So let’s say that you decide to write a tool for doing some web related exploitation, enumeration, etc. The preferred language of choice comes down to perl, python ruby (C if you are an old school diehard).
It has to run from the command line. It has to have flags, etc, etc, and pretty much everything else a command line tool usually needs. [...]
Here is a common problem. You have to write an web-based email, im, ssh, xmmp, SMB, etc. client which must connect to a server other then the originating one. What do you do then? Hint: You cannot use Java!
Well, due to the fact the the browser has no idea how to spawn a tcp socket, you are stuck in the proxy-land. Typically you will write an application that will do a lot of transcoding and state management. [...]
This will be an old new if you are following Ronald’s blog but nevertheless I’ve decided to make it public here as well, because the only way you can fight these menace is by sharing and dissecting. The malware is heavily obfuscated but not as much as it can get. In fact, just by glancing through the code you can see the key points of the execution process.
Don’t get too excited about this source as it is useless. In fact there is nothing interesting about it. [...]
I don’t want to brag about it but this project was slashed in 5 minutes and this is not due to some amazing tech wizardy. It is mainly due to the powerful Java development platform and the tones of development information resources, Java coders have on their hands. I just made use of them. This morning I had some thoughts around the Metasploit and w3af projects and how the GNUCITIZEN team can contribute some modules to make both of them even more powerful. [...]
Over the weekend I started thinking more seriously about where AttackAPI is going. I’ve come up to the conclusion that there is a lot of work ahead of us and we need to start thinking a lot more about the design before doing anything drastic. It quickly came to my mind that some of you may like to use the stable parts of the attack library for other things. For example, I quite often make use of the core utilities for all kinds of command line tools. [...]
SPI Dynamics released a paper on how to port scan and do other cool stuff with JavaScript. I found the paper quite interesting and I decided to make my own port scanner in JavaScript. My aim was to build a small, fast and reusable javascript portscanning object. After a couple of hours fiddling around with IMG tags and other DOM elements I came up with the following solution.
The code depends on your connection speed and might not be very accurate. [...]
test your web apps with websecurify application security testing runtime