It's Been a While...Again.

In what feels like a now familiar post, it's been what might be generously described as a "short eternity" since I've updated.

My goal is to get better at updating this thing. I was probably a bit over-ambitious in the past, aiming for bigger blog posts that take a lot of time and effort to cobble together, which doesn't always pair well with my ADHD when work and life are going on in the background.

That said, I've been diving more into the studying lately, and I felt like it would be a great time to actually try and get some more updates out there. At work, I've been fortunate to move more into the Vulnerability Management side of things, while still having my work with the Incident Response team about half the time. One thing I realized pretty quickly when I started working with the web application scans and vulnerability assessments was just how much more knowledge and skills were needed to do this at even a competent level. I'd taken the GIAC GWAPT cert exam and that gave me a decent foundation, but even with all of that in my pocket, it still felt like there was just so much information out there to know.

I wanted to get to a point where I didn't feel like I was essentially just running web scans on autopilot, essentially configuring Burp Suite and our other tools and just setting them off to run and hoping for the best when it wrapped up. A space I realized was a pretty glaring hole in my knowledge was APIs. I remember seeing a video from Corey Ball a little while ago talking about APIs and how they were a pretty significant security gap for a lot of places, because a lot of people just didn't focus on them or really know how to handle them. Back then, I realized that was me, but as that was before I'd taken the GWAPT or really done anything more than some cursory web app pen testing, I figured it was just like everything else in the field...a wide body of knowledge I'd only scratched the surface on.

But after taking the GWAPT, I had a web scan where it reported a potential vulnerability with an API on a site we were reviewing, and I realized I just had no idea where to even start examining it to make sure it was a false positive and something we were comfortable saying wasn't a risk. That's when I decided to start diving into the API world to try and gain some knowledge, figuring that with myself and my teammate both being pretty green with the work we were doing, having at least one of us deep-diving into APIs would be beneficial, and I could document everything so we can both get better at digging into these things as they are unlikely to get less frequent with time. 

So, here's the plan: I've been working my way through Corey Ball's great book Hacking APIs: Breaking Web Application Programming Interfaces and it's been a great resource so far. It does a great job of going through the basics of APIs as well as the security threats and common vulnerabilities. I'm also at the hands-on lab portion, which I think would make great content for some blog posts. I'm already in the process of documenting and spinning up my VM lab for doing the hands-on labs. I've taken my Dell R710 server and finally dusted it off, as I didn't really have anywhere to set the thing up in my apartment previously. Now it's been jammed into my closet, hooked up to the network and powered on, and the plan is to spin up roughly 5 VMs. One will be my Kali Linux box that I'll use for the hacking itself, and the other 4 will each host their own individual vulnerable web application. The book uses OWASP's DevSlop Pixi, the OWASP Juice Shop, Damn Vulnerable GraphQL and finally, Completely Ridiculous API (crAPI). Initially, I had spun these up on my desktop, before realizing it was going to be a bit of a headache either keeping the VMs thin enough not to steal precious desktop resources, or bloating them and making the whole process sluggish. After getting the server configured and back up and running, I'm able to give them more generous resources, as the server has two CPUs and 72GB of RAM to allocate, so it shouldn't be an issue giving all 5 VMs enough power to keep me from bouncing my head off my desk in frustration.

That's what's next, so stay tuned. I'm hoping to get at least the initial Ubuntu blog up, as some of the commands needed have changed a bit from when the book was published and provided me a bit of a headache and hurdle to get over. 
