BruCON 2009

This weekend I noticed the schedule for BruCON 2009 is almost complete, so now the hard part begins: deciding what to attend and what to skip... Tough decisions have to be made :)

If you're interested in BruCON and want to stay up-to-date, join the LinkedIn group:
http://events.linkedin.com/BruCON-Security-Conference/pub/31107

Pentest(ing) politics

This week I started on a long-term assignment involving the implementation of web application security testing in the SDLC. Although it is fun to do something more structural than the average 'pentest a website and get out' assignment, there's also the element of politics that immediately rears its head.

For example, choosing a scanner... Although you can get good results with a collection of open-source or freeware tools, sometimes a commercial scanner is the better choice from a political perspective. Especially when there are quite strict regulations about the format of your reporting, choosing a commercial scanner can make your life a lot easier... On the other hand, it's absurd to decide on the acquisition of tools based on the format of a report.

It makes you wonder if you should deal with pentest politics or if you should pentest politics.

Corporate Espionage with Google Analytics

With the start of this blog I also installed Google Analytics, just to see how it works and what data it collects. What surprised me is the fact that you can add any domain without any form of authentication. The only thing you need to do is add a piece of JavaScript to the site and add the domain to your profile.
Since most sites have a few XSS holes or other vulnerabilities which you can (ab)use to add this script, a scenario for corporate espionage or information gathering is easy to imagine...
Am I just being paranoid, or could it really be that simple?
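The defensive counterpart of the scenario above is to check your own pages for analytics snippets that report to a profile you do not own. The following is an added example, not code from the original post: it collects the inline and external `<script>` content of a page, extracts Google Analytics property IDs (the classic `UA-<account>-<profile>` format used by the urchin.js/ga.js snippets, plus the newer `G-` measurement IDs) and compares them with an allowlist of the IDs the site actually uses. The sample HTML is constructed for the example and contains one legitimate tracker and one that was added to the page by somebody else.

```python
import re
from html.parser import HTMLParser

# Google Analytics property IDs: classic UA-<account>-<profile> (ga.js/urchin.js
# era) and the newer G-<id> measurement IDs, so the check also works on
# present-day snippets.
TRACKER_ID = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")

# Hostnames that indicate an analytics loader is pulled into the page.
ANALYTICS_HOSTS = ("google-analytics.com", "googletagmanager.com")

# Constructed sample page: the site's own tracker (UA-1234567-1) plus a second
# snippet reporting to a profile the site owner never created (UA-7654321-2).
SAMPLE_HTML = """<html><head><title>Example</title>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-1234567-1");
pageTracker._trackPageview();
} catch(err) {}
</script>
</head><body><h1>Hello</h1>
<script type="text/javascript">
var injectedTracker = _gat._getTracker("UA-7654321-2");
injectedTracker._trackPageview();
</script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collects inline <script> bodies and external script src attributes."""

    def __init__(self):
        super().__init__()
        self.inline = []
        self.sources = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.sources.append(src)
        else:
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def find_tracker_ids(html):
    """Return the set of analytics property IDs referenced by a page's scripts.

    Inline bodies and src URLs are both searched, because a document.write()'d
    loader may carry the ID in the URL rather than in the snippet body.
    """
    parser = ScriptCollector()
    parser.feed(html)
    text = "\n".join(parser.inline + parser.sources)
    return set(TRACKER_ID.findall(text))


def audit_page(html, allowed_ids):
    """Compare the tracker IDs on a page with the IDs the site owner really uses.

    Returns the IDs found, the unexpected ones (someone else's profile receiving
    your visitor data) and whether an analytics loader is present at all, so a
    page that is supposed to carry no analytics also gets flagged.
    """
    parser = ScriptCollector()
    parser.feed(html)
    loaders = [s for s in parser.sources + parser.inline
               if any(host in s for host in ANALYTICS_HOSTS)]
    found = find_tracker_ids(html)
    return {
        "found": found,
        "unexpected": found - set(allowed_ids),
        "loader_present": bool(loaders),
    }


if __name__ == "__main__":
    result = audit_page(SAMPLE_HTML, allowed_ids=["UA-1234567-1"])
    for tracker in sorted(result["unexpected"]):
        print("unexpected analytics profile on page:", tracker)
```

Run the same check over the HTML your web server actually serves (after rendering, since the snippet may be injected through stored XSS) and on a schedule, because an injected tracker is silent from the visitor's point of view: nothing breaks, the data simply goes to two profiles instead of one.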

QEMU: Portable Virtualization

Sometimes you find yourself in a situation where you really need that one tool on another LiveCD, but that means rebooting and losing the stuff you're working on (or at least slowing down your progress).

For this I found QEMU to be very useful. Combined with QEMU Manager, this tool provides a nice GUI-based portable virtualization tool. Best of all, it's able to boot a CD, USB device or ISO.

So put QEMU, QEMU Manager and all of your favorite ISOs on a USB stick and you are able to use all the tools you want, whenever you want. (Well... of course you cannot run any WLAN hacking tools, but that goes without saying.)
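For those who prefer the command line to QEMU Manager, the following is an added example (not part of the original post and not QEMU's own tooling) of the launch logic behind the recipe above: it looks for the QEMU binary on the USB stick before falling back to PATH, boots either a LiveCD ISO or a raw USB device, and always starts in snapshot mode so the guest can never write to the ISO or the stick. The flags used (`-m`, `-snapshot`, `-enable-kvm`, `-cdrom`, `-drive`, `-boot`) are standard qemu-system options; the directory and ISO paths are assumptions for the example.

```python
import os
import shutil
import subprocess
import sys

# Binary names to look for; the .exe variants cover a QEMU build carried on
# the stick for Windows hosts.
QEMU_NAMES = ("qemu-system-x86_64", "qemu-system-x86_64.exe", "qemu", "qemu.exe")


def find_qemu(portable_dirs=()):
    """Locate the QEMU binary, preferring the portable copy on the USB stick
    over whatever is installed on the host. Returns None if nothing is found."""
    for directory in portable_dirs:
        for name in QEMU_NAMES:
            candidate = os.path.join(directory, name)
            if os.path.isfile(candidate):
                return candidate
    for name in QEMU_NAMES:
        found = shutil.which(name)
        if found:
            return found
    return None


def build_boot_command(qemu, boot_media, mem_mb=512, kvm=None):
    """Build the argv for booting a LiveCD ISO or a raw USB device.

    boot_media: path to an .iso file, or to a raw image / block device such as
                /dev/sdb when you want to boot the stick itself.
    mem_mb:     guest RAM; LiveCDs that unpack into RAM need a few hundred MB.
    kvm:        True/False to force hardware acceleration on/off, None to use
                it only when /dev/kvm is accessible (Linux hosts).

    -snapshot sends every guest write to a temporary file, so the ISO and the
    USB stick you carry around are never modified by the guest.
    """
    if mem_mb < 64:
        raise ValueError("guest memory too small to boot a LiveCD")
    if kvm is None:
        kvm = os.access("/dev/kvm", os.R_OK | os.W_OK)
    argv = [qemu, "-m", str(mem_mb), "-snapshot"]
    if kvm:
        argv.append("-enable-kvm")
    if boot_media.lower().endswith(".iso"):
        # boot from the (virtual) CD-ROM drive
        argv += ["-cdrom", boot_media, "-boot", "d"]
    else:
        # raw disk image or block device attached as the first hard disk
        argv += ["-drive", "file=%s,format=raw,media=disk" % boot_media, "-boot", "c"]
    return argv


def boot(boot_media, portable_dirs=(), mem_mb=512):
    """Resolve the binary, validate the media and start the guest."""
    qemu = find_qemu(portable_dirs)
    if qemu is None:
        raise FileNotFoundError("no QEMU binary found on the stick or on PATH")
    if not os.path.exists(boot_media):
        raise FileNotFoundError("boot media does not exist: %s" % boot_media)
    return subprocess.call(build_boot_command(qemu, boot_media, mem_mb))


if __name__ == "__main__":
    # Assumed layout: the stick is mounted at /media/usb with qemu/ and isos/
    # directories; pass another ISO or device path on the command line.
    media = sys.argv[1] if len(sys.argv) > 1 else "/media/usb/isos/tools.iso"
    sys.exit(boot(media, portable_dirs=("/media/usb/qemu",)))
```

Booting the stick itself (`/dev/sdb` as boot_media) needs read access to the device, which on most Linux hosts means root or membership of the disk group; the snapshot flag still keeps the stick read-only from the guest's side.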

Fun with Firefox

Besides being a browser, Firefox can be a lot more due to the availability of hundreds of add-ons. "FireCAT (Firefox Catalog of Auditing exTension) is a mindmap collection of the most efficient and useful firefox extensions oriented application security auditing and assessment"

The current official version of FireCAT is still based on FF2, but most add-ons are also available on FF3. If you want to start using FF3, you should also take a look at some FF3-only add-ons: Cipherfox, JavaScript Deobfuscator, JSON View, and Lazarus form recovery. The only big disadvantage of switching to FF3 is the incompatibility of the XML developer toolbar, for which I have not found a worthy successor yet...

The big disadvantage of using all these add-ons is that if you, for some reason, have to use another machine, you have to install all your favourite add-ons again. To tackle this problem, take a look at Firefox Portable. It is a modified installer of Firefox that allows you to install it on a USB stick. All add-ons that you install on FF Portable are also instantaneously portable. This way you can always have your fully customized Firefox with you!

LinkedIn group on Web Application Security Testing

I admit, I am spamming my own blog, but I created a LinkedIn group for discussions and knowledge exchange regarding Web Application Security Testing.
Please check it out and join if you're interested.

http://www.linkedin.com/groups?gid=1964541

Going to BruCON 2009 !

Completed the registration this weekend, so I'll be at BruCON 2009!

I'm also participating in one of the trainings to refresh my "hacker skills"; now all I have to do is find a course to refresh my ethics ;)

The beginning

I finally gave in; I started a blog.
I never saw the use of it, but seeing the fun my wife got out of it I thought "why not give it a try". I'm not sure yet how often I will post anything on it, but I can always delete it again... I think... you never know with a Google service, right ;)

Last week was a busy week; besides getting a new (actually a recurring old) assignment, I went to Belgium for a presentation and also to an OWASP meeting (for which I still had to write the minutes).

Full disclosure:
Check my LinkedIn profile: http://www.linkedin.com/in/dvstein

Anything else you can find about me: good for you! :)