Web Apps Archives - 7ASecurity Blog
https://7asecurity.com/blog/
Helping you secure apps and websites
Last updated: Thu, 10 Apr 2025 13:18:33 +0000

BruCon 2011 Lightning Talk winner slides, experience and some pics
https://7asecurity.com/blog/2011/12/brucon-2011-lightning-talk-winner/
Fri, 02 Dec 2011 02:06:00 +0000

I would like to use this opportunity to thank everybody who voted for my lightning talk “Web app testing without attack traffic” as the “BruCon 2011 Lightning Talk winner”. I only had 5 minutes, so I had to take out many things I wanted to cover. For this reason, I have significantly expanded this talk (106 slides …

Testing Web apps without attack traffic
https://7asecurity.com/blog/2011/09/testing-web-apps-without-attack-traffic/
Mon, 12 Sep 2011 23:00:00 +0000

I will be giving a lightning talk at BruCon next week. My goal is to give a quick overview of the vast amount of tests possible before you have permission to test a target. This is particularly useful if you are given a short test window but you are willing to put in the extra effort …

Testing for SSL-TLS (OWASP-CM-001)
https://7asecurity.com/blog/2011/07/testing-for-ssl-tls-owasp-cm-001/
Sat, 16 Jul 2011 01:17:00 +0000

A nice tool for SSL cipher testing is this Perl script: ssl-cipher-check.pl. However, in BackTrack and also on other distros you may get this error the first time you run it:

ssl-cipher-check.pl -vw my.exampledomain.com 443
… ERROR: Unable to find /usr/bin/gnutls-cli-debug. Please install the gnutls-devel package

To avoid that, simply install the missing package as …

Testing for HTTP Methods and XST (OWASP-CM-008)
https://7asecurity.com/blog/2011/07/testing-for-http-methods-and-xst-owasp/
Sat, 02 Jul 2011 00:36:00 +0000

When testing for HTTP Methods and XST, a common vulnerability to find is XST. When you manually verify that this vulnerability is truly present (i.e. not a tool false positive) you can use tools like netcat, but sometimes the web server is using SSL and netcat will not work straight away. You can get around this …

XSS myths: input validation is not enough!
https://7asecurity.com/blog/2011/04/xss-myths-input-validation-is-not/
Fri, 29 Apr 2011 01:07:00 +0000

Do you still believe input validation is enough to fix Cross Site Scripting (XSS)? Billy Hoffman said it best at ShmooCon 2007 (4 years ago!!!) in his talk “JavaScript Malware for a Grey Goo Tomorrow” (fast forward to Q & A, minute 51:45). A person in the audience asks: “You said that AJAX doesn’t really change …

iptables: white-listing TCP connections to reduce self-0wnage potential
https://7asecurity.com/blog/2011/04/iptables-white-listing-tcp-connections/
Fri, 01 Apr 2011 04:20:00 +0000

NOTE: This will work in BackTrack, Ubuntu and pretty much any Linux distro as far as I know.

There are times when you would like to open a service to the internet and it is OK to only allow one host/IP address to connect to you, for example:
– Host-to-host transactions
– During a pentest …

Mitigating ISP disruption
https://7asecurity.com/blog/2010/12/migitating-isp-disruption/
Fri, 17 Dec 2010 06:26:00 +0000

The problem

There was an unexpected challenge in putting together the security weekly news last night: my ISP mistakenly thought I had not paid my bills last month and decided to disrupt my web browsing experience by displaying a web page that said something like “information page … you have not paid x,y,z .. to …
