dotfiles - A Treasure Trove

Dotfiles, in the context of this blog, is a framework/methodology/concept: a collection of files, often starting with dots (as the name implies), in which users (developers, system administrators, etc.) store their personalised configurations for a variety of software. These collections are often pushed to a git repository and contain configuration files for software such as Vim, VSCode, Zsh, .aliases, git, and so on. A common use case for dotfiles is when users join new companies and are issued a work laptop...

May 26, 2024 · 3 min

Credential Harvesting via Postman

Postman is an API platform for developers to design, build and test their APIs. The platform allows users to work in teams and organizations, giving them the option to share their workspace over the Internet. One of its features is the ability to organize requests (GET, POST, PATCH, etc.) on different ‘pages’, with the option to define request parameters, headers, authorization, body and tests. The issue arises when request parameters are populated directly with values such as passwords, API tokens and secrets in a workspace that has been shared publicly...

August 28, 2022 · 2 min

urlscan.io Dorking

urlscan.io is a free and paid tool used to scan and analyse URLs. It is often used by security analysts and SOC staff, and is also available as an integration add-on in several popular security tools such as Splunk SOAR and Cortex XSOAR. This post focuses on the Search functionality in urlscan.io and how it can be abused to extract sensitive content as a result of tooling misconfigurations or accidental information leakage...

April 15, 2022 · 4 min