Published inInfoSec Write-ups·PinnedSandboxing Python dependencies in your codeRunning code from an untrusted source is still an unsolved issue. Especially in dynamic languages like Python and Javascript. I will begin with 2 unanswered questions; If you import requests for http, why should requests be able to open a terminal and switch to sudo? If you import logging, Why…Dtrace8 min readDtrace8 min read
Published inInfoSec Write-ups·PinnedHow I Discovered Thousands of Open Databases on AWSMy journey on finding and reporting databases with sensitive data about Fortune-500 companies, Hospitals, Crypto platforms, Startups during due diligence, and more. Table Of Contents Overview Background My Hypothesis Scanning BI & Automation: From thousands to hundreds Examples of data I found Conclusion Overview It is easy to find misconfigured assets…AWS10 min readAWS10 min read
Published inInfoSec Write-ups·PinnedBrowsers Are Localhost Gateways: Client Port Scanning Using WebAssembly And GoWebsites tend to scan the open ports of their users, from the browser, to identify new/returning users better. Can ‘localhost’ be abused by the browser? Can it be done through WebAssembly? Live Demo is available at http://ports.sh or https://ports.sh, The code is available at https://github.com/avilum/portsscan, You are welcome to contribute! …Browsers9 min readBrowsers9 min read
Published inInfoSec Write-ups·PinnedFacebook Knows What You Eat: Discover The Entire Data Facebook Collects About You, Step By Step.I bet most Facebook users are not aware of what they really know about them. What if I told you that YOU can visualize it in just 5 minutes? A story of how I have explored https://facebook.com/dyi programmatically. I’m gonna show you how to do it yourself, and we will…Facebook7 min readFacebook7 min read
Published inInfoSec Write-ups·PinnedGoogle Phishing with SSL: Google.news is not google.newsBack in 2016, I ran into a post about someone buying ɢoogle.com. It was used for phishing proposes (notice the first G). Homographic characters look like ASCII letters, but their encoding is different, in a way that is usually not noticeable for the human eye. Phishing is the fraudulent attempt…Google7 min readGoogle7 min read
Published inInfoSec Write-ups·Sep 3Secure FastAPI with eBPFLeverage eBPF to secure internet-facing APIs: FastAPI, BlackSheep, Flask, Django, aiohttp, Tornado, and more. In the previous post, I used secimport to secure PyTorch code. I showed how PyTorch models from insecure sources can be evaluated safely on any Linux machine. Table Of Contents: A word about API security — How to trace…Api Security8 min readApi Security8 min read
Published inInfoSec Write-ups·Jul 23Secure PyTorch Models with eBPFThis article was not generated by GPT In this blog, I will present secimport — a toolkit for creating and running sandboxed applications in Python that utilizes eBPF (bpftrace) to secure Python runtimes. I will start with why it is needed (feel free to skip that part), and then demonstrate how…Sandbox10 min readSandbox10 min read
Published inDeci AI·Jul 22, 2021Infery — Run Deep Learning Inference with Only 3 Lines of Python CodeImagine having the power of all frameworks at your fingertips with one friendly yet powerful API Our mission is to help AI developers easily build, optimize, and deploy deep learning models. As part of this mission, we developed Infery, a Python runtime engine that transforms running inference on optimized models…Inference7 min readInference7 min read
