Last week was the first public release of vpc-vpn-pivot , a tool that allows you to connect to private VPC subnets using an AWS Client VPN. I created this tool to allow penetration testers to pivot into private VPC subnets: given the right set of IAM privileges, vpc-vpn-pivot will allow you to connect to any resource […]

Just published the white-paper for my latest research: Internet-Scale analysis of AWS Cognito Security. The white-paper contains the methodology and results of an internet-scale security analysis of AWS Cognito configurations. The research identified 2500 identity pools, which were used to gain access to more than 13000 S3 buckets (which are not publicly exposed), 1200 DynamoDB […]

Conferences. We have plenty of them these days, good and bad, underground and business-focused, small, large and extra large. When you are young and start attending conferences all you care about is content: the latest and greatest talk from Juliano on Padding Oracles or how Sebastian Muñiz and Alfredo Ortega take control of a satellite […]

New to AWS security? Want to learn more about AWS hacking techniques? You should definitely attend my “Intro to AWS Hacking” training at Ekoparty Los Angeles! The training was designed for penetration testers, DevOps, SecDevOps, application security specialists, web developers and team leaders. And covers these areas: Shared responsibility model AWS’ responsibility [...]

Will and I have teamed up to bring you the Web Application Hacker Level-up Lab at Black Hat USA 2019! This hands-on course is designed for hungry intermediate+ penetration testers and seasoned web application developers who want to level up their skills in a challenging training that focuses on just a few vulnerability classes. This […]

Cloud computing provider will suffer major breach And we’ll all reconsider running our most business-critical applications and storing our unencrypted information in the cloud. The hack will most likely affect one of the second tier cloud computing providers, and compromise their backend systems: hypervisor or client REST APIs. This breach will show how helpless our […]

I’m hooked on cloud security, it has a little bit of everything: network security, application security, automation and DevOps . One of my latest cloud security assessments was on a huge AWS account: 500k USD / month billing 2500 EC2 instances 200 RDS instances 2000 IAM users and roles 250 IAM groups 500 security groups […]

As an external consultant that focuses on application penetration testing I’m not usually invited to application design, business logic discussions or threat modelling sessions. A few weeks ago a client invited me to be part in a threat modelling exercise for their latest and greatest feature that is still in design phase. The client wanted […]

tl;dr I reported a reCAPTCHA bypass to Google in late January. The bypass required the web application using reCAPTCHA to craft the request to /recaptcha/api/siteverify in an insecure way; but when this situation occurred the attacker was able to bypass the protection every time. The security issue was fixed “upstream” at Google’s reCAPTCHA API and no […]

Developers and Application Security Every year OWASP local chapters from Latin America organize a huge one month event called OWASP LATAM Tour, where each chapter hosts a one day conference in their city. These events are a great place for security professionals and developers to get together and exchange ideas and knowledge. Just like the […]