⭕️ RADAR: How DevSecOps is Revolutionizing Security at Snapp

در این مقاله یکی از AppSec Engineer های Snapp به بررسی جزئیات DevSecOps توی اسنپ پرداخته.

به طور خیلی خلاصه فریمورک رادار اسنپ که ترکیب Security Testing در CI/CD هست شامل ابزار های زیر میشه:
1. SAST:‌ semgrep
2. SCA, SBOM: Grype, Syft
3. Secret Detection: Gitleaks
4. IaC: KICS
5. Container Scanning: Trivy
6. DAST: ZAP
7. Vulnerability Management: DefectDojo, OWASP Dependency-Track

مقاله:
https://medium.com/@mohammadkamrani7/radar-how-devsecops-is-revolutionizing-security-at-snapp-5f496fd08e79

#DevSecOps #AppSec #DAST #SAST
@Engineer_Computer

⭕️ Dangerous Regular Expressions

تو این پست Vickie Li از خطا های رایج در رجکس میگه و چندتا Best Practice برای رجکس های امن تر مثل اینکه:
- تا جایی که میشه برای چیزهایی مثل یوزرنیم و پسورد و ... خودتون رجکس ننویسید از رجکس های امن توی اینترنت استفاده کنید
- از Defense-in-depth استفاده کنید یعنی فقط به رجکس و اعتبار سنجی اش و ... اطمینان نکنید
- همچنین Fuzzing میتونه از اینکه رجکس شما داره درست کار میکنه یا نه اطمینان بیشتری حاصل کنه.

مطالعه بیشتر:
https://sec.okta.com/articles/2020/07/dangerous-regular-expressions

یه سری منابع هم معرفی شده برای امن تر کردن رجکس هاتون
https://owasp.org/www-community/OWASP_Validation_Regex_Repository
https://regexlib.com/DisplayPatterns.aspx
https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html

#regex #security #AppSec
@Engineer_Computer

تو پروسه آموزش و یاددادن همیشه کلی چیز برای یادگیری هست✌️🏻
دارم یه اپ Vue آسیب پذیر آماده میکنم برای آموزش XSS in Vue.js بعد متوجه شدم این XSS ای که از طریق javascript scheme تو attribute href رخ میده زمانی که اتریبیوت target برابر blank_ باشه دیگ آسیب پذیر نیست
مثالش تو عکس بالا

#AppSec #XSS #web_security
@Engineer_Computer

🐞 What's security flaws with this code? How to fix it?
نقص امنیتی این کد چیه؟ اصلا نقص امنیتی داره؟ چنتا و به چه صورت؟‌ نحوه فیکس کردنش به چه صورت هست؟

#AppSec #code_challenge #vulnerable_code #web_security #FastAPI
@Engineer_Computer

Now the answer
مهم ترین آسیب پذیری ای که داشت و اکثرا دوستان هم گفتن Mass Assignment بود که میشد ما با role ای مثل admin برای خودمون account بسازیم که حالا توی fix فیلد های مهم رو صرف نظر از چیزی که کاربر میده ما تغییر میدیم، موضوع بعدی هم Insecure Password Storage بود که حالا پسورد hash میشه.

#AppSec #code_challenge #fixed_code #web_security #FastAPI
@Engineer_Computer

🐞 What's security flaws with this PHP code? How to exploit and fix it?
نقص امنیتی این کد چیه؟ چطور exploit و fix میشه؟

Code: https://github.com/amir-h-fallahi/code_challenge/blob/main/0x02-PHP/PHP-Vulnerable-Code.php

#AppSec #code_challenge #vulnerable_code #web_security #PHP
@Engineer_Computer

💥 Common developer security mistakes in working with IPG

As a security engineer, pentester or developer you should know about common security mistakes in working with IPG that leads to serious security vulnerabilities.

#AppSec #IPG

@Engineer_Computer

🚨 Metasploit becomes far more valuable when you stop treating it as just an exploitation tool and start understanding it as a full security assessment framework.

A lot of people learn Metasploit at the surface level:

search a module, set options, run the exploit, get a session.

But real mastery starts when you understand how to use it as a structured platform for workflow design, database organization, payload handling, post-exploitation management, automation, custom module development, and assessment documentation.

That is exactly why I put together this guide on Metasploit Framework Mastery.

Instead of focusing only on isolated commands, this document is designed to explore how Metasploit can be used more effectively in professional security assessments — from architecture and workspace strategy to automation, scripting, custom modules, and reporting discipline.

What stands out in this guide

✅ Metasploit is framed as a framework, not just a console

✅ Advanced workflow matters more than individual commands

✅ Automation is a force multiplier

✅ Custom module development builds real depth

✅ Post-exploitation and session handling are treated as part of methodology

✅ Ethics, scope, and documentation stay central

My takeaway

A strong Metasploit resource should help people do 3 things:

• understand how the framework actually works
• build repeatable and organized assessment workflows
• use the platform responsibly within authorized security testing

That is the real difference between knowing a few Metasploit commands and using Metasploit like a security professional.

I’m resharing this guide because I believe advanced tooling only becomes truly useful when it is combined with methodology, discipline, and ethical boundaries.

💬 In your view, which part of Metasploit takes the longest to master:
automation, payload handling, post-exploitation workflow, or custom module development?

#Metasploit #CyberSecurity #Pentesting #RedTeam #EthicalHacking #SecurityTesting #AppSec #InfoSec #Automation #ThreatSimulation

🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer