A few weeks ago I decided to take PTO to focus on understanding the current state of Rust and Web Assembly (WASM), two promising technologies that look completely unrelated. Rust is a language designed for systems programming, WASM is a bytecode standard designed for web browsers to be an alternative runtime to JavaScript.

On the surface, WASM looks immature, niche, and barely usable. You can’t even send text strings between a WASM guest and host, only numbers. Below that surface is a community on fire. Teams are sprinting at breakneck speeds to create runtimes, host environments, cloud solutions, system bindings, and everything in between. It’s not just one more new technology surrounded by a bunch of excitable nerds. These projects are taking first stabs at drawing a line around the smallest and most portable bundle of logic. …

Screenshot of Hackium and the REPL

with shift-refactor and shift-interpreter

I’m super excited to release Hackium, shift-refactor, and shift-interpreter — three tools that I’ve been using to analyze, automate, and manipulate web sites for the past year. These projects have been a long time in the making, they incorporate techniques I started playing with 20+ years ago. Granted, those techniques were little more than a hacky HTTP proxy and dozens of regular expressions, but the spirit was there.

Hackium is a command line tool, a browser, and a framework. That’s the elevator pitch, anyway. Technically, Hackium is a nodejs library that extends puppeteer to control a bundled version of Chromium, preconfigured to disable security controls and expose more APIs. That’s less catchy. …

Puppeteering for fun and outerwear

I wouldn’t say I have a problem. I have an inclination. I like to take things apart and change how they work. As a kid I’d stay on the computer all night poking at bits in memory trying to change a program’s behavior. Most programs would just break. Sometimes you’d hit the right bit and be rewarded with infinite cash in a computer game.

Fast forward a few decades and this inclination led to a career in software development and web security. Websites are perfect for the curious. You can view source code, inspect every request, and tweak an app live via the dev tools. As an application developer, it’s a nightmare. …

The result of one week of deepfake experimentation

How easy is it to create a deepfake?

This is my experience getting started with deepfakes using DeepFaceLab. This article chronicles the general steps I went through to create a deepfake video to demonstrate how advanced the technology has gotten and how simple it is to use. This is not a step-by-step tutorial but it will point you to where you need to go.
I am beyond fascinated with deepfakes. From the videos of celebrity mashups like Jim Carrey’s face transferred onto Alison Brie’s body…

…to the implications fake video and audio will have on the world in general…

Why? We’ve all seen The Avengers or The Lord of the Rings movies and their incredible computer effects. We know what good CGI looks like because we’ve also seen awful CGI. Great CGI is expensive and big-name movies that have bad computer effects stand out because you expect the opposite. The contrast between expectation and reality is jarring. It’s not that the CGI is bad, it’s that you’re expecting it to be good. The deepfakes we’ve seen go viral are so compelling because the videos have virtually no value but the quality of the effect is incredible. You’re not expecting much but you get Steve Buscemi’s face on Jennifer Lawrence. Your Instagram filters are going to get wild. …

Photo by Samuel Zeller on Unsplash

Get started with Node & GCP

The serverless trend is the latest evolution of network application architecture. You no longer need to think about the hardware, the OS, or even the running application. Deploy nothing more than the lines of code you need to run wrapped in a node.js function.

Deploying serverless functions to Google’s Cloud Platform (GCP) is not difficult, but it requires using and understanding the gcloud command line tool. The gcloud tool enables you to administer your Google Cloud setup via the command line.

Install the gcloud command line tool by downloading the Google Cloud SDK. Make sure the executables are located in your path. …

Transform, manipulate, and deobfuscate JavaScript with shift-refactor

For the last few weeks I have live streamed several reverse engineering and deobfuscation sessions. In these sessions I’ve been using an until-now unpublished library.

Today I am publishing a preview version of shift-refactor that you can install via npm:

$ npm install shift-refactor

What does shift-refactor do?

shift-refactor is a general purpose JavaScript manipulation and refactoring tool. It provides many common methods you’d want to use when dealing with source code: methods that allow you to do things like rename variables, delete statements, or insert helper code before a line. Transforming JavaScript source is nothing new, but it’s never been something many would call quick and easy. Existing methods often rely on tree traversals, tree folds or reducers, and other code-or-configuration-heavy ways of finding and modifying an AST, an abstract syntax tree. An AST is just a big data structure that represents parsed source code. shift-refactor abstracts all the work of traversing an AST away by leveraging shift-query, a library that queries the tree via CSS-style selectors like IdentifierExpression[name="program"]. …

An attacker allegedly gained access to an npm user account and published modules that broke dependents. But why?

On July 12th Harry Garrood posted a personal blog entry outlining deliberate sabotage aimed at the PureScript installer. Two separate dependencies, both owned by a user who goes by @shinnn, targeted the npm package purescript-installer with malicious code using techniques that I've seen in exploits by other attackers. Shinnn claims his account was compromised and that these packages were published without his knowledge.

How to use parsers and other tools to analyze JavaScript

Over 20 years after its creation, JavaScript is the most used language in the world. It is the only language that runs on the most popular platform (the web), it is more frequently the technology behind native applications (Visual Studio Code, Discord, and Slack), and powers critical mobile apps (Facebook, Skype, Tesla). Do you know what’s also grown popular? Bug bounty programs and discovering vulnerabilities that result in cold hard cash.

Any stereotypical hacker scene shown in a movie or on TV will, 100% of the time, show someone sitting in front of a terminal typing out cryptic commands on a black screen (unless you’re using the 3d unix UI from Jurassic Park). …

Credential Stuffing Myths #1

I work at Shape Security, the company founded by the guy who coined “credential stuffing.” This post clarifies a misconception about credential stuffing as it relates to 2FA. You should still enable 2FA whenever possible — it is an effective method for reducing account takeovers — it just doesn’t stop credential stuffing attacks.

There’s a great post on the Google Security blog entitled “How effective is basic account hygiene at preventing hijacking.” The post provides insight into two-factor authentication and its effectiveness at Google scale. …

One of the problems with imitation attacks such as sophisticated credential stuffing is that they are designed to blend in with legitimate traffic. How can you measure something that you can’t detect? Fear-mongering marketing compounds this problem and makes everything sound like a snake-oil solution for a problem people don’t think they have.

Imitation attacks against your services and APIs leverage inherent functionality in your system. In other words, they can be successful even when you have patched, firewalled, and done everything perfectly from an application security standpoint. Blocking basic credential stuffing attacks generated from naive bots is straightforward but, as attackers evolve, they develop more sophisticated tools to launch attacks that blend in with legitimate traffic better. They use machine learning to emulate user behavior like mouse movements and keystrokes. They generate or harvest digital fingerprints to distribute across a botnet to make each node appear more “real.” They proxy requests through residential IP addresses to give the traffic the appearance of originating from known-good home networks. Google themselves make tools like Puppeteer and headless Chrome to automate and script the world’s most common browser, which is exactly what you would use if you were trying to blend in with legitimate users. …

Jarrod Overson

I write about JavaScript, Reverse Engineering, Security, and Credential Stuffing. Also a speaker, O'Reilly Author, creator of Plato, Director at Shape Security.