So, Clickjacking… “The basic idea is that an attacker loads the content of an external site into the site you’re visiting, sets the external content to be invisible and then overlays the page you’re looking at. When you click any link you see on the current page, you are in fact clicking on the externally [...]
Earlier this week (or rather end of last week) Robert Hansen aka RSnake released a huge, compiled list of Remote File Include Vulnerable parameters. To sweeten the deal Rob Fuller (mubix) and a few others parsed out the OSVDB’s CSV database and the compiled milw0rm site for all RFI’s listed there. What we’re left with [...]
** Note: We all love the Internet Storm Center. By far it’s one of the largest conglomerations of brilliant engineers i know. So it doesn’t really surprise me that when i was going to write a blog on Nmap’s new UDP payload scanning yesterday, contributor Rob VandenBrink beat me to it. Here is mine anyways [...]
The 2009 Summer of code has a special present for us pentesters. Normally, we use hydra or medusa to crack network service passwords (telnet, ftp, SSH, etc). Ncrack changes the game a bit. By bringing the nmap dev team/community to the table it shows promise to fix some current issues in bruteforcing network service passwords. [...]
You either love or hate Sun Tzu Quotes but, when they apply i’m inclined to use them 
“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle”
And so it is also with some web servers! Do you manage your own hosting? Or, like the million others out there, do you share one mega-server hosting hundreds of other sites as well?
Also featured on Ethicalhacker.net Feel free to respond to this article or ask any/all questions to Ferruh at Ethicalhacker.net’s Forums Today we showcase a new web application scanner called Netsparker, and believe us when we say that we put this app through the ringer. There’s a big distinction between testing a tool against dummy apps [...]
One thing you learn when you start a career pentesting is: Never assume anything. In my experience hacks aren’t always elegant and elaborate. Sometimes something simple and effective is your avenue of penetration. Which brings us to today’s topic: directory bruteforcing. Directory bruteforcing is a favorite of mine. I can’t tell you how many times [...]
Today HD Moore and Rapid7 announced that Rapid7 has purchased the Metasploit Framework Project. The speculation around this has taken the pentest and vulnerability scanning community by storm. After talking with some colleagues I have come up with the following, here’s some things you should know: First, be happy for H.D. Moore. He is one [...]