kto: A Powerful Web Scanner used by researchers and Cybercriminals Alike
by Eduard Kovacs
Cyber security has become a highly important issue in the past period. Both individuals and companies have started realizing that computers and the Internet in general are not only a way to have fun or perform various work tasks in an efficient manner, but also a “tool” for criminals to commit crimes with.
Nikto: How to Launch Mutation Techniques
Nikto is an open source web server assessment tool. It is designed to find various default and insecure or dangerous files/CGI, configurations and programs on any type of web server. It scans a web server for software misconfigurations, insecure files, outdated servers and programs to find security vulnerabilities.
Four Misconceptions Abouut ISO/IEC 27001
by Paulo Coelho
Article tries to deconstruct some of the misconceptions about ISO/IEC 27001. This security management standard is said to require the introduction of control activities into the normal business and IT operations, which consequently increases the workload and causes operational inefficiencies.
Testing Your Most Valuable Assets
by Alan Cook
When thinking about Information Security, we can sometimes be forgiven for thinking that technology is the answer to all our security problems. Though a little rare in these later times, hardware and software products are often sold as the ‘silver bullet’ to solve all our security or compliance woes, but it’s actually ‘People’ who represent the core operating component of any business and therefore are both a very real threat and blessing to our infrastructure and its layered Information Security Management System. It is therefore ‘people’ who are ultimately responsible for the success or failure of security in an organisation and it is they who need to be considered most within the scope of our security testing.
Burp Suite – Automated and Manual Processes Used to Identify Vulnerabilities
by Killian Faughnan
As most penetration testers know, there is no amount of automated tools that could replace a real life pen-tester. Sure, in our testing we use automated tools to assist and speed up the process, but when you really get down to it there is no substitution for doing it yourself. This article will go through some of the more commonly used components of the PortSwigger Burp Suite, looking at the automated and manual processes that can be used to identify vulnerabilities in web applications, and how to leverage both methods in order to get the most out of the Burp Suite.
How To Infiltrate Corporate Networks Using XML External Entity Injection
by Gerasimos Kassaras
This tutorial is going to explain how to exploit an External Entity Injection (XXE) vulnerability using Burp suite and make the most out of it. Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.
Web Application Penetration Testing Using Burp Suite
by Omar Al Ibrahim
Burp Suite is an integrated platform with a number of tools and interfaces to enumerate, analyze, scan, and exploit web applications. Its main tool, Burp Proxy, is used to intercept HTTP request/responses, but it has recently been extended to provide a suite of other useful tools for web penetration testing. In this article, I will introduce some of the features of Burp Suite and share my experiences in web penetration testing using these tools.
SSH Tunnels: How to Attack Their Security
by Andrea Zwirner
You will learn how to use SSH tunnels to bypass network and web application firewalls, antiviruses; how to encapsulate SSH tunnels to bypass proxies and content in spection devices; how privilege separation programming pattern enforces local processes security; how to trace SSH daemon activities in order to steal login passwords and sniff SSH tunneled communications catching interprocess communications.