One of the most common bugs that you may encounter in go are race conditions. This is often the case when working with goroutines and non-atomic data types. Plenty of articles have covered goroutine race conditions, but why don’t we take another look and, this time, debug a couple race conditions to death by looking at what happens under the hood? Let’s take a look at a typical example. We will examine what happens when we dereference a method receiver and assign it an object that we later modify. Read more

The developer’s console is perhaps one of the most underutilized tools by application security professionals. Yet, there is a great deal of information that can be learned about a web application by dynamically exploring its client-side code from the console. Depending on how front-end code is loaded in the browser, you may manipulate the application’s behavior by calling functions built-in by their developers. This can be extremely useful when testing authentication and authorization issues in a web application. Read more

I would like to introduce Gorp, A modular bug hunting, pentesting, and web application reverse engineering framework written in Go that I have been working on for the past few months. The idea of gorp came up as I started exploring the Chrome Dev Tools protocol and how to use it in my pentesting and bug hunting work. If you want to learn more about how that came about you can read this blog post. Read more

Creating your email may be seen as equivalent to making your own cheese, or crafting your own beer: it is kinda of hipster thing. There are so many email services out there so why would you spend the time to do that? What I like about it is that it allows me to learn to work with OpenBSD through a fun, useful project, and it’s kinda of radical thing to do. Read more

I recently found this article about using the Chrome DevTools protocol to intercept and modify traffic. I found the article very enlighting given that the technique can allow pentesters to use complex logic when intercepting and modifying web requests. And yes, you can capture, intercept and modify traffic with tools like Burp, but you often have to rely on a heavy GUI and complex regex rules (and while I find regex very useful for my work, I don’t find it fun to work with it! Read more