Monday, June 20, 2016

XSS Challenges for All levels. Check this out!

Just updated the challenges.

http://www.sudo.co.il/xss/

Stay tuned.

Tuesday, June 7, 2016

Web-App Penetration Testing Cheat-Sheet

Target: example.com
  1. example.com/robots.txt
  2. Login Page? Default Credentials.
  3. Wordpress: wpscan --url example.com --enumerate vp --random-agent
  4. nikto -host test.com
  5. wfuzz -I -c -t 60 -w your_dictionary.txt --hc 404,302 http://example.com/FUZZ.php // I like it more than dirbuster
  6. Open Burp Suite, explore application, analyze requests/responses.
  7. Pass the character-validation probe string '">my_string\ to every parameter // apostrophe, double quote, and an escaping backslash at the end.
  8. Configure Burp to intercept responses in which "my_string" is found. // This may reveal XSS, SQL injection and other errors.
  9. Is there file upload functionality?
  10. "page" param in url? LFI/RFI?
  11. XML? XXE.
  12. See console-alike output? Command Injection?
  13. In case of command injection, don't forget to: nc sudo.co.il 5353
  14. Are WebSockets in use? Open the network tab in the browser or Burp Suite for easy examination.
  15. Google for outdated scripts: site:example.com ext:php
  16. In Google's results, append &filter=0&start=900 to the end of the URL to reach the most outdated results.
  17. Look for application logic issues: like sending price in request.
  18. Suggestions??


quick post... any suggestions?

Knocking Server in 50 lines with Scapy

You may prefer the knockd daemon, but I prefer something custom, as always.

If you don't know what it is, google for Port Knocking.

Get my knocking client-server:
git clone https://github.com/nopernik/knocking-client-server

On the server side, I have this iptables config:

root@ubuntu:~# iptables-save
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT

I'm using a whitelisting approach, so all chain policies are set to DROP.
This particular machine will not reply to pings and will appear to be down.

But it runs my knocking server and a web server in the background.
It will accept connections to the web server only while the knocking client is active.

Configuration is pretty simple, just open the source.
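The core of a knocking server is the per-source state machine that decides when a client has completed the secret sequence; below is an added example of that logic (my own illustration, not the code from the linked repository). It assumes a constructed sequence 1111, 2222, 3333 and a 5-second window between knocks; the packet sniffing (which Scapy would supply) and the actual iptables call are left out, so the block only builds the whitelist rule it would apply.

```python
from collections import namedtuple

# Constructed example values: the secret knock sequence and the time allowed
# between two successive knocks. A real deployment keeps these in config.
KNOCK_SEQUENCE = (1111, 2222, 3333)
KNOCK_TIMEOUT = 5.0          # seconds a partial sequence stays valid
WEB_PORT = 80                # service opened for a source that knocks correctly

# What a sniffer callback (e.g. Scapy sniff()) would hand us for each SYN.
Knock = namedtuple("Knock", "ts src dport")


class KnockTracker:
    """Tracks each source's progress through the knock sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.progress = {}    # src -> (index of next expected port, ts of last knock)

    def observe(self, knock):
        """Feed one observed packet; return the source once its sequence completes."""
        idx, last_ts = self.progress.get(knock.src, (0, knock.ts))
        # A stale partial sequence is discarded: the client must start over.
        if knock.ts - last_ts > self.timeout:
            idx = 0
        if knock.dport == self.sequence[idx]:
            idx += 1
        else:
            # Any unexpected port resets progress, so a sequential port sweep
            # never completes the knock: the exact ports must arrive with
            # nothing in between (a hit on the first port restarts the count).
            idx = 1 if knock.dport == self.sequence[0] else 0
        if idx == len(self.sequence):
            self.progress.pop(knock.src, None)
            return knock.src
        self.progress[knock.src] = (idx, knock.ts)
        return None


def allow_rule(src, port=WEB_PORT):
    """iptables rule whitelisting one source for the web port (built, not executed)."""
    return ["iptables", "-I", "INPUT", "-s", src, "-p", "tcp", "--dport", str(port),
            "-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT"]
```

Because the firewall policies are DROP, only a source returned by observe() should be passed to allow_rule(); everything else stays invisible, which is exactly the behaviour described above.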