CodeMagi Blogs

Stop Forcing Password Rotation!

Arbitrary password rotation policies encourage users to choose weak passwords. How many times have you been forced to change your password and simply added a '1' at the end? NIST has finally taken notice and added the following to their guidelines: 

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). 

Source: (Section Paragraph 9)

Forcing a password change every 90 days is archaic, and psychologically it leads users to choose less complex passwords. Note that the same NIST guideline keeps the one case that matters: verifiers SHALL force a change when there is evidence that the secret has been compromised, so dropping scheduled rotation does not mean dropping rotation on breach.

Clear HSTS Cache on Chrome

HSTS stands for HTTP Strict Transport Security. It is a response header (Strict-Transport-Security) that a server sends over HTTPS to tell supporting browsers to load the site only via HTTPS for the stated max-age, and to refuse to let the user click through certificate errors for that host. In general, this is a good thing. However, a pentester may occasionally need to do otherwise, such as when routing the site through a proxy like Burp Suite to view its traffic and the browser does not trust the proxy's certificate: with HSTS cached, Chrome blocks the connection outright instead of offering a click-through.

Fortunately Chrome gives you a means to clear its cached HSTS state for a site from the net-internals page (chrome://net-internals/#hsts): 


Simply enter the fully-qualified domain name into the Delete domain text field and click Delete (the Query field on the same page lets you confirm the entry is gone). Note that this only removes dynamically learned entries; domains on Chrome's built-in HSTS preload list cannot be cleared this way. Then you can get on with your hacking. 
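The cache being cleared above is built from the header in a well-defined way, and the rules matter when you are trying to understand why a host is (or is not) stuck on HTTPS. The following is an added example, not code from the original post: a small Node.js model of how a browser parses Strict-Transport-Security (RFC 6797 section 6.1), stores a per-host entry, upgrades http:// URLs from that store, and forgets a host the way the Delete domain field does. Hosts, header values and timestamps in it are constructed for illustration.

```javascript
// Added example, not code from the original post: a model of how a browser
// turns Strict-Transport-Security response headers into the per-host cache
// that chrome://net-internals/#hsts lets you query and delete.
// Uses only Node's standard library; all hosts, header values and timestamps
// are constructed for illustration.

// Parse an STS header value following RFC 6797 section 6.1.
// Returns null when the header is malformed and must be ignored entirely.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  const seen = new Set();
  for (let directive of headerValue.split(';')) {
    directive = directive.trim();
    if (directive === '') continue;                       // tolerate empty directives
    const eq = directive.indexOf('=');
    const name = (eq < 0 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let value = eq < 0 ? null : directive.slice(eq + 1).trim();
    if (value !== null && value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);                         // quoted-string values are permitted
    }
    if (seen.has(name)) return null;                      // each directive may appear only once
    seen.add(name);
    if (name === 'max-age') {
      if (value === null || !/^\d+$/.test(value)) return null;
      policy.maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (name === 'preload') {
      policy.preload = true;
    }
    // unrecognised directives are ignored, as the RFC requires
  }
  if (policy.maxAge === null) return null;                // max-age is mandatory
  return policy;
}

// Record a header in the dynamic HSTS store (a Map of host -> entry).
// Browsers only honour STS received over HTTPS on a connection without
// certificate errors, which is why a header seen through an untrusted
// intercepting proxy never gets cached.
function applyHsts(store, host, headerValue, overValidHttps, now = Date.now()) {
  if (!overValidHttps) return false;
  const policy = parseHsts(headerValue);
  if (policy === null) return false;
  const key = host.toLowerCase();
  if (policy.maxAge === 0) {                              // max-age=0 tells the browser to forget the host
    store.delete(key);
    return true;
  }
  store.set(key, {
    expires: now + policy.maxAge * 1000,
    includeSubDomains: policy.includeSubDomains,
  });
  return true;
}

// What the Delete domain field on chrome://net-internals/#hsts does:
// drop the dynamically learned entry for one host (preloaded hosts are
// compiled into the browser and are not in this store at all).
function forgetHost(store, host) {
  return store.delete(host.toLowerCase());
}

// Rewrite an http:// URL to https:// when the host, or a parent domain whose
// entry carries includeSubDomains, is in the store and has not expired.
function upgradeUrl(store, urlString, now = Date.now()) {
  const url = new URL(urlString);
  if (url.protocol !== 'http:') return urlString;
  const labels = url.hostname.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    const entry = store.get(candidate);
    if (entry === undefined) continue;
    if (entry.expires <= now) {                           // expired entries are evicted lazily
      store.delete(candidate);
      continue;
    }
    if (i === 0 || entry.includeSubDomains) {
      url.protocol = 'https:';
      return url.toString();
    }
  }
  return urlString;
}
```

Two things the model makes visible: a header served with includeSubDomains pins every subdomain, so clearing only the host you are testing may not be enough, and the store is only ever populated over a trusted HTTPS connection, so installing Burp's CA certificate in the browser avoids the problem in the first place.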

Using Hashing Functions in Google Sheets

I recently created a spreadsheet with a lot of custom formulas in Google Sheets. The custom formulas are JavaScript (Apps Script) functions that use SpreadsheetApp.getActive().getRange('namedRange') to read data from several different cell ranges across the workbook and compute values based on them.

Unfortunately, Google Sheets does not recalculate the result of a custom function unless the parameters to that function actually change. So my options were:

  1. Pass all data required for the calculations as arguments to the custom functions
  2. Find some other way to trigger recalculation when the underlying data changed

The first option was impractical for a number of reasons. The function was already in use in dozens of places throughout the sheet and I would have had to add the new parameters to each cell that called it. And since the function was still under development, I would also have to change it each time I needed to add a new piece of data to the calculation.

So I needed a way to trigger the function to update when any number of (a potentially changing) underlying variables changed. Enter hashing. A cryptographic hash function computes a fixed-size, one-way fingerprint of any input; two different inputs producing the same SHA-256 digest is not a practical concern, so a changed digest reliably means changed data. I discovered Aaron Toponce's excellent post about implementing cryptographic hash functions in Google Sheets and I got an idea.

I changed my custom function to accept one parameter, a hash code generated from the SHA256 function in Aaron's post. Then I added one cell to the spreadsheet which contained a call to the hash function, taking the range of underlying data as input:


Now, whenever there is a change to the data in any of the underlying cells, the SHA-256 hash recalculates to a new value. When Sheets detects a change to the hash value passed as a parameter to my custom code, it triggers the function to recalculate and the spreadsheet updates. Plus I am easily able to update my function, and the ranges of data it consumes, without having to change every place it is called in the sheet. 

Running Multiple Burp Suite Instances

If you are using the macOS application version of Burp Suite, you can launch an additional instance with the following command (the -n flag tells open to start a new instance even if one is already running): 

open -n -a "Burp Suite Professional"

Burp Suite Passive Scanning

I recently had an interesting discussion regarding when Burp Suite actually runs its passive scan tests. It turns out that passive scanning is only done in certain instances and NOT on every single response as I had previously imagined. Here are the conditions under which passive scan checks are run: 

  • First request of an active scan
  • Proxy requests
  • Any time 'Do a passive scan' is selected from the context menu

Passive scans are not run: 

  • On every active scan response
  • On Repeater responses
  • On Intruder responses
  • On Sequencer responses
  • On Spider responses

This is a pretty huge gap as far as I am concerned, especially for active scanner responses, where fuzzing is more likely to provoke an error message that can be picked up by my Error Message Checks extension, or to reveal server information that can be picked up by Software Version Checks.

I have updated Error Message Checks to scan responses during Active Scan, and I will soon be adding a selectable option to passively scan responses from the other tools as well.