OWASP AppSec Ireland 2010

Over the weekend I attended OWASP AppSec Ireland 2010 at Trinity College in Dublin. It was a full-day event held on the 17th of September, starting at 9AM and ‘officially’ ending at 9PM. On my first night in Dublin I went for an excellent Italian meal with some great people, including @securityninja, @Angelill0, @danielcornell and others. The evening was polished off with a traditional pint of Guinness in a local pub.

On the day of the conference I arrived a little early and had some brief discussions with a couple of the attendees. The conference kicked off with the keynote talk by John Viega, titled “Application Security in the Real World”. This was an excellent talk that put the reality of application security within business into perspective. The keynote was followed by a brief, unplanned summary by Samy Kamkar of the talk he is touring Europe with. I look forward to seeing his full talk at BruCON next weekend.

read more…

Posted on 19 September, 2010 by ethicalhack3r

No Comments

DVWA 1.0.7 is here!

Nine months after the last release, we are proud to present the all-new Damn Vulnerable Web Application version 1.0.7.

What’s new?
The vulnerability help page has been improved.
We now display the logged-in username along with the vulnerability level and PHP-IDS status.
Blind SQL injection has been implemented.
We now have official documentation.
You can now compare all vulnerable source code in one page with the ‘view all’ button.
The whole theme has been redesigned, including a new great looking logo.
Many bug fixes and small changes throughout the application.

read more…

Posted on 8 September, 2010 by ethicalhack3r

No Comments

DropBox Security

For those of you new to Dropbox:

“Dropbox is a Web-based file hosting service operated by Dropbox, Inc. which uses cloud computing to enable users to store and share files and folders with others across the Internet using file synchronization.”

http://en.wikipedia.org/wiki/Dropbox_%28service%29

Dropbox has become very popular and widely used because it has so many different uses and makes file sharing over the internet easy. Dropbox allows you to make public image galleries, share files publicly, share files between computers and manage version control, all straight from your file system. I like to think of it as a git or Subversion repository with a nice interface.

read more…

Posted on 3 August, 2010 by ethicalhack3r

26 Comments

[Interview] The Jester

It’s not often I interview people for the blog; however, when someone catches my eye and raises my interest, I like to find out more about them and share it with my readers. This time I interviewed ‘The Jester’. The Jester has been in the media spotlight recently for taking down Jihadist terrorist web sites via targeted DoS attacks.

* Can you tell us a little bit about yourself and what you do?

Ryan, I would like to give you and your readers a little more about me but it’s kind of difficult to do that, given the nature of my targets, all I can give you sir is what’s already ‘out there’ – I am ex-mil – and slightly pissed at the surge in Jihadist online activities.

Now with regard to what I do: I aim to cause disruption to the online efforts of Jihadists on the internet. They have realized that they can recruit, train and coordinate home-grown terrorists completely via the internet, without ever having to meet. This cuts out much of the risk associated with any face-to-face contact for the recruiters. Web recruitment targets young, tech-savvy, vulnerable Muslims, the iPod generation if you like. By making these sites unreliable, the potential recruit numbers start to dwindle. I limit my hits to defined time-slots (rather than killing them completely) because I am well aware that official Counter Terrorist Agencies use some of these sites for intelligence gathering. I have been asked why I DON’T hit certain sites, well it’s simple. By NOT hitting certain sites (and hitting others hard) I am ‘herding’, people give up easily when a site is constantly up and down, and move on to a more reliable one. So it creates a funnel-effect, funneling terrorists and potential terrorists away from peripheral sites and into a smaller space that is easier to monitor.

read more…

Posted on 3 July, 2010 by ethicalhack3r

12 Comments

Why Johnny Can’t Pentest

A white paper released recently (not dated) by the University of California titled ‘Why Johnny Can’t Pentest: An Analysis of Black-box Web Vulnerability Scanners’ evaluates eleven commercial and open-source black-box web vulnerability scanners.

The three authors of the paper (Doupé, Cova and Vigna) test the black-box scanners against their custom vulnerable web application, which they called WackoPicko. Their custom web application contained a number of different technical and business logic vulnerabilities, both authenticated and unauthenticated.

They tested each scanner against WackoPicko in three different modes: Initial (point-and-click), Config (login credentials/mechanism provided) and Manual (local proxy use). The eleven scanners tested were Acunetix, AppScan, Burp, Grendel-Scan, Hailstorm, Milescan, N-Stalker, NTOSpider, Paros, w3af and WebInspect.

read more…

Posted on by ethicalhack3r

1 Comment