liamg

Running Custom Rego Against Live AWS

It’s now easy to run custom Rego policies against your live AWS account(s) with Trivy, as of version v0.33.0. In this post I’ll run through several example policies to demonstrate how it works and...

Scanning for AWS Security Issues With Trivy

What is Trivy? Trivy is a multifunctional, open-source security scanner. It can scan various targets (filesystems, containers, git repositories and more) in order to discover security issues (vuln...

Writing Go Linters

Recently I looked into writing a custom linter for an open-source project called defsec. We had a fairly unique problem with an all-too-frequent bug. We decided if we could catch this type of bug a...

Write-up: Intigriti 0722 (July 2022) XSS Challenge

It’s been a while since I’ve done an XSS write-up, and the latest Intigriti challenge was fun, so here goes… 0x00: Initial Recon The site provided by Intigriti is a single-page application that s...

5 Ways To Speed Up Go Tests

A slow test-suite/build is one of the most frustrating hurdles to productivity for software engineers. Here are a few tips to speed things up with Go… 1. Run Tests in Parallel Go runs each test i...

Malicious Rego: OPA Supply Chain Attacks

I’ve been using Rego a lot lately and have been very pleased with it. Like any technology though, it can be abused - especially if used irresponsibly. I was inspired by this post about IaC supply-c...

OPA Rego + tfsec: Custom security policies for your infrastructure

Recently, tfsec added support for applying Rego policies to your Terraform code. Clear rules can be written against simple data structures, whilst providing the developer with a wealth of informati...

Escalating Privileges with Dirty Pipe (CVE-2022-0847)

The Dirty Pipe vulnerability allows users to write to files for which they should only have read access. I recommend reading Max Kellermann’s vulnerability abstract to get a good grounding in how i...

Configuring Google Authenticator on Ubiquiti EdgeOS OpenVPN

The following guide will help you to set up Google Authenticator based 2FA for OpenVPN on EdgeOS 2.0+ devices. It’s recommended to ensure you have another method to access your device in case you a...

Write-up: Intigriti March 2021 XSS Challenge

The following is my write-up for the March 2021 Intigriti XSS challenge. Let’s Get Started… The challenge takes place on a single web page, though this one appears more dynamic than those I’ve ...