Chandrapal Badshah Profile picture
Security Research Lead @RedHuntLabs ❤️ Product Security & philosophy. Working on @BurpSuiteGuide. Maintainer- @HackwithGithub Opinions are from my intellect.
Oct 22, 2021 16 tweets 5 min read
Okay folks, let's talk about bypassing #SSLPinning in #Android applications.

It's going to be a bit long Twitter 🧵 First, let's talk about SSL Pinning.

It's "pinning" some content of your website's public SSL certificate to your Android app.

It can be hash from your leaf cert, intermediate CA or even root CA.
Oct 5, 2020 7 tweets 2 min read
Wow ! @Cloudflare introduces API Shield to protect your APIs…

How does it do ?

By adding mTLS for the API endpoints and enforcing schema validation in JSON / gRPC payloads in API POST requests

Will it really secure / help secure APIs ?

[thread] 1/n Reading the article, Cloudflare claims to "secure" your APIs with the help of mTLS.

To simply put, mTLS is when both entities (server and client) validate each other's SSL cert and make sure its signed by common trusted Root / Intermediate CA.

Apr 17, 2020 15 tweets 4 min read
How we monitor secrets committed in our self hosted @gitlab instance in real time ?

(Twitter thread which summarises multiple experiments)

#ProductSecurity #gitlab #security Use Pre-commit / Pre-receive / Post-receive git hooks ?

Pre-commit : scan for secrets before commit. Prevents committing secrets by devs

Problem: requires access to dev laptops (privacy issue?). Hard to manage regexes in their laptop. Harder in a company hiring lots of devs