
More Penetration Testing Goodness with Jeriko

Over the last couple of weeks I’ve added more features to the Jeriko toolkit which I briefly covered in my post over here. For those of you who don’t know, Jeriko is a compilation of various bash scripts to ease manual penetration testing practices. The idea is to automate only the things which are sort of boring.

Anyway, now you have a few more scripts at your disposal. [...]

posted by pdp

On Security Buzzwords

I’ve got quite a lot of good feedback on the security buzzword generator I announced yesterday. For those of you who do not know, the generator is a fun little utility part of the GNUCITIZEN campaigns which helps you with coming up with new and exciting buzzwords like a security pro.

We often laugh when a new buzzword makes its rounds in the media but the fact of the matter is that buzzwords are important. [...]

posted by pdp

Security Buzzword Generator

In the light of the Month of New Security Buzzwords, I am releasing an online fuzzer to help you generate as many security buzzwords as you like. Sweet!

Jokes aside, tools like this one are quite helpful to brainstorm new ideas. If you ever do research inspired by our buzzword generator, please give us a credit. That way we will know that the tool is actually useful.

posted by pdp

No Frameworks but Environments

We certainly don’t need the ultimate pentesting framework but we can make use of the ultimate pen-testing environment.

This is sort of a pre-announcement of a tool I am currently working on, different from jeriko, which I hope will improve the way we do pentests. The tool is in its early stage of development and I could make use of several JavaScript coders if someone is up for the challenge.

posted by pdp

Codez Are Up

This is a quick announcement just to let you know that our codes are now getting synced at code.gnucitizen.org, which is basically a file browser interface to the source repositories.

The reason I had to come up with something like this is because most of our projects are dispersed across several Google Code repositories, personal SVNs and many other places. We have started so many ideas in the past that now it is hard to keep track of everything. [...]

posted by pdp

Every Link You Click is Dangerous

The truth is that some things will never get picked up by the community unless you really start bragging about them. Repetition is a key element.

Obviously not an extremely devastating vulnerability but the issue, which I have reported here and also logged in Mozilla’s bugzilla 3 months ago, is still present and works quite well. This is yet another design bug which abuses the way browsers work rather than exploiting a vulnerability within the software.

The issue is quite simple. [...]

posted by pdp

It is Persistence

Do some people have the magical skill to find vulnerabilities with ease while others don’t? Of course not! I disagree with the whole tendency to believe that technical understanding is all that is needed to find vulnerabilities.

It is mostly persistence that plays a role. Most of the researchers I know have almost zero knowledge on the subjects they dive into. [...]

posted by pdp

You Don’t Need the Ultimate Pen-testing Framework!

You’ve already got it! It is lying on your PC and it is called the shell. The shell was designed to start/stop and control processes with ease so why do we need yet another universal pen-testing framework, which does what another tool is already doing for us and it comes by default? In this post we are going to delve into the world of advanced shell programming for penetration testing purposes.

The shell is de facto the interface to your operating system. [...]

posted by pdp

Trapping HTTP Requests and Responses with Python

In my last post I showed my own implementation of an HTTPS Man-in-the-middle proxy written from scratch in Python. I’ve spent a great deal of time to make the proxy as programmer-friendly as possible. In this post I am planning to show how you can use the code to write your own proxies in the spirit of Burp, Paros, WebScarab, RatProxy, etc.

Why is this interesting? Well, it is interesting to Python developers/hackers only. [...]

posted by pdp

Python SSL Mitm Proxy and More

Lately I’ve been busy with putting together a Python module which allows me to create man-in-the-middle (MITM) HTTP proxies with a programmer-friendly extension interface and support for SSL. These kinds of proxies can be used for many things ranging from creating your own tampering proxies to hijacking network traffic via a transparent proxy connection.

I am quite pleased with the end result! [...]

posted by pdp
