Mutillidae Session Hijacking Lab

Overview: This is a list of steps to perform a web application session hijacking attack against a logged-in user of a web app. It uses the wonderful Mutillidae ( vulnerable web application for the victim server, Burp Suite (free or pro), and a web browser (in this case, I've chosen Firefox). Steps...

Cross Site Scripting Resources

Micah here. Recently, I've found several great resources for those of you who perform web application hacking/penetration testing. Most people are aware of the old RSnake XSS filter evasion cheat sheet, now maintained and enhanced by OWASP ( There are two other sites/web apps that can help too. One has a NSFW domain name but, as...

Quick post for my current SEC542 Students

Of course, if you aren't one of my students you can still read this. 🙂 In class I showed some extra slides on SQL injection. They are here. Additionally, for the RFI (Remote File Include) examples, I showed a text file with the following in it: <?php $command='uname -a;id -a'; echo "Running the '$command' command:";...

LIRC and Findings Template

Quick blog post to publish some documents I've created over the years. Sample Web Application Pen Test Excel Report Format: you don't need a full Word document to share your test results. That is what this doc is. It has just the facts and should be combined with a ZIP file of test data such as...

Web Hacking Firefox Plugins

When conducting a penetration test of a web application, it is very helpful to have some additional functionality built into our web browsers. The primary browser I use for conducting assessments is Mozilla's Firefox. Firefox Add-ons I Use: AdBlock Plus - I disable this AdBlocker while testing as I want to see all the images and ads....
