Our Blog
Is URL / Variable Name the new Port Number ??
There has been a fair bit of blog buzz about the new SQL Injection worm that ran around infecting sites. I have not looked too deeply into it, but have not yet seen accounts of how the targeting was done. Since the sites do not appear to have been running a common framework i would guess that it was search-engine generated targets based on resource name (like inurl: search.asp).. For…
Strange Entries in your wbeserver logs, Wikto and questions about our Gender!
Over the past while we have been getting emails from people trying to figure out why they had entries like this in their http log files: 10.10.1.136 – – [32/Dec/2007:25:61:07 +0200] “GET //admin/dat_Gareth_at_sensepost_hackslikeagirl_.asp HTTP/1.1” 404 – Recently a concerned Wikto user figured out that this was linked to him using Wikto (our Win32 Nikto Replacement + Directory / File / Back-End Miner). A snippet from his email read: -snip- I…
Wikto 2 Bugfix
A seasonal Wikto version was released on the 22nd (Version 2.0.2911-20215) which has an issue with the web spider funtionality. HTTPS requests are being made in plain text, and this obviously means that attempts to spider such sites will not work. A bug fix for this is available from www.sensepost.com Thanks to Mark Murdock for the heads up.
Two pointless excuses to post two pictures..
a) At the end of the year we usually end up getting geek-gifts.. from SensePost, to SensePost.. Last years iPod nano’s were always going to be a tough act to follow.. but i think the picture says it all: (click pic for clearer view) I know for those across the pond its probably going to sound 3rd world, but i was genuinely suprised at how life-changing GPS technology is.. Of…
Applescript for HTTP BruteForcing..
A long time ago i blogged on the joys of using VBS to automate bruteforcing [1|2]when one didnt want to mess about duplicating an applications functionality at the protocol level.. Yesterday i had need to brute-force a web application which tried hard to be difficult and annoying.. Normally i would have used crowbar, Suru or a ugly mangled Python script, but the application was strangely difficult.. i.e. the login process…
Another time sink-hole..
A while back some of us discovered and subsequently lost days to “The Python Challenge“. Well.. prepare to write off a little more time, and check out “Project Euler“. From its about page: ” What is Project Euler? Project Euler is a series of challenging mathematical/computer programming problems that will require more than just mathematical insights to solve. Although mathematics will help you arrive at elegant and efficient methods, the…
Amazon SimpleDB – Outsource your database??
Amazon announced the beta of Amazon SimpleDB without that much fanfare, but it is an interesting trend to watch.. Essentially amazon are giving the power of a database to people used to excel and simple queries, backed by their massively optimised infrastructure. It will make popping up a web shop even more trivial than it has been in the past, and i guess continues along the growing trend of allowing…
The coolest thing this weekend…
Ok.. so being the cautious geek i am, i had bought a mac mini a while back before jumping into the OS X waters.. Unfortunately it was probably the last PPC mac mini’s sold, which means it has limited options (unless i convert it to yellowdog or somethign of the sort). About 4 months ago i bought a (huuuuge) tv.. unfortunately i quickly figured out that the reason i never…
Rob Auger from OWASP/WASC/CGiSecurity on Timing..
Rob had a rant on his site on the timing attack, with a CSRF twist.. We met him after our Vegas talk, but im not really sure how his attack differs from our published one.. my on-list response: -snip- From: haroon meer To: bugtraq@cgisecurity.net Cc: websecurity@webappsec.org Subject: Re: [WEB SECURITY] Performing Distributed Brute Forcing of CSRF vulnerable login pages Hi Robert.. Thanks for the kind words on the talk.. If…
Casper and hidden IE windows..
OK.. so it was a long time ago, and old code is supposed to embarrass you.. but i pulled casper.exe form our webpage today to test something for the project im on.. interestingly it runs pretty ok, and actually doesnt look from the outside as ugly as it is underneath.. if you never used casper, take it for a quick spin.. if nothing else u will be suprised by how…