The Days of XSS are Numbered: Content Security Policy Draft 1.1 Released

Posted on June 07, 2013 by Dave

A working draft of version 1.1 of the Content Security Policy (CSP) was released on Tuesday (04/06/13). For those of you that don’t know, the CSP attempts to eliminate Cross-Site Scripting (XSS) by preventing the execution of all inline scripts, i.e.: <script>alert(1)</script> and event handlers, i.e.: <img src="xss.png" onerror=alert(1)/>. When using the policy, all JavaScript must be placed in separate script files and called  Read more ...

Penetration testing for the masses with Kali – Part 2

Posted on May 21, 2013 by Finian

  Kali Linux – Pentesting for the masses? My previous blog post looked at the changing face of the Backtrack / Kali rebirth and how the Offensive Security team, along with Rapid7, are looking at progressing into the Enterprise space. In this post I will be looking a bit closer at the Kali distribution itself and getting to the bottom of some of the changes and reasoning behind the move.   Progression to a more standardised approach At its core, it’s a move to Debian Wheezy as a base  Read more ...

Penetration testing for the masses with Kali

Posted on May 15, 2013 by Finian

  Kālī (Sanskrit: काली, IPA: [kɑːliː]), also known as Kālikā (Sanskrit: कालिका), is the Hindu goddess associated with empowerment, shakti. The name Kali comes from kala, which means black, time, death, lord of death, Shiva. [source: wikipedia]   Interesting and a little scary on first glance, but perhaps more relevant to us, Kali Linux is the new generation of the industry-leading Backtrack Linux penetration testing and security auditing distribution. Kali Linux  Read more ...

Book Review – Instant Penetration Testing: Setting Up a Test Lab How-to

Posted on April 23, 2013 by Finian

Instant Penetration Testing: Setting Up a Test Lab How-to [Instant] by Vyacheslav Fadyushin, is available now from Packt Publishing at a price of £6.99 £5.94. It is aimed at the prospective or novice security consultant and will give a high level look at the penetration test process, methods and training requirements for someone to get their teeth into.   The text starts by conveying the ethos and components of a penetration test in a logical and easy to understand fashion, and does so quite  Read more ...

NFSShell: Installation on Ubuntu simplified.

Posted on March 25, 2013 by Abdul

NFSShell is a neat little tool that allows user-level access to an NFS server and its NFS shares. It can be used by penetration testers to exploit known issues with the NFS service typically associated with port 2049/tcp. A whole host of vulnerabilities are associated with an NFS share being exposed. The screenshot below shows several simple steps I took to view an NFS share available to mount on the 192.168.0.16 host. I then used the NFSShell tool to export and mount the shares to view  Read more ...

MySQL SQL Injection Practical Cheat Sheet

Posted on March 25, 2013 by Dave

There are a lot of excellent SQL injection cheat sheets out there; however, I found the majority provide only the components of a SQL injection rather than an entire, working string. As a result, successfully putting a valid query together can take some trial and error and waste precious time. I have thus attempted to create a list of pre-made strings for each type of SQL injection so that they can simply be pasted in with little modification. As SQL injections can loosely be grouped into three categories,  Read more ...