WhatsMyName Project

What Is It? I've created the WhatsMyName project on Github (https://github.com/WebBreacher/WhatsMyName) to help with #OSINT searches by using target user names. Here's how it works: We understand that people use the same username across multiple web sites. For example, I am "WebBreacher" on both the Github and BitBucket web sites. Some web sites make it... Continue Reading →

Mutillidae Session Hijacking Lab

Overview This is a list of steps to perform to perform a web application session hijacking attack against a logged-in user of a web app. It uses the wonderful Mutillidae (https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project) vulnerable web application for the victim server, Burp Suite (free or pro, https://portswigger.net/burp/download.html) and a web browser (in this case, I've chosen Firefox). Steps... Continue Reading →

Cross Site Scripting Resources

Micah here. Recently, I've found several great resources for those of you that perform web application hacking/penetration testing.​ Most people are aware of the old RSnake XSS filter evasion cheat sheet now maintained and enhance by OWASP (https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet). There are two other sites/web apps that can help too. One has a NSFW domain name but, as... Continue Reading →

Quick post for my current SEC542 Students

Of course if you aren't one of my students you still can read this. 🙂 In class I showed some extra slides on SQL injection. They are here http://www.slideshare.net/webbreacher/sans-night-talk-sql-injection-exploited Additionally, for the RFI (Remote File Include) examples, I showed a text file with the following in it: <?php $command='uname -a;id -a'; echo "Running the '$command' command:";... Continue Reading →

LIRC and Findings Template

Quick blog post to publish some documents I've created over the years.Sample Web Application Pen Test Excel Report Formathttps://drive.google.com/file/d/0B4pazXmFTvF2dGFYdlJYWDVKUkk/view?usp=sharingSometimes you don't need a full Word document to share your test results. That is what this doc is. It has just the facts and should be combined with a ZIP file of test data such as... Continue Reading →

Behind the Curtain: User-Agent and You

Let me ask you a question dear reader, have you ever visited a website that one of your friends posts a link to only to find that the site requires you to register for an account before you can see the content? Or perhaps you visited a web site on your computer and then also... Continue Reading →

Web Hacking Firefox Plugins

When conducting a penetration test of a web application, it is very helpful to have some additional functionality built into our web browsers. My primary browser I use for conducting assessments is Mozilla's Firefox. Firefox Add-ons I Use AdBlock Plus - I disable this AdBlocker while testing as I want to see all the images... Continue Reading →

A WordPress.com Website.

Up ↑

%d bloggers like this: