https://www.jakobthe.dev/categories/application-security/ Recent content in Application Security on JakobTheDev | Jakob Pennington https://www.jakobthe.dev/images/profile.png https://www.jakobthe.dev/images/profile.png Hugo -- gohugo.io en-us Tue, 11 Jun 2024 00:00:00 +0000 https://www.jakobthe.dev/posts/bbb-2-hello-daneel/ Tue, 11 Jun 2024 00:00:00 +0000 https://www.jakobthe.dev/posts/bbb-2-hello-daneel/ This week, I began building my own bug bounty automation tool. This post introduces daneel and talks about how I plan to use daneel to hunt for bugs. https://www.jakobthe.dev/posts/bbb-1-back-hunting/ Sun, 02 Jun 2024 00:00:00 +0000 https://www.jakobthe.dev/posts/bbb-1-back-hunting/ G’day! I’m Jakob, an Application Security consultant from Australia, welcome to my Bug Bounty Blog (BBB). After a long hiatus from bug bounty, I have decided to fire up nikto again and start scanning the web for fun and profit. This blog is all about committing what I’m learning and thinking to paper, and to share it with the world. Why did I stop bug bounty? Good question, thanks for asking. https://www.jakobthe.dev/posts/building-hacking-tools-docker/ Tue, 28 Jul 2020 15:45:00 +1030 https://www.jakobthe.dev/posts/building-hacking-tools-docker/ Something that I have struggled with in the past as a software developer turned penetration tester is the fact that I use two operating systems on a daily basis, and this sometimes causes friction in my workflow. Note: I really don’t intend or want this to be a discussion of the merits of one OS or IDE compared with another. I use the tools that I am familiar and productive with, and it’s totally cool if you use something different. https://www.jakobthe.dev/posts/docker-for-pentesters/ Wed, 22 Jul 2020 15:45:00 +1030 https://www.jakobthe.dev/posts/docker-for-pentesters/ There were many things to consider, and we may talk about some of those things in the future, but the aspect of penetration testing I want to talk about today is the infrastructure we use to conduct a penetration test. Note: With a few minor exceptions, the same thought process applies for bug bounty hunting. If that’s more your thing, feel free to sed s/penetration testing/bug bounty hunting/g. What do we need from our infrastructure? https://www.jakobthe.dev/posts/shifting-left/ Thu, 18 Jul 2019 15:45:00 +1030 https://www.jakobthe.dev/posts/shifting-left/ Why traditional security testing should not be the core of your application security program. https://www.jakobthe.dev/posts/eight-phases-devops-pipeline/ Thu, 18 Jul 2019 15:45:00 +1030 https://www.jakobthe.dev/posts/eight-phases-devops-pipeline/ Let’s break down the phases of a DevOps pipeline and clarify some common terms. https://www.jakobthe.dev/posts/what-is-devops/ Thu, 18 Jul 2019 15:45:00 +1030 https://www.jakobthe.dev/posts/what-is-devops/ The simplest introduction to DevOps and the benefits it can provide to your organisation. https://www.jakobthe.dev/posts/exploiting-xss-via-markdown/ Fri, 08 Feb 2019 15:45:00 +1030 https://www.jakobthe.dev/posts/exploiting-xss-via-markdown/ I recently came across a web application in which I was able to exploit a Cross-Site Scripting (XSS) vulnerability through a markdown editor and rendering package. It was the first time I had come across this type of vulnerability, and I found it particularly interesting because it allowed me to bypass multiple layers of XSS filtering that was implemented in the application. Here’s a short article on how I came across the vulnerability and set about crafting an exploit. https://www.jakobthe.dev/posts/breaking-into-iphone-backups/ Wed, 21 Nov 2018 15:45:00 +1030 https://www.jakobthe.dev/posts/breaking-into-iphone-backups/ The day that being a hacker made me feel like a hero. https://www.jakobthe.dev/posts/codepipeline-notifications/ Sun, 05 Aug 2018 15:45:00 +1030 https://www.jakobthe.dev/posts/codepipeline-notifications/ This post is Part 3 in a 🤷-Part series on CI/CD in AWS. Go check out my other posts to see how we got here: Part 1: Deploy a Single-Page Application (SPA) to AWS Part 2: Automated Build / Deploy with AWS CodePipeline In the last post, we set up a simple CI/CD pipeline that deploys our codebase into production each time new code is merged into the production codebase. This is great, but once we kick off a build we have two options: https://www.jakobthe.dev/posts/aws-codepipeline/ Sun, 22 Jul 2018 15:45:00 +1030 https://www.jakobthe.dev/posts/aws-codepipeline/ In my last post, I showed how you can deploy a Single Page Application to AWS using AWS’ S3, CloudFront and Route 53. This post picks up where the last one left off, so if you haven’t read it, go check it out! This time, we’ll be improving our DevOps by building a basic CI/CD pipeline. Since we’re already using AWS to host our site, it makes sense to keep using their services since they do integrate well together (That’s how they get you! https://www.jakobthe.dev/posts/deploy-spa-aws/ Tue, 17 Jul 2018 15:45:00 +1030 https://www.jakobthe.dev/posts/deploy-spa-aws/ Recently, I made a simple personal website — a hub for my online presences and a place to share my personal projects. I developed the site using the Angular CLI, and when it came time to host the site, I chose AWS since my domain was already set up in Route 53. Overall, the process of building the application and hosting it on AWS was a fairly simple one (you could probably set the whole thing up in about an hour), but there were a couple of gotchyas that prompted me to write down the process. https://www.jakobthe.dev/posts/minifying-xss/ Sun, 18 Mar 2018 15:45:00 +1030 https://www.jakobthe.dev/posts/minifying-xss/ How I bypassed Cross-Site Scripting sanitisation in fewer than 20 characters.