WhatsMyName Project

What Is It? I've created the WhatsMyName project on GitHub (https://github.com/WebBreacher/WhatsMyName) to help with #OSINT searches by using target user names. Here's how it works: We understand that people use the same username across multiple web sites. For example, I am "WebBreacher" on both the GitHub and Bitbucket web sites. Some web sites make it... Continue Reading →

Mutillidae Session Hijacking Lab

Overview This is a list of steps to perform a web application session hijacking attack against a logged-in user of a web app. It uses the wonderful Mutillidae (https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project) vulnerable web application for the victim server, Burp Suite (free or pro, https://portswigger.net/burp/download.html) and a web browser (in this case, I've chosen Firefox). Steps... Continue Reading →

Cross Site Scripting Resources

Micah here. Recently, I've found several great resources for those of you who perform web application hacking/penetration testing. Most people are aware of the old RSnake XSS filter evasion cheat sheet, now maintained and enhanced by OWASP (https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet). There are two other sites/web apps that can help too. One has an NSFW domain name but, as... Continue Reading →

Quick post for my current SEC542 Students

Of course, if you aren't one of my students, you can still read this. 🙂 In class I showed some extra slides on SQL injection. They are here: http://www.slideshare.net/webbreacher/sans-night-talk-sql-injection-exploited Additionally, for the RFI (Remote File Include) examples, I showed a text file with the following in it: <?php $command='uname -a;id -a'; echo "Running the '$command' command:";... Continue Reading →

LIRC and Findings Template

Quick blog post to publish some documents I've created over the years. Sample Web Application Pen Test Excel Report Format: https://drive.google.com/file/d/0B4pazXmFTvF2dGFYdlJYWDVKUkk/view?usp=sharing Sometimes you don't need a full Word document to share your test results. That is what this doc is. It has just the facts and should be combined with a ZIP file of test data such as... Continue Reading →

Web Hacking Firefox Plugins

When conducting a penetration test of a web application, it is very helpful to have some additional functionality built into our web browsers. The primary browser I use for conducting assessments is Mozilla's Firefox. Firefox Add-ons I Use AdBlock Plus - I disable this AdBlocker while testing as I want to see all the images... Continue Reading →
