CONFidence 2009 coming up soon!

The new edition of CONFidence is coming up soon! CONFidence, which has become one of the biggest technical IT security conferences in Europe, is taking place on 15-16 May in the beautiful city of Krakow.

This is the fifth year CONFidence is taking place, and there have been several changes introduced. First of all there will be two simultaneous tracks after lunch time, whereas previous editions only offered one track all day. [...]

more | comments | comments rss | posted by

Codez Are Up

This is a quick announcement just to let you know that our codes are now getting synced at code.gnucitizen.org, which is basically a file browser interface to the source repositories.

The reason we had to come up with something like this is because most of our projects are dispersed across several Google Code repositories, personal SVNs and many other places. We have started so many ideas in the past that now it is hard to keep track of everything. [...]

more | comments | comments rss | posted by

It is Persistence

Do some people have the magical skill to find vulnerabilities with ease while others don’t! Of course not! I disagree with the whole tendency to believe that technical understandings is all that is needed to find vulnerabilities.

It is mostly persistence that plays a role. Most of the researchers I know have almost zero knowledge on the subjects they dive into. [...]

more | comments | comments rss | posted by

You Don’t Need the Ultimate Pen-testing Framework!

You’ve already got it! It is laying on your PC and it is called the shell. The shell was designed to start/strop and control process with ease so why do we need yet another universal pen-testing framework, which does what another tool is already doing for us and it comes by default? In this post we are going to delve in the world of advanced shell programming for penetration testing purposes.

The shell is defacto the interface to your operating system. [...]

more | comments | comments rss | posted by

New Version of dnsmap out!

We just released a new version of dnsmap. dnsmap is a subdomain bruteforcer for stealth enumeration.

Originally released in 2006, dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company’s IP netblocks, domain names, phone numbers, etc. [...]

more | comments | comments rss | posted by

Trapping HTTP Requests and Responses with Python

In my last post I showed my own implementation of n HTTPS Man-in-the-middle proxy written from scratch in Python. I’ve spent great deal of time to make the proxy as programmer-friendly as possible. In this post I am planning to show how you can use the code to write your own proxies in the spirit of Burp, Paros, WebScarab, RatProxy, etc.

Why is this interesting? Well, it is interesting to Python developers/hackers only. [...]

more | comments | comments rss | posted by

Python SSL Mitm Proxy and More

Lately I’ve been busy with putting together a python module which allows me to create man-in-the-middle (MITM) HTTP Proxies with a programmer-friendly extension interface and support for SSL. This kind of proxies can be used for many things ranging from creating your own tampering proxies to hijacking network traffic via a transparent proxy connection.

I am quite pleased with the end result! [...]

more | comments | comments rss | posted by

Identity Theft Attacks

Work with the system rather against it. I have always been a big fan of this approach as it proved to be successful every time it was put into practice.

So you receive one of these phone calls. The girl on the other end presents herself as Jessica Smith. The company has to do something with financing. The conversation goes as usual. [...]

more | comments | comments rss | posted by

Submit Your Top Web Hacking Techniques for 2008

Jeremiah is calling all security researchers and hobbyists to submit their favorite Web hacking techniques released during 2008. There are some nice perks too. I say Sure!.

Although I don’t like the fact that there are judges appointed to select which one is the best one. Where did the democracy go? With all the vastly expressive, social technologies that we have today, we are still stuck with juries.

In a similar fashion, The Pwnie Awards lacks any reality, imho. [...]

more | comments | comments rss | posted by

Twitter’s Security is so Poor

…and there are a lot of privacy concerns too.

IMHO, the way the Twitter folks designed their system, is totally wrong. The one and only major concern is that 3rd-part software is allowed to communicate with Twitter’s API by using the user’s login credentials. This is a bit insane as you can imagine. Why would you want to share your username and password with someone you certainly don’t trust? [...]

more | comments | comments rss | posted by