alla's blog

Webmail XSS Tester - Excess2

Here is a script to automate testing of webmail systems for cross-site scripting. It uses the XSS Cheat Sheet to generate the injection strings. Compared to the previous version, this version downloads the XSS cheat sheet on the fly (instead of having it hard-coded) and supports SMTP authentication.

NAME
       excess2 - A script for testing webmail systems for cross-site scripting
       problems

DESCRIPTION

MagicTree Beta Two Publicly Available

Here we go with the first public release of MagicTree, unimaginatively called Beta Two. MagicTree is a penetration tester productivity tool: it allows easy and straightforward data consolidation, querying, external command execution, and (yeah!) report generation. In case you wonder, “Tree” is because it stores all the data in a tree, and “Magic” because it is designed to magically do the most cumbersome and boring part of penetration testing – data management and reporting. See What is MagicTree for more details.

Windows vs Linux vs MacOS vs OpenBSD

Or Quality Vs. Quantity

It seems to be an unsolvable puzzle for programmers: why would users prefer a buggy and awkward operating system, like Windows, to an elegant and slim one, like Mac OS X? Or prefer a patchy and dirty Linux to clean and secure OpenBSD? Obviously a program that does a few tasks very well is better than a program that does a lot of things badly?

Exploiting cross-site scripting in Referer header

The application that echoes the Referer header is vulnerable to cross-site scripting. And it is perfectly exploitable. Here is how:


CSRF protection also fixes reflected XSS

An application I have recently tested had cross-site request forgery protection implemented throughout - every single form or link with parameters had an additional parameter with a value derived from the session id. When the form is submitted or the link is clicked, before any other processing, this parameter value is checked.

And guess what - that also makes all reflected cross-site scripting bugs not exploitable. How?


Porting MagicTree to Mac OS X

Well, MagicTree is written in Java, so in theory we shouldn't need to port anywhere. But, as they say, "In theory, theory and practice are the same. In practice, they are not." Actually most things worked without any porting, which is a good thing. Still, a few things had to be done.

To get a more Mac OS-like look and feel we had to make MagicTree show the menu bar at the top of the screen rather than in the main frame, respond to application menu items such as "About" and "Quit" (and remove those menu items from File and Help respectively), and make the application icon look pretty.


Russian Spying Operation Cracked

Passwords on post-it notes, unencrypted Wi-Fi, Windows hanging, laptops breaking and other IT misery

This article in Computerworld is absolutely hilarious.

Worst security hole you've ever seen?

In a thread on StackOverflow people (programmers mostly) post about the worst security holes they have ever seen. It's pretty interesting reading.

You know what's most interesting about it? If you are a practising pentester, you'll be bored halfway through the first page, because you have seen most of those holes. Negative amount of pizza? You bet.

(Avoiding) SQL Injection In LIKE Clause

A lot of web developers have gotten the message about SQL injection and are using parametrized statements. Still, there are a few cases where using parametrized statements is not quite straightforward, such as in a LIKE clause.

Suppose you want to do something like this:

SELECT * FROM people WHERE name LIKE 'joe%'

and the string "joe" is supplied by the user. How do you do that? This won't work:

SELECT * FROM people WHERE name LIKE '?%'

Neither will this:

SELECT * FROM people WHERE name LIKE ?%
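As an added example (not code from the original post), here is the approach that does work, shown in Python with sqlite3: the wildcard goes into the parameter value rather than into the SQL text, and any % or _ the user types is escaped so it matches literally. The table and names are constructed for the demo, and the unsafe function is included only to contrast the two.

```python
import sqlite3

# Constructed sample data for this example (not from the original post).
SAMPLE_NAMES = ["joe", "joey", "joan", "100% joe", "jo_e", "bob"]


def make_db():
    """In-memory SQLite database seeded with the constructed names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT)")
    conn.executemany("INSERT INTO people VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    return conn


def escape_like(value, esc="\\"):
    """Escape the LIKE wildcards (% and _) and the escape character itself,
    so that user-supplied wildcards match literally instead of as patterns."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def prefix_search_unsafe(conn, user_input):
    """The broken approach: the user string is pasted into the SQL text.
    A quote breaks the query and a % or _ becomes a wildcard."""
    sql = "SELECT name FROM people WHERE name LIKE '%s%%'" % user_input
    return sorted(row[0] for row in conn.execute(sql))


def prefix_search(conn, user_input):
    """Safe prefix search: 'joe%' is built as the *parameter value*, the SQL
    text stays LIKE ? ESCAPE '\\', and the driver handles quoting."""
    pattern = escape_like(user_input) + "%"
    rows = conn.execute(
        "SELECT name FROM people WHERE name LIKE ? ESCAPE '\\'", (pattern,)
    )
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    print(prefix_search(db, "joe"))     # ['joe', 'joey']
    print(prefix_search(db, "100%"))    # ['100% joe']  (literal percent sign)
    print(prefix_search(db, "%"))       # []  (not "everything")
```

The same pattern applies to any database: bind the whole pattern as one parameter, or build it server-side with CONCAT(?, '%') where the dialect supports it.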

MagicTree Beta One Is Out

MagicTree Beta One is out!

They don't have <dance> or <jump-up-and-down-excitedly> tags in HTML or I'd use those too.
