Offensive Security Engineer, Rubyist/Crystalist/Gopher and H4cker

Posts - Page 15 of 86

Dalfox 2.6 Released 🎉

2 min read

Wow! Dalfox 2.6.0 has finally been released! This time, I improved the focus on the Result and PoC objects, and a new global flag called --poc-type was added. Let's play with it quickly 😎

Fixing the SEO problem caused by noindex in Hugo aliases

1 min read

When you use aliases in Hugo, a page that redirects via a meta tag is generated for each alias address. This approach is generally fine for moving a URL, but because the status code is 200 rather than 30x, search bots such as Google end up crawling that page.

Updating a Go package on pkg.go.dev immediately

~1 min read

Apps developed in golang are stored on pkg.go.dev; you can view package information through that site, and when you actually fetch a package with go get, the latest version there is what gets pulled. I remember that my past self, who did not know this well, made this kind of mistake too.

How to fix the 413 error in Kubernetes ingress

~1 min read

If you use nginx-ingress in Kubernetes, a 413 Request Entity Too Large error can occur when sending large data such as file uploads. This happens because the maximum body size that nginx-ingress has by default is not set very large, and it can be resolved by setting an annotation on the ingress as shown below.

Solving issue the POST scan in zap-cli not work

1 min read

During the test, I found that POST-based scanning (active-scan / quick-scan) was not working in zap-cli 😱 This problem is a zap-cli issue, and it has already been reported as an issue below.

Changing Languages in a GitHub repo (.gitattributes)

1 min read

On the right side of a GitHub repository page is Languages, the language statistics for that repo. It serves as an indicator that lets visitors to the page see which language the project is mainly built with, and some tools also classify open-source projects based on this data.

Handling very large JSON files in Go

2 min read

Recently I was googling over a trivial problem and ended up solving it simply, so I thought I would share it in a short post. Because I treated it as a complicated problem, I ended up missing the answer that was close at hand.

[Cullinan #21] Add RFD(Remote File Download)

~1 min read

This is Cullinan update log #21. I added RFD(Remote File Download) and revised the wordlist section in Cache Poisoning.

[Cullinan #20] LDAP Injection, ClickJacking, Cache Poisoning and improvements

~1 min read

This is Cullinan update log #20. I set up Cullinan's main page the same way as the one I used on the old Jekyll blog, and improved the Slug part, so some content such as abbreviations has been added to the titles. I also added the LDAP Injection, ClickJacking and Web Cache Poisoning entries :D