The latest news and research from the Nagarro Security team.

Creating a DOCX/Python Polyglot

May 7, 2021 Eivind Utnes
Last year, I ran into this tweet from John Gordon (@indiecom): By researching, I found that Python has been able to execute modules from zip files since version 2.6, and considering that office documents (docx, xlsx etc.) are also zip files, I wanted to know if this would work with them as... Read more...

Does your computer respect your rights? Part 1

April 6, 2021 Thomas Roka-Aardal
A story about nostalgia, freedom and laptops This is part 1 of a 2-story blog, in part 2 we go even further into data and hardware isolation. My dear laptop… choices, choices… In 2018, I needed to replace my laptop. It was a MacBook Air, 2012 model (6,5 years of productive life), and though it... Read more...

A Fundamental Tool in the Toolkit: Evasive Shellcode Launchers – Part 1

February 27, 2020 Nicolai Wang
It is important to consider the likelihood of detection when selecting tools for a red teaming engagement. Unintended detections, while good news for the blue team, can result in burned C2 infrastructure, loss of access and increased security measures. The goal of this blog is to showcase some of... Read more...

Sec in your DevOps: Adding the OWASP Dependency Check to your Jenkins pipeline

January 23, 2020 Eivind Utnes
This blog post aims to help DevOps practitioners and security professionals to take a first step towards adding security testing to an existing CI/CD pipeline. We will install the OWASP Dependency Check plugin in a Jenkins instance, verify that it gives us the expected output, and create a suppres... Read more...

Interactive guide to Buffer Overflow exploitation

December 16, 2019 Vetle Økland
A Buffer Overflow is a bug class in a program typically written in a memory unsafe language like C or C++. Buffer Overflow bugs from user-input can often allow someone to overwrite some data in memory they weren't supposed to. Before we dive into how to exploit Buffer Overflow bugs, we will do a qui... Read more...

What Makes a Great Penetration Tester

November 4, 2019 Péter Gombos
Recently at a conference in Oslo, someone at a Managed Service Provider (MSP) told me they were not particularly jealous of my work. “As a penetration tester, don’t you all the time test the same systems at the same customer, finding the same vulnerabilities every year?” I answered that this is not... Read more...