{"id":946,"date":"2016-11-25T15:18:05","date_gmt":"2016-11-25T14:18:05","guid":{"rendered":"http:\/\/www.floyd.ch\/?p=946"},"modified":"2022-02-09T11:32:51","modified_gmt":"2022-02-09T10:32:51","slug":"activity-wrap-up-inlcuding-afl-crass-and-burp","status":"publish","type":"post","link":"https:\/\/www.floyd.ch\/?p=946","title":{"rendered":"Activity wrap-up including AFL, CRASS and Burp"},"content":{"rendered":"<p>Here&#8217;s a little overview of my last few months:<\/p>\n<ul>\n<li>Thinking about using libjson? <a href=\"https:\/\/github.com\/vincenthz\/libjson\/issues\/20#issuecomment-250103033\" target=\"_blank\" rel=\"noopener\">Maybe you should wait for a bug fix<\/a>.<\/li>\n<li><a href=\"https:\/\/github.com\/floyd-fuh\/AFL_GCJ_Fuzzing_Simple\" target=\"_blank\" rel=\"noopener\">Trying to fuzz Java code with afl-gcj was not a very pleasant experience<\/a>.<\/li>\n<li>Made some efforts to <a href=\"https:\/\/github.com\/floyd-fuh\/afl-cgi-wrapper\" target=\"_blank\" rel=\"noopener\">show how to fuzz CGI scripts with AFL<\/a>.<\/li>\n<li><a href=\"https:\/\/github.com\/floyd-fuh\/crass\/blob\/master\/grep-it.sh\" target=\"_blank\" rel=\"noopener\">My CRASS project that includes a script to grep for interesting security-related tokens<\/a> is constantly growing.<\/li>\n<li><a href=\"https:\/\/twitter.com\/floyd_ch\/status\/753133495304785920\" target=\"_blank\" rel=\"noopener\">Burp Collaborator is blocked in certain company networks<\/a>, that&#8217;s why you should set up your own private Burp Collaborator instance.<\/li>\n<li>For web pentests of websites that allow image uploads I can recommend using <a href=\"https:\/\/github.com\/tmendo\/BurpIntruderFilePayloadGenerator\" target=\"_blank\" rel=\"noopener\">this Burp plugin<\/a> together with fuzzing images (if you have your own fuzzed crash images, otherwise <a href=\"https:\/\/lcamtuf.coredump.cx\/afl\/demo\/\" target=\"_blank\" rel=\"noopener\">try the corpus from AFL<\/a>).<\/li>\n<li>I did <a 
href=\"https:\/\/hackerone.com\/reports\/168538\" target=\"_blank\" rel=\"noopener\">my first HackerOne report for the Twitter iOS app<\/a>. I was able to intercept TLS traffic and Twitter confirmed it as a high-severity issue. Hopefully I&#8217;ll be able to give more details in an upcoming blog post as soon as it&#8217;s disclosed.<\/li>\n<li>The Vallader Romansh dictionary app I wrote for Android is now available for <a href=\"https:\/\/apps.apple.com\/us\/app\/vallader-romansh-german-dict\/id1145027464\" target=\"_blank\" rel=\"noopener\">iOS on the Apple App Store<\/a> as well.<\/li>\n<li>When you are a big German security news portal and write an article about misleading advertisement, you should make sure that <a href=\"https:\/\/web.archive.org\/web\/20190107105255\/https:\/twitter.com\/floyd_ch\/status\/696945691642478592\" target=\"_blank\" rel=\"noopener\">your advertisement in the article is not misleading<\/a>.<\/li>\n<\/ul>\n<p>cheers,<br \/>\nfloyd<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here&#8217;s a little overview of my last few months: Thinking about using libjson? Maybe you should wait for a bug fix. Trying to fuzz Java code with afl-gcj was not a very pleasant experience. 
Made some efforts to show how &hellip; <a href=\"https:\/\/www.floyd.ch\/?p=946\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[148,178,12,179,161,180,177],"class_list":["post-946","post","type-post","status-publish","format-standard","hentry","category-various","tag-afl","tag-afl-gcj","tag-burp","tag-cgi","tag-crass","tag-hackerone","tag-libjson"],"_links":{"self":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts\/946","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=946"}],"version-history":[{"count":9,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts\/946\/revisions"}],"predecessor-version":[{"id":1295,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts\/946\/revisions\/1295"}],"wp:attachment":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=946"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=946"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=946"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}