Events Related:

Resources:

  • Review: Advanced Penetration Testing (APT) – ethicalhacker.net
    This year I had the opportunity to take a few stellar instructor-led training courses, one of which was Joe McCray’s “Advanced Penetration Testing: Pentesting High Security Environments” course from his training entity LearnSecurityOnline.
  • Marcell published “Writing your own password cracker” presentation – red-database-security.com
    Marcell describes different ways to achieve this goal, e.g. source code analyze, debugging or reverse engineering.
  • Website Security Statistics Report (2010) – Industry Bechmarks – jeremiahgrossman.blogspot.com
    “How are we doing?” That’s the question on the mind of many executives and security practitioners whether they have recently implemented an application security program, or already have a well-established plan in place.
  • How to View a Report in WACA? – msdn.com
    Web Application Configuration Analyzer v1.0 is the latest tool released by our team that scans a machine for deployment best practices.
  • How to Scan a Server using WACA? – msdn.com
    The tool will perform prerequisite scanning first to determine server existence, administrative access, IIS and SQL versions and remote services availability.
  • Beyond Nmap: Other network scanners – irongeek.com
    This is a presentation I did for the Blugrass ISSA chapter. Tools covered, at least lightly, are: Nmap, Hping, UnicornScan, AutoScan, Netscan, Metasploit, NetworkMiner and of course BackTrack 4 R1.
  • DOM Hacking – Paper and Tools – shreeraj.blogspot.com
    DOM Hacking was presented at BlackHat and going to present at next HackInTheBox.

Tools:

  • Websecurify 0.8 Alpha 1 – code.google.com/p/websecurify/
    Websecurify is a powerful web application security testing platform designed from the ground up to provide the best combination of automatic and manual vulnerability testing technologies.
  • Dom Xss Test Cases Wiki Project – code.google.com/p/domxsswiki/
    Dom Xss Test Cases Wiki is a KB for defining sources of attacker controlled inputs and sinks which potentially could introduce DOM Based Xss issues.
  • Havij – Advanced Automated SQL Injection Tool– darknet.org.uk
    Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.
  • Web Application Configuration Analyzer v1.0 RTW is live! – msdn.com
    Web Application Configuration Analyzer (WACA) is a tool that scans a server against a set of best practices recommended for pre-production and production servers.
  • TA-Mapper: Application Penetration Testing Effort Estimator – coffeeandsecurity.com
    Time and Attack Mapper (alternatively known as TA-Mapper) is an effort estimator tool for blackbox security assessment (or Penetration Testing) of applications.
  • skipfish 1.67b – code.google.com/p/skipfish/
    A fully automated, active web application security reconnaissance tool.
  • Ethical Hacking ASP.NET 1.3.0.1 – ethicalhackingaspnet.codeplex.com/
    The v.1.3.0.1 contains minor fixes and enhancements to the Padding Oracle test.
  • CERT Basic Fuzzing Framework Update – cert.org
    The BFF is a framework to perform file mutation fuzzing for Linux applications.
  • Samurai WTF 0.9 BruCON pre-release – brucon.org
    Justin Searle was so kind to release the latest version of Samurai Webapplication Testing Framework made for the BruCON workshops.
  • PyLoris 3.2 – sourceforge.net/projects/pyloris/
    PyLoris is a scriptable tool for testing a server’s vulnerability to connection exhaustion denial of service (DoS) attacks.

Techniques:

Vulnerabilities:

Vendor/Software Patches:

Other News: