hahwul

Offensive Security Engineer, Rubyist/Crystalist/Gopher and H4cker

Posts

Revive ZAP with a Java Swap

3 min read

Recently, I encountered persistent crashes while running ZAP 2.15 on macOS. The issue seemed to stem from the bundled Java version. After some debugging and testing, I found a solution by downgrading the bundled Java version in ZAP.

LunarVim + Warp + Tokyo Night ๐ŸŒ™

2 min read

Warp์—์„œ lunarvim, lazyvim ๋˜๋Š” neovim์— ์ง์ ‘ ํ…Œ๋งˆ๋ฅผ ์ ์šฉํ•˜์—ฌ ์‚ฌ์šฉํ•˜๋‹ค ๋ณด๋ฉด ์•„๋ž˜์™€ ๊ฐ™์ด ์—ฌ๋ฐฑ์ด ๋ฐœ์ƒํ•˜๊ฒŒ ๋ฉ๋‹ˆ๋‹ค.

Placeholder Trick for Security Testing

3 min read

์ตœ๊ทผ์— ์ €๋Š” Burpsuite, Caido, ZAP์„ ๋ชจ๋‘ ์‚ฌ์šฉํ•˜๊ณ  ์žˆ์Šต๋‹ˆ๋‹ค. ๊ธฐ์กด ํ™˜๊ฒฝ์—์„œ Caido๊ฐ€ ์ถ”๊ฐ€๋˜์—ˆ๊ณ , ์—ฌ๋Ÿฌ๊ฐ€์ง€๋ฅผ ์‹คํ—˜์ค‘์— ์žˆ์Šต๋‹ˆ๋‹ค. ์ด ์‹คํ—˜์„ ์ง„ํ–‰ํ•˜๋ฉด์„œ ์˜ˆ์ƒ๋Œ€๋กœ ๋Œ์•„๊ฐ€์ง€ ์•Š์•˜๋˜ ๊ฒƒ๋“ค์ด ๋งŽ์•˜์ง€๋งŒ ๋ฐ˜๋Œ€๋กœ ๋ช‡๊ฐ€์ง€ ์–ป์–ด๊ฐ€๊ณ  ์žˆ๋Š” ๊ฒƒ๋“ค์ด ์žˆ์Šต๋‹ˆ๋‹ค. ์˜ค๋Š˜์€ ๊ทธ ์ค‘์— ์ œ๊ฐ€ ์ž˜ ์‚ฌ์šฉํ•˜์ง€ ์•Š์•˜๋˜ ํŠธ๋ฆญ์— ๋Œ€ํ•ด ๋ฐ”๋€ ์ƒ๊ฐ๊ณผ ๋‚ด์šฉ์„ ๊ณต์œ ํ• ๊นŒ ํ•ฉ๋‹ˆ๋‹ค.

ZAP 2.15 Review โšก๏ธ

~1 min read

ZAP 2.15๊ฐ€ ๋ฆด๋ฆฌ์ฆˆ๋˜์—ˆ์Šต๋‹ˆ๋‹ค. OWASP๋ฅผ ๋‚˜์˜ค๋Š” ์ด์Šˆ๋กœ ์ธํ•ด 2.14๊ฐ€ ๋น ๋ฅด๊ฒŒ ์ถœ์‹œ๋ฌ๋˜ ์ƒํƒœ๋ผ 2.15๊นŒ์ง€์˜ ๊ธฐ๊ฐ„ ๋˜ํ•œ ์งง์•˜๋„ค์š”. ์˜ค๋Š˜์€ 2.15 ๋ฒ„์ „์— ๋Œ€ํ•ด ๋น ๋ฅด๊ฒŒ ๋ฆฌ๋ทฐํ•ด๋ด…๋‹ˆ๋‹ค.

Malicious code in xz/liblzma ๐Ÿ˜ฑ

1 min read

๋ฐ”๋กœ ์–ด์ œ ์••์ถ• ์ฒ˜๋ฆฌ๋ฅผ xz ํŒจํ‚ค์ง€์˜ upstream tarballs์—์„œ ์•…์˜์ ์ธ ๋™์ž‘์ด ํ™•์ธ๋˜์–ด ์ด์Šˆ์ž…๋‹ˆ๋‹ค. ๊ฒฐ๋ก ์€ xz ๋‚ด Malicious code๊ฐ€ ์‚ฝ์ž…๋˜์—ˆ๊ณ  ์ด๋กœ ์ธํ•ด ๋งŽ์€ ์‹œ์Šคํ…œ์ด ์˜ํ–ฅ๋ฐ›์„ ๊ฒƒ์œผ๋กœ ๋ณด์ž…๋‹ˆ๋‹ค. CVE-2024-3093๋ฅผ ํ• ๋‹น๋ฐ›์€ ์ด ์ด์Šˆ์— ๋Œ€ํ•ด ์ด์•ผ๊ธฐํ•ด๋ณผ๊นŒ ํ•ฉ๋‹ˆ๋‹ค.

Smuggling with JSON

2 min read

JSON์€ YAML๊ณผ ํ•จ๊ป˜ ์ž์ฃผ ์‚ฌ์šฉ๋˜๋Š” ํฌ๋งท ์ค‘ ํ•˜๋‚˜์ž…๋‹ˆ๋‹ค. K:V ํ˜•ํƒœ์˜ ๋‹จ์ˆœํ•œ ๊ตฌ์„ฑ์ด์ง€๋งŒ, JSON์˜ ํŠน์„ฑ์„ ์ด์šฉํ•˜๋ฉด ๋ฐ์ดํ„ฐ๋ฅผ ์ˆจ๊ธฐ๊ณ  Application์˜ ์ž˜๋ชป๋œ ๋™์ž‘์„ ์œ ๋„ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

Preventing LLM Prompt Leak

1 min read

ChatGPT๋Š” ์‚ฌ์šฉ์ž ๊ฐœ๊ฐœ์ธ์ด Bot์„ ๋งŒ๋“ค๊ณ  ์„œ๋น„์Šคํ•  ์ˆ˜ ์žˆ๋„๋ก ์ œ๊ณต๋˜๊ณ  ์žˆ์Šต๋‹ˆ๋‹ค. ์ €๋„ ์ œ ํŽธ์˜๋ฅผ ์œ„ํ•ด ๋ช‡๊ฐ€์ง€ ๋งŒ๋“ค์–ด์„œ ์‚ฌ์šฉํ•˜๋Š”๋ฐ ๋„ˆ๋ฌด๋‚˜๋„ ์‰ฌ์šด ๋ฐฉ๋ฒ•์œผ๋กœ Prompt๋ฅผ ์ฝ์–ด๋‚ผ ์ˆ˜ ์žˆ์—ˆ๋„ค์š”.

Prompt Injection via Ascii Art

1 min read

LLM ๋ชจ๋ธ์„ ์‚ฌ์šฉํ•˜๋Š” ์„œ๋น„์Šค์—์„  Prompt Injection๊ณผ ๊ฐ™์€ LLM Attack์„ ๋ฐฉ์–ด, ์™„ํ™”ํ•˜๊ธฐ ์œ„ํ•ด ์—ฌ๋Ÿฌ๊ฐ€์ง€ ๋ณดํ˜ธ ๋กœ์ง์„ ๊ฐ€์ง€๊ณ  ์žˆ์Šต๋‹ˆ๋‹ค. ๊ทธ๋ฆฌ๊ณ  ์ด๋ฅผ ๊นจ๊ธฐ ์œ„ํ•ด์„œ ๋…์ฐฝ์ ์ธ ๋ฐฉ์‹์˜ Prompt๊ฐ€ ํ•„์š”ํ•ฉ๋‹ˆ๋‹ค.

PQ3 and PQC ๐Ÿ—๏ธ

2 min read

Apple์—์„œ ์กฐ๋งŒ๊ฐ„ iMessage์— PQ3๋ผ๋Š” ์•”ํ˜ธํ™” ํ”„๋กœํ† ์ฝœ์„ ์ ์šฉํ•  ์˜ˆ์ •์ด๋ผ๊ณ  ๋ฐœํ‘œํ–ˆ์Šต๋‹ˆ๋‹ค.

Do you need a config? Now, Pkl

1 min read

์ตœ๊ทผ์— Apple์ด ๋‚ด๋ถ€์—์„œ ์‚ฌ์šฉํ•˜๋˜ Configuration language๋ฅผ ์˜คํ”ˆ์†Œ์Šค๋กœ ๊ณต๊ฐœํ—€์Šต๋‹ˆ๋‹ค. ๋ฐ”๋กœ Pkl(ํ”ผํด)์ธ๋ฐ์š”, ๊ณผ์—ฐ Pkl์€ JSON๊ณผ YAML๊ณผ ํ•จ๊ป˜ Config๊ณ„์˜ ๋Œ€ํ‘œ ์ฃผ์ž๊ฐ€ ๋  ์ˆ˜ ์žˆ์„๊นŒ์š”?