
ESPRESSO FRIDAYS

The Essential Skill Every Engineer Should Master

Published 27 days ago • 3 min read

Hi!

Let’s say you’re an entrepreneur, you know what, a “solopreneur”. You have your own side gig and it’s making a few hundred bucks a month. If I told you that you could lose the entire thing in a heartbeat because you missed something, you’d be anxious to know what it is, right?

Rewind 34 months, I was sitting at my desk, assisting the frontend team in troubleshooting their configuration issue. As I opened the devtools pane and launched the network tab, my goal was to locate "config.json". However, something unexpected caught my eye – a file named "client-secrets.json" was also present.

  • “This has to be a mistake”, I thought. Let’s click.
  • BOOM. Our entire list of authentication secrets, holding customers’ tokens across partners and other services, had been leaked.


My heart began to race. I immediately sent a message to the entire engineering team, instructing them to cease all activities and convene in a Slack "war room." To summarize, after a grueling 48 hours, we succeeded in rotating all necessary keys, informing our partners, and mitigating an issue that had the potential to be catastrophic for the company.

A week later, out of curiosity, I started searching for IDORs, and broken access control within our system. “If every key we had got leaked, I might as well search for smaller things.” What do you know, I found one, not very complicated either. I just fired an API request to our backend and changed the role value to admin. Simple as that.
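The role-change request above is a broken access control bug of the mass-assignment kind, and the "I can touch someone else's record" variant is the classic IDOR. As an added example (not code from the newsletter or the system it describes, with a constructed in-memory user store standing in for the database), here is the vulnerable shape of both handlers next to the hardened shape: the profile endpoint allow-lists the writable fields so `role` can never come from the request body, and the delete endpoint checks that the target belongs to the caller or that the caller is an admin.

```python
# Added example: client-trusting handlers vs. server-side authorization.
# The user store and endpoints are hypothetical; they mimic a JSON API backend.
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    email: str
    role: str = "member"  # "member" or "admin", decided server-side only


def make_users() -> dict:
    """Constructed in-memory user table, fresh per call so tests don't interfere."""
    return {
        1: User(1, "alice@example.test", "member"),
        2: User(2, "bob@example.test", "admin"),
    }


# The only fields a user may change through the profile endpoint.
PROFILE_FIELDS = {"email"}


def update_profile_vulnerable(users: dict, session_user_id: int, payload: dict) -> User:
    """Mass-assignment bug: every key in the request body is copied onto the
    user record, so a body of {"role": "admin"} promotes the caller."""
    user = users[session_user_id]
    for key, value in payload.items():
        setattr(user, key, value)
    return user


def update_profile_hardened(users: dict, session_user_id: int, payload: dict) -> User:
    """Allow-list writable fields. The role lives only in the server-side
    record and is never read from the request."""
    user = users[session_user_id]
    unknown = set(payload) - PROFILE_FIELDS
    if unknown:
        # Reject loudly rather than silently dropping the field, so the
        # attempt shows up in application logs and can be alerted on.
        raise PermissionError(f"fields not writable here: {sorted(unknown)}")
    for key in PROFILE_FIELDS & set(payload):
        setattr(user, key, payload[key])
    return user


def delete_account_vulnerable(users: dict, session_user_id: int, target_id: int) -> User:
    """IDOR: the caller is authenticated, but nothing checks that the
    target account is theirs. Any logged-in user can delete any account."""
    return users.pop(target_id)


def delete_account_hardened(users: dict, session_user_id: int, target_id: int) -> User:
    """Object-level authorization: self-service or admin only."""
    caller = users[session_user_id]
    if target_id != session_user_id and caller.role != "admin":
        raise PermissionError("not allowed to delete another user's account")
    return users.pop(target_id)


def raises_permission_error(fn, *args) -> bool:
    """Small helper so callers can check a denial without try/except noise."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```

The hardened handlers never consult the request for anything that decides privilege: the allow-list is static, and the identity and role used for the check come from the server-side session record. Returning an error instead of silently ignoring `role` is deliberate, because a 4xx on an unexpected field is an easy thing to count in logs.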


Many engineers tend to focus more on progress, feature development, and meeting tight deadlines than on security concerns. It's understandable, given their workflow: they operate in sprints, engage in various ceremonies, manage story points, and work under close supervision from managers. In such an environment, prioritizing security can often take a backseat.

During interviews, I began querying developers about their knowledge of SQL injections, methods to test for IDORs, strategies to prevent XSS, and ways to avert CSRF, among other security topics. The responses were disheartening; it seemed that security was not a priority, and that's an understatement.


Security isn't only about rotating passwords or implementing MFA (though adding MFA everywhere is highly recommended due to its simplicity and effectiveness).

I see it more as a marketing issue: developers should be versed in hacking techniques. To clarify, I'm not advocating for backend engineers to delve into hacking systems. However, experimenting with SQL injections on a vulnerable (test) database can be surprisingly enjoyable and informative. Gaining insight into how the code you write might be susceptible to various attack vectors can be a real eye-opener.
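To make that "test database" experiment concrete, here is an added example (not from the newsletter) using Python's built-in `sqlite3` with a constructed in-memory table. The first lookup splices the username into the SQL text, so a quoted input changes the query's grammar and returns every row; the parameterised version sends the value separately, so the same input is matched literally and finds nothing. The sanity check at the end is the kind of guard worth keeping in a real login path: a lookup that is supposed to be unique but returns several rows is a signal worth logging.

```python
# Added example: string-built SQL beside a parameterised query, on sqlite3.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The input becomes part of the SQL statement itself: a single quote in
    the username ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Bound parameter: the driver passes the value out of band, so it can
    only ever be compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_is_sane(rows: list) -> bool:
    """A by-username lookup must yield at most one row. More than one means
    the WHERE clause was widened; treat it as an error and log it."""
    return len(rows) <= 1
```

Running both functions with the textbook input `' OR '1'='1` shows the difference without any external tooling: the string-built query returns both users, the bound query returns an empty list.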

A "hackathon" could genuinely be utilized in a manner true to its name.

There’s no need to go too far; the OWASP Top 10 is a great place to start. You’ll find broken access control, security misconfiguration, XSS, and other simple vulnerabilities that are relatively easy to test for, protect against, and fix.

As an engineer, I think you should care, or at least take some interest and learn about the basics to keep your applications secure.

This can also become quite a lucrative gig if you decide to take part in bug bounty programs like HackerOne, where some hackers make hundreds of thousands every year. I had the pleasure of finding bugs (simple XSS and no payouts, but a great learning experience), as well as being on the other side: receiving reports from solo hackers and handing out payouts!


Basic understanding of straightforward hacking techniques has enabled me to identify potential domain takeovers for numerous clients, discover unencrypted data leaks in JavaScript files, and unearth various other intriguing findings over the years.

Moreover, this knowledge has proven valuable in job interviews, often providing the unique edge interviewers looked for in candidates but didn't anticipate.

Above all, I believe that cultivating an interest in basic hacking relevant to your area of expertise is a form of taking responsibility.


Whenever I discuss this topic, it often sparks controversy and intense debates. Nevertheless, I encourage you to reply to this email with your thoughts, questions, or to share any similar experiences you've had.

In keeping with this week's theme, I want to highlight an open-source project that has been instrumental in helping me scan and resolve local Wifi issues from my Mac: Bettercap. While operating systems like Kali Linux offer tools such as Wifite and the Aircrack-ng toolset, it's somewhat rare to find a tool as effective as Bettercap for other platforms!


I hope you found this post insightful, feel free to respond directly.

Have an awesome weekend,
Omer
