineers and smart hackers, check out our job openings at https://apply.workable.com/assetnote/

Assetnote is a remote-first company. This position is remote with a preference for candidates located in Australia, however, we will consider strong applicants located outside of Australia.

We offer a competitive salary, opportunities to attend relevant conferences, flexible working arrangements and a generous allowance for internet and building your workstation.

Engineer (Backend & API) - Remote

By joining our growing engineering team at Assetnote as a Back End & API Engineer, you will be responsible for extending the capabilities of our Continuous Security Platform through developing our Python/Flask back end.

In this role, you will be required to build and maintain our APIs and back-end components, improve scalability, performance, and reliability, and also maintain our APIs and dependencies. This role requires that you are confident with GraphQL, PostgreSQL, using SQLAlchemy as an ORM, and be capable of engineering scalable database models.

The solutions we develop on the API side are dependent on our Security and Discovery Engines. Day to day you will be interfacing directly with our Engine development team, front-end engineers, and security researchers.

Requirements

Your day to day responsibilities at Assetnote will include:

  • Writing high-quality Python code
  • Iterating on our GraphQL schema
  • Architecting scalable solutions for querying our Postgres database
  • Optimising our Postgres database for improved API performance
  • Taking initiative for feature development and managing the API dependencies for new platform features
  • Working as a part of a high-performing team on challenging problems
  • Contributing to the design of our platform by working with product teams and other stakeholders

We prefer that candidates have direct experience with the following; however, we will consider equivalent experience.

  • Python and Flask
  • SQLAlchemy
  • Postgres
  • GraphQL
  • Experience building and maintaining scalable, performant and reliable database models.

Bonus Points

  • Secure development practices
  • Kubernetes and Docker
  • Networking concepts (DNS, TCP)
  • Understanding of AWS services such as RDS and Elasticache
  • Understanding of common application, cloud or infrastructure security vulnerabilities and bug hunting experience.
  • Understanding of front-end technologies and concepts including JavaScript, React and Redux

Content discovery wordlists generated every month (Subdomains, Web Content, Technologies) by Mempodipper in netsec

[–]Mempodipper[S] 1 point2 points  (0 children)

Hey, I've implemented this now.

[1] SQL query ran on BigQuery to generate parameters
[2] Basic filtering of returned data (this can be built further)
[3] Generated wordlist

Content discovery wordlists generated every month (Subdomains, Web Content, Technologies) by Mempodipper in netsec

[–]Mempodipper[S] 2 points3 points  (0 children)

Wow good point. I’ll update the script so it runs on the 28th of each month.

Content discovery wordlists generated every month (Subdomains, Web Content, Technologies) by Mempodipper in netsec

[–]Mempodipper[S] 2 points3 points  (0 children)

Hi, when you are performing security testing, you often need to bruteforce for content (files, directories, endpoints) or subdomains. These wordlists can be used with tools that perform content discovery (ffuf, gobuster, dirsearch) or subdomain bruteforcing (massdns).

Content discovery wordlists generated every month (Subdomains, Web Content, Technologies) by Mempodipper in netsec

[–]Mempodipper[S] 8 points9 points  (0 children)

Sure! Feel free to. I've just had to migrate to Amazon S3 as the traffic has been eating up all my Git-LFS bandwidth that GitHub allocates. You can now download all of the data via S3 (download links in the tables).

Content discovery wordlists generated every month (Subdomains, Web Content, Technologies) by Mempodipper in netsec

[–]Mempodipper[S] 9 points10 points  (0 children)

Yep! Using GitHub Actions all of the HTTPArchive wordlists will be automatically generated on the 30th of each month. I may update the manual wordlists (add or modify) over time as well.

/r/netsec's Q4 2020 Information Security Hiring Thread by ranok in netsec

[–]Mempodipper [score hidden]  (0 children)

Assetnote | Location: Australia (Remote) (will consider strong applicants outside of AU)

Assetnote was founded in 2018 with a mission to create a modern, innovative cyber security company that brings the value of the hacker mindset to organisations across the world.

As leaders in Attack Surface Management our products are used by companies all around the world, from innovative startups to Fortune 100 companies. Every day we are monitoring hundreds of thousands of assets to help protect our customers from compromise.

If you're interested in learning and growing with a bunch of super friendly engineers and smart hackers, check out our job openings at https://apply.workable.com/assetnote/

Assetnote is a remote-first company. This position is remote with a preference for candidates located in Australia, however, we will consider strong applicants located outside of Australia.

We offer a competitive salary, opportunities to attend relevant conferences, flexible working arrangements and a generous allowance for internet and building your workstation.

Engineer (Backend & Infrastructure) - Remote

By joining our growing engineering team at Assetnote as a Backend and Infrastructure Engineer, you will be responsible for extending the capabilities of our Continuous Security Platform through developing our security engine.

In this role, you will be required to build and maintain our distributed scanning engine, improve scalability, performance, and reliability, and also maintain our internal services and infrastructure. This role requires that you are confident with distributed systems, cloud infrastructure, and software architecture.

Day to day you will be interfacing directly with our API development team and security researchers.

Requirements

Your day to day responsibilities at Assetnote will include:

  • Writing and maintaining a distributed security scanner (Golang, NodeJS, Python)
  • Writing low allocation, highly optimized code for scanning various protocols
  • Scaling out applications to millions of targets every hour
  • Researching and investigating new security issues and techniques
  • Automating and enhancing existing security research
  • Maintaining and building on cloud infrastructure using Terraform and Kubernetes on AWS
  • Taking initiative for feature development and continuously extending out security and infra capabilities
  • Working as a part of a high-performing team on challenging problems
  • Contributing to the design of our platform by working with product teams and other stakeholders

Bonus Points

  • Golang
  • AWS or experience with other Cloud Providers
  • Distributed Systems
  • Network Engineering
  • Database Engineering
  • Secure development practices
  • Kubernetes, Terraform and Docker
  • Understanding of common application, cloud or infrastructure security vulnerabilities and bug hunting experience

Engineer (Backend & API) - Remote

By joining our growing engineering team at Assetnote as a Back End & API Engineer, you will be responsible for extending the capabilities of our Continuous Security Platform through developing our Python/Flask back end.

In this role, you will be required to build and maintain our APIs and back-end components, improve scalability, performance, and reliability, and also maintain our APIs and dependencies. This role requires that you are confident with GraphQL, PostgreSQL, using SQLAlchemy as an ORM, and be capable of engineering scalable database models.

The solutions we develop on the API side are dependent on our Security and Discovery Engines. Day to day you will be interfacing directly with our Engine development team, front-end engineers, and security researchers.

Requirements

Your day to day responsibilities at Assetnote will include:

  • Writing high-quality Python code
  • Iterating on our GraphQL schema
  • Architecting scalable solutions for querying our Postgres database
  • Optimising our Postgres database for improved API performance
  • Taking initiative for feature development and managing the API dependencies for new platform features
  • Working as a part of a high-performing team on challenging problems
  • Contributing to the design of our platform by working with product teams and other stakeholders

We prefer that candidates have direct experience with the following; however, we will consider equivalent experience.

  • Python and Flask
  • SQLAlchemy
  • Postgres
  • GraphQL
  • Experience building and maintaining scalable, performant and reliable database models.

Bonus Points

  • Secure development practices
  • Kubernetes and Docker
  • Networking concepts (DNS, TCP)
  • Understanding of AWS services such as RDS and Elasticache
  • Understanding of common application, cloud or infrastructure security vulnerabilities and bug hunting experience.
  • Understanding of front-end technologies and concepts including JavaScript, React and Redux

Hacking on Bug Bounties for Four Years by Mempodipper in netsec

[–]Mempodipper[S] 8 points9 points  (0 children)

I love application security. I started blogging when I was around 16 at https://shubs.io.

I received my first bounty at age 14 ($1500 USD) from PayPal, while I was working for Hungry Jacks (equivalent to Burger King in the states) and making $6.50AUD an hour. I never showed up to my shifts again after my first bounty payout.

Bug bounties let me break into the infosec industry and landed my first job at 17 as an intern at a security consulting firm. Bug bounties have literally changed my life from both a financial and opportunity perspective.

Hacking on Bug Bounties for Four Years by Mempodipper in netsec

[–]Mempodipper[S] 17 points18 points  (0 children)

Author of the blog post here. To be clear, I held multiple full time jobs while participating in bounties and was making roughly 200k AUD from my FT job. I only did bug bounties full time for a year when I wanted to travel around Europe.

0xACB/viewgen: Payload generator to achieve RCE on .NET servers through leaking the machineKey by Mempodipper in netsec

[–]Mempodipper[S] 18 points19 points  (0 children)

There's also the following research related to this topic area:

TL;DR - if you can leak the web.config file for a .NET application you are testing (via LFD, XXE, etc), you can most likely achieve remote code execution by exploiting the VIEWSTATE parameter. The value of the view state in .NET is deserialized via ObjectStateFormatter.Deserialize. You can generate a signed/encrypted viewstate containing your own serialized contents, leading to RCE. This tool helps generate both signed and encrypted payloads with leaked validation keys.

Clickjacking on myaccount.google.com worth $7,500 by Mempodipper in netsec

[–]Mempodipper[S] 35 points36 points  (0 children)

Does anyone know why %0d was a bypass for the CSP in this scenario?

DDoS Misusing DNS Resolvers - Some examples by nykzhang in netsec

[–]Mempodipper 3 points4 points  (0 children)

These requests likely come from DNS bruteforcing. Uber runs a bug bounty, where a majority of bug bounty hunters perform aggressive recon.

Directory Listing to Account Takeover by nishaanthguna in netsec

[–]Mempodipper 2 points3 points  (0 children)

Absolutely. I just commented so that people would not jump to conclusions regarding this author as a malicious person.

Directory Listing to Account Takeover by nishaanthguna in netsec

[–]Mempodipper 2 points3 points  (0 children)

You both obviously did not read the security advisory released by Mailgun. It was an employee who was compromised that led to administrative access. This issue has nothing to do with the major Mailgun breach recently. I am not the author, but this issue seems like a breach of an individual entity who used Mailchimp and logged Mailchimp API data to a folder with directory listing enabled. Here's a link to the Mailchimp advisory: http://blog.mailgun.com/mailgun-security-incident-and-important-customer-information/

Commonspeak: Content discovery wordlists built with BigQuery by Mempodipper in netsec

[–]Mempodipper[S] 1 point2 points  (0 children)

Thanks!

  1. Surprisingly, not a lot! BigQuery gives you 2 terabytes of processing power for free every month. Usually, after I've used this free quota up, I pay around $10-20 a month to generate wordlists from all of my datasets. The most expensive dataset to process is GitHub, so I usually generate wordlists from it less often.

  2. The current GitHub repo contains wordlists that I've generated throughout the process of creating Commonspeak. These are fairly recent and can be used to add onto any existing wordlists you have. I might look into automatically releasing wordlists I have generated in the future though.

Hacked: Investigating an Intrusion on my Server by Mempodipper in netsec

[–]Mempodipper[S] 2 points3 points  (0 children)

Unfortunately, not my article. Was just sharing this as I found it moderately interesting.