►
A
A
So
the
progress
for
February,
what
it's
been
shipped
so
far,
is
I've
gone
ahead
and
worked
with
the
dynamic
dialysis
team
to
add
support
in
for
HTTP
authentication
for
Dost.
Previously
there
was
an
open
issue
around
documentation,
documenting
that
usage
for
users
and
just
as
part
of
my
testing
on
breach
attack
simulation
and
adding
in
additional
checks
for
callback
attacks.
A
A
Callback
servers
allow
you
to
test
for
out-of-band
interactions,
so
interactions
that
shouldn't
take
place,
that
you
may
have
a
tooling
network
in
your
typical
Network,
where
you'd
want
to
say
hey
that
triggers
a
firewall
rule
or
something
because
it's
actual
trading
data
in
some
way,
whether
it's
a
firewall
rule
or
an
alert
from
SIM
Tool.
That
type
of
interaction
is
something
that
we
want
to
test
for
and
to
do
that,
I've
gone
ahead
and
added
generic
support
for
a
callback
server.
A
So
an
HTTP
callback,
server,
very
simple
I
allow
running
that
as
a
HTTP
on
an
HTTP
ports
and
listening
inside
of
your
job
as
a
service
container,
and
so
your
gitlab
CI
job.
The
dots
job
has
the
ability
to
now.
If
you
enable
this,
a
callback
service
feature
flag,
which
is
in
in
America
request
right
now
being
reviewed.
If
you
enable
a
feature
flag,
we
actually
will
perform
a
callback
attack
in
the
case
of
different
cwes,
like
CW
94,
which
is
around
code
code
injection.
A
A
I'll
be
documenting
all
of
that
in
a
public
issue
with
all
those
findings,
once
I've
made
those
sort
of
internal
changes,
the
browser,
browsarker
scanner
for
out
of
bound
interaction,
one
of
the
things
I've
done
in
my
previous
showcase
I
went
over
using
a
nuclei
and
where
I
was
able
to
use
nuclei,
interact,
sh
interaction
and
then
append
those
details
into
the
vulnerability
reports.
Using
the
generic
report
schema
well.
A
I've
now
moved
that
natively
into
our
own
dos
dungeon,
where
I'm
actually,
pending
that
interaction
details,
whether
constant
interact,
sh
or
whether
it
comes
from
another
callback
server.
So
I've
made
a
generic
report
on
top
of
the
generic
Port.
What
I've
done
is
I've
added
in
details
about
different
interaction,
types.
What
and
it
doesn't
matter
which
engine
you
use
for
your
callback
server,
it's
ill
across
those.
A
But
so
I
have
additional
metrics
that
we
start
collecting,
where
we
can
see
that
there's
not
many
users
using
the
Callback
server
attack
feature
flag,
and
then
we
can
see
the
growth
and
I
can
provide
metrics
around
the
growth
of
the
unique
number
of
projects
that
we're
seeing
with
the
Callback
attack,
feature
flag,
enabled
for
their
dos
jobs,
and
so
that's
going
to
be
totally
Anonymous,
but
we'll
just
get
it.
She
was
a
really
quick
metric
around
hey.
A
That's
something
I
really
want
to
say
because
right
now,
it's
it's
heavily
around
code
injection
there's
other
types
of
vulnerabilities,
where
I
can
enforce
a
website
to
reach
out
to
my
callback
server
to
Prevail,
there's
also
integration
with
custom
scanners.
That's
some
really
good
conversations
with
the
nuclei
team
and
the
and
the
project.
Discovery
team.
A
You
build
nuclei
around
potential
Integrations
there
and
I've
planned
some
Upstream
changes
around
the
nuclear
analyzer
tool
that
I
built
and
merging
a
lot
of
that
functionality
for
generating
a
gitlab
security
reports
back
into
the
the
open
source
nuclei
tool
and
giving
back
to
the
community
there
as
well
as
that
is
there's
integration
with
third-party
callback
servers
interact.
Sh
is
one
that
I've
demoed
in
the
past
and
adding
in
the
integration
from
there
from
the
gitlab
side.