Debugging / reversing Firebase gRPC traffic with mitmproxy

Recently, I was stuck figuring out how the Firebase gRPC calls worked and how I could generate, modify, and replay them. Trapping and modifying the existing gRPC traffic was not working too well. Finally, I took a step back and spent some time learning how to build and debug simple Firebase applications. This approach helped me tremendously and I was able to make further progress with my original task in almost no time. ...

April 16, 2025 · 3 min · 433 words · Dhiru Kholia

Easily verifying certificate chains

Here is a quick script to verify that the certificate chain is valid and will work.

    % cat verify-cert-key.sh
    #!/usr/bin/env bash

    certFile="${1}"
    keyFile="${2}"
    caFile="${3}"

    # Extract the public key from the certificate and from the private key
    certPubKey="$(openssl x509 -noout -pubkey -in "${certFile}")"
    keyPubKey="$(openssl pkey -pubout -in "${keyFile}")"

    if [[ "${certPubKey}" == "${keyPubKey}" ]]
    then
      echo "PASS: key and cert match"
    else
      echo "FAIL: key and cert DO NOT match"
    fi

    # Verify the certificate against the CA file
    openssl verify -CAfile "${caFile}" "${certFile}"

April 14, 2025 · 1 min · 63 words · Dhiru Kholia

Easy Taint Tracking - Finding Heartbleed in 2024

Aim: Finding 'Heartbleed' class of bugs with taint analysis. Background reading: https://heartbleed.com/

Motivation: While Coverity is now able to detect this bug, we wanted to evaluate the state of open-source security tooling in 2024. Have we been able to reduce the cost of finding such bugs after all these years?

The Idea: Can we find an execution path from the tainted data in the n2s function to sensitive functions? Since n2s typically operates on network received bytes, it can serve as a taint source. ...

November 1, 2024 · 3 min · 488 words · Dhiru Kholia