With the start of this blog I also installed Google Analytics just to see how it works and what data it collects. What surprised me is the fact that you can add any domain without any form of authentication. The only thing you need to do is add a piece of JavaScript to the site and add the domain to your profile.
Since most sites have a few XSS holes or other vulnerabilities which you can (ab)use to add this script, a scenario for corporate espionage or information gathering is easy to imagine ...
Am I just being paranoid, or could it really be that simple?
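A defender-side check for the scenario above, added here as an example and not part of the original post: it scans a page's HTML for Google Analytics loader scripts and tracker IDs and flags any ID that is not on the site owner's own allowlist (the HTML and the IDs below are constructed sample data; the UA- and G- ID formats are Google's documented forms).

```python
import re

# Tracker ID formats: classic "UA-<account>-<property>" and GA4 "G-<measurement>".
TRACKER_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")

# Script tags that load the analytics library (classic ga.js/urchin.js or gtag.js).
GA_LOADER_RE = re.compile(
    r"""<script[^>]+src=["'][^"']*(google-analytics\.com/(ga|urchin)\.js"""
    r"""|googletagmanager\.com/gtag/js)""",
    re.IGNORECASE,
)


def find_tracker_ids(html):
    """Return the distinct tracker IDs referenced anywhere in the page, sorted."""
    return sorted(set(TRACKER_ID_RE.findall(html)))


def audit_page(html, allowed_ids):
    """Report loader presence, all tracker IDs found, and IDs not on the allowlist.

    An unexpected ID means somebody other than the site owner is collecting
    visitor data from this page, e.g. via a tag injected through stored XSS.
    """
    ids = find_tracker_ids(html)
    return {
        "loader_present": bool(GA_LOADER_RE.search(html)),
        "tracker_ids": ids,
        "unexpected_ids": [i for i in ids if i not in set(allowed_ids)],
    }


# Constructed sample: the owner's legitimate tracker plus a second, foreign
# tracker added through the async snippet (the kind of injection the post describes).
SAMPLE_HTML = """
<html><body>
<script type="text/javascript" src="http://www.google-analytics.com/ga.js"></script>
<script type="text/javascript">
  var pageTracker = _gat._getTracker("UA-1234567-1");
  pageTracker._trackPageview();
</script>
<div class="comment">nice post</div>
<script>var _gaq=_gaq||[];_gaq.push(['_setAccount','UA-7654321-9']);_gaq.push(['_trackPageview']);</script>
</body></html>
"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, ["UA-1234567-1"]))
```

Note that a Content-Security-Policy script-src allowlist does not catch this case when the site legitimately uses Google Analytics, because the injected tag loads from the same allowed origin; comparing the tracker IDs actually present against the ones you own is the check that works.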
QEMU: Portable Virtualization
Sometimes you find yourself in a situation where you really need that one tool on another LiveCD, but that means rebooting and losing the stuff you're working on (or at least slows you down in the process).
For this I found QEMU to be very useful. Combined with QEMU Manager this tool provides a nice GUI-based portable virtualization tool. Best of all, it's able to boot a CD, USB device or ISO.
So put QEMU, QEMU Manager and all of your favorite ISOs on a USB stick and you are able to use all the tools you want, whenever you want. (Well ... of course you cannot run any WLAN hacking tools, but that goes without saying.)
Labels:
virtualization,
WAST
Fun with Firefox
Besides being a browser, Firefox can be a lot more due to the availability of hundreds of add-ons. "FireCAT (Firefox Catalog of Auditing exTension) is a mindmap collection of the most efficient and useful firefox extensions oriented application security auditing and assessment"
The current official version of FireCAT is still based on FF2, but most add-ons are also available on FF3. If you want to start using FF3, you should also take a look at some FF3-only add-ons: Cipherfox, Javascript Deobfuscator, JSON View, and Lazarus form recovery. The only big disadvantage of switching to FF3 is the incompatibility of the XML developer toolbar, for which I did not find a worthy successor yet...
The big disadvantage of using all these add-ons is that if you, for some reason, have to use another machine, you have to install all your favourite add-ons again. To tackle this problem, take a look at Firefox Portable. It is a modified installer of Firefox that allows you to install it on a USB stick. All add-ons that you install on FF Portable are also instantaneously portable. This way you can always have your fully customized Firefox with you!
Labels:
WAST
LinkedIn group on Web Application Security Testing
I admit, I am spamming my own blog, but I created a LinkedIn group for discussions and knowledge exchange regarding Web Application Security Testing.
Please check it out and join if you're interested.
http://www.linkedin.com/groups?gid=1964541
Going to BruCON 2009!
Completed the registration this weekend, so I'll be at BruCON 2009!
I'm also participating in one of the trainings to refresh my "hacker skills"; now all I have to do is find a course to refresh my ethics ;)
The beginning
I finally gave in; I started a blog.
I never saw the use of it, but seeing the fun my wife got out of it I thought "why not give it a try". I'm not sure yet how often I will post anything on it, but I can always delete it again ... I think ... you never know with a Google service, right ;)
Last week was a busy week; besides getting a new (actually recurring old) assignment I went to Belgium for a presentation and also to an OWASP meeting (for which I still had to write some minutes).
Full disclosure:
Check my LinkedIn profile: http://www.linkedin.com/in/dvstein
Anything else you can find about me: good for you! :)
Labels:
about_me