Removing secrets from git history is straightforward. With the help of BFG Cleaner and privileges to force push the modified history, it's a piece of cake. I believed this until I found I was partially wrong - removing something from git history doesn't remove it from the git repository. …
If you listen to anyone discussing AWS security, you have probably heard about Amazon GuardDuty. It's an intelligent "threat detection" service from AWS. Should you enable GuardDuty? I hope you'll get closer to your answer by the end of this blog post. …
CloudQuery and Steampipe have very similar functionality. The actual difference lies in the way they work and the problems they solve. This blog post compares the two tools and helps you answer the question: What should I use - CloudQuery or Steampipe? …
Lessons from testing AWS WAF Bot Control with 10M+ weekly requests. It can double your WAF bill and is easily bypassed with a valid browser User-Agent. …
Most of the applications I see these days heavily depend on APIs. Pentesting them is a bit different from pentesting web applications. In this writeup I will show you how I discovered the vulnerabilities in the “Vulnerable API” project. …
There are so many resources around domain and subdomain takeovers but none around how to remove this bug class. In this blog post, I will walk you through the (sub)domain takeover bug class, the different types of takeovers, and finally the mitigations. …
How to integrate Gitleaks into a GitLab CI pipeline to scan only new commits for secrets, instead of scanning the entire repository history on every push. …
Step-by-step guide to creating a GCP Cloud Function with an HTTP endpoint that publishes messages to a Google Pub/Sub topic using Python. …
Perform fast reverse DNS lookups by loading Rapid7's FDNS dataset into MongoDB. Find all DNS records pointing to any IP in seconds. …
Use GNU Parallel to run nmap scans across 1000+ public IPs simultaneously, reducing scan time drastically and identifying unused firewall rules. …