23 posts tagged with "technology"

A tiny fix with big impact and high risk

6 min read
Aleh Zasypkin
Creator of Secutils.dev

Hello!

In my previous post I covered the 1.0.0-alpha.2 release of Secutils.dev. The headline feature was the Page tracker, but I want to highlight a much smaller change from the same release: "recover the original URL after sign-in". It is a tiny fix with a huge UX payoff, and it's also a nice case study in how easy it is to introduce a subtle security bug while shipping it.

Detecting changes in JavaScript and CSS isn't an easy task, Part 3

8 min read
Aleh Zasypkin
Creator of Secutils.dev

Hello!

This is the third and final post in a series (Part 1, Part 2) on the surprisingly hard problem of detecting changes in a web page's JavaScript and CSS resources, written while building the Resources Tracker (now Page tracker) feature in Secutils.dev.

The previous posts covered scraping mechanics and storage. Today we look at the security side: what extra parts of the page have to be tracked to catch tampering, what it takes to scrape authenticated pages, and what defences a tool like this needs against malicious users (since "scrape an arbitrary URL" is a powerful primitive).

Detecting changes in JavaScript and CSS isn't an easy task, Part 2

6 min read
Aleh Zasypkin
Creator of Secutils.dev

Hello!

This is Part 2 of a three-part series on the surprisingly hard problem of detecting changes in a web page's JavaScript and CSS resources, written while building the Resources Tracker (now Page tracker) feature in Secutils.dev.

In Part 1 we covered inline vs external resources, dynamically loaded resources, and how to keep storage costs low with hashing. Today we tackle two more challenges: resources that don't fit cleanly into "inline" or "external", and inline resources that change on every page load even though "nothing meaningful" changed.

Detecting changes in JavaScript and CSS isn't an easy task, Part 1

7 min read
Aleh Zasypkin
Creator of Secutils.dev

Hello!

In a previous post, I explained the idea behind tracking the JavaScript and CSS resources loaded by a web page in Secutils.dev and who benefits from it. I had originally hoped to ship the feature as part of the "Q2 2023 - Apr-Jun" update, but it took noticeably longer than I thought. In this post (and the next two) I want to walk through why comparing JavaScript and CSS files between two snapshots of a web page is much harder than it looks, and what design choices made the feature work for Secutils.dev.

Security tools and AI are a perfect match

6 min read
Aleh Zasypkin
Creator of Secutils.dev

Hello!

It's an understatement to say there is a lot of hype around AI right now. It is being integrated into everything. The company I work for, Elastic, is part of the same wave with the Elasticsearch Relevance Engine (ESRE) and the Elastic AI Assistant. I'm usually skeptical of overhyped technology, but I have to admit AI is making genuine, lasting waves.

So a natural question for me is: would AI integration be useful to the users of Secutils.dev? Let's explore that with a small proof-of-concept I built this week.

Exploring third-party services with webhooks

8 min read
Aleh Zasypkin
Creator of Secutils.dev

Hello!

Today, I want to show how the Webhooks feature of Secutils.dev can be used to explore third-party services from the outside, which a security researcher would call basic active reconnaissance. Reconnaissance is just a fancy word for gathering information about a target system in order to understand its exploitable vulnerabilities and attack vectors. In this post our intent is innocent: we want to learn how a particular service implements a feature we like. The technique, however, is the same one a researcher would use.