Security Post-it #4 – XSS yes, but with <style> !

In this short security post-it, I explain how to exploit XSS through inline styles.

May 11, 2021

Top Security article

AWS Tower

AWS Tower has been developed by security engineers, for security engineers. Even without AWS knowledge you can still easily see the security issues or other information like DNS records, allowed IP addresses or open ports.

Jan 06, 2021

Top Infrastructure article

Nginx : Security configuration tips

This article is going to give you some advice to improve the security of your Nginx web server. Several criteria are taken into account: system security, SSL/TLS security and data security.

Jan 04, 2021


Security Post-it #3 – Volatility Linux Profiles

Mar 15, 2021

In this short security post-it, I explain how to generate Linux profiles for Volatility 2 and 3, using an ephemeral docker container.


Security Post-it #2 – Volatility x Gimp

Mar 08, 2021

Short Security Post-it about using Gimp to observe a process memory dump, with Volatility.


Static Application Security Testing

Jul 28, 2020

How we scan our applications for vulnerabilities at leboncoin.


KoaJS Security Tips

Dec 30, 2019

In this article, I explain how to use KoaJS in a production environment, avoiding the vulnerabilities induced by the default configuration, and a tool to test your own website.


Security Post-it #1 – SHA-1 is broken, not HMAC

Dec 13, 2019

In this first Security Post-it, I explain how SHA-1 can be broken and why it has no impact on the robustness of HMAC.


Comparison of the SSH Key Algorithms

Sep 23, 2018

This story compares the main algorithms used to generate an SSH key, describes their weaknesses and places them against Moore's Law.


3 Tips to Boost the Performance of your Varnish Cache

Sep 16, 2018

This story presents three tips to increase the high availability and scalability of your Varnish cluster, and its speed as well:

  • Sharded caching
  • Dynamic backend resolution
  • Browser optimization

Instacart Market Basket Analysis

Sep 07, 2018

In this competition organised by Kaggle and Instacart, Constance Beguier (Morel) and I had a dataset containing customers' orders over time. The goal was to predict which products will be in a user's next order. The dataset was anonymized and contained a sample of over 3 million grocery orders from more than 200,000 Instacart users.


Apache : Security configuration tips

Sep 05, 2018

This article is going to give you some advice to improve the security of your Apache web server. Several criteria are taken into account: system security, SSL/TLS security and data security.


Driving Style Recognition

Sep 05, 2018

Through Kaggle, AXA provided us with a dataset of more than 50,000 trips by anonymous drivers. Many parameters had to be taken into account, such as trip duration and the intensity of acceleration or braking. These characteristics combine to form an overall profile that potentially makes each driver unique.
For this competition, we had to find a classifier able to distinguish whether a trip was driven by a given driver.


Postfix Exploit Attempt

Sep 05, 2018

Postfix does not implement SASL itself, which means the configuration files belong both to Postfix and to a third-party program (in our case Cyrus SASL).
In this part, I will show you the exploit I attempted, on the versions below:

  • OS: Ubuntu 10.04 (04/2010)
  • Postfix: 2.8.1 (22/02/2011)
  • Cyrus SASL: 2.1.23 (04/10/2014)
  • CVE: CVE-2011-1720 (13/05/2011)

CASSH: SSH Key Signing Tool

Jan 09, 2018

As SREs, one of our missions is to prevent intrusions in our infrastructure. How can authentication security be increased without penalising the thousands of engineers working on the platform?
A classic way to authenticate with SSH is to use a pair of keys. Then you can deploy each public key on every server and add your custom flavor.
In fact there are quite a few unused functionalities in OpenSSH, such as signed certificates, which greatly increase both security and reliability.