The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as […]
Archives for May 2015
IRS Was Not Hacked – Taxpayer Data Stolen For 100,000 People
So the IRS was not hacked – as many media outlets are claiming. Was taxpayer data stolen from IRS systems? Yes. Did it involve any kind of hack (by any definition)? No. There was no intrusion; there was some clever phishing, data slurping and brute forcing – of people who already had their data […]
zzuf – Multi-Purpose Application Input Fuzzing Tool
zzuf is a transparent application input fuzzing tool, or fuzzer. Its purpose is to find bugs in applications by corrupting their user-contributed data (which more often than not comes from untrusted sources on the Internet). It works by intercepting file and network operations and changing random bits in the program’s input. zzuf’s behaviour is deterministic, making […]
Web Security Dojo 2.0 – Self-Contained Web Hacking Training
Web Security Dojo is a free open-source self-contained web hacking training environment for Web Application Security penetration testing. Tools + Targets = Dojo What? Various web application security testing tools and vulnerable web applications were added to a clean install of xubuntu 12.04. Build scripts are available in git at Sourceforge. Targets include: OWASP’s WebGoat […]
The Logjam Attack – ANOTHER Critical TLS Weakness
So it seems SSL/TLS has not been having a good time lately: alongside Heartbleed and POODLE we now have the Logjam attack. It’s somewhat similar to the FREAK attack earlier this year, but FREAK attacked the RSA key exchange and was due to an implementation vulnerability, whereas Logjam attacks the Diffie-Hellman key exchange […]