Web Application Security Mode:
(Page 7 of 331)  < Prev  2 3 4 5 6 7 8 9 10 11 12  Next >
Administrivia: Out of office replies 2012-08-15
Andrew van der Stock (vanderaj greebo net)
Can folks please ensure that their e-mail systems do not process out
of office replies to the mail list.

As moderator, I get them and they go straight to /dev/null. Please
hope that I don't approve any, or else everyone will know that only
your cat is home. :)

thanks,
Andrew

This list is sponso

Password Blacklist 2012-08-14
Reed Black (reed unsafeword org) (3 replies)
Can anyone recommend a good password dictionary, preferably one where
the author speaks to the method of its construction?

As part of our authentication system, I want to blacklist the most
commonly used passwords. I searched for dictionaries for use with John
the Ripper, hoping to use one of these

Re: Password Blacklist 2012-08-15
Nick Galbreath (nickg client9 com)
Re: Password Blacklist 2012-08-15
Per Thorsheim (per thorsheim net) (1 replies)
Re: Password Blacklist 2012-08-15
Reed Black (reed unsafeword org) (1 replies)
RE: Password Blacklist 2012-08-15
Nigel Ball (Nigel K Ball dsl pipex com)
Re: Password Blacklist 2012-08-15
Andrew van der Stock (vanderaj greebo net)
Parameter name injection - Not tested by WebInspect 9.x 2012-08-09
Danux (danuxx gmail com) (1 replies)
Old technique but still out of testers' radar. Ninety nine percent
(99%) of tools concentrate on identifying and injecting malicious code
into parameter values, also 99% of Developers concentrate on html
encoding parameter values specially to prevent client-side attacks,
but what about parameter nam

RE: Parameter name injection - Not tested by WebInspect 9.x 2012-08-09
Dafydd Stuttard (dafydd stuttard portswigger net)
[HITB-Announce] HITB Magazine Issue 009 - Call for Submissions 2012-08-09
Hafez Kamal (aphesz hackinthebox org)
This is a call for article submissions for Issue 009 of HITB's quarterly
magazine - http://magazine.hitb.org/ which will be released alongside
#HITB2012KUL - The 10 year anniversary of the HITB Security Conference
series in Malaysia.

HITB Magazine is a deep-knowledge technical publication and we ar

Re: Testing Webservices ASMX 2012-08-06
Arvind (arvind doraiswamy gmail com)
Forwarding to the list..

> Thnx Kevin...I didn't ..no. Largely I kind of ran out of time. So when
> I saw that I could not break out of the XML tags, I kind of gave up on
> it. Are you saying though, even though you can't break out of tags, by
> say closing them, you can still inject data using th

Re: Testing Webservices ASMX 2012-08-03
Arvind (arvind doraiswamy gmail com)
Thnx Kevin...I didn't ..no. Largely I kind of ran out of time. So when
I saw that I could not break out of the XML tags, I kind of gave up on
it. Are you saying though, even though you can't break out of tags, by
say closing them, you can still inject data using that string you
mentioned? How does i

Testing a Flex application 2012-08-02
Arvind (arvind doraiswamy gmail com)
Hi All,
I was testing a Flex application recently and had a few experiences
that I've put down at
http://ardsec.blogspot.com/2012/08/testing-flex-application.html. Do
share your thoughts if you have any on any of the items on that blog.

Thanks
Arvind


AMF Testing with Blazer 2012-08-02
Luca Carettoni (luca matasano com)
Hi folks,

This may be of some interest to people on the list.

http://code.google.com/p/blazer/

Blazer is a Burp Suite plugin for testing AMF-based applications that use Java remoting technologies (e.g. Adobe BlazeDS).
It implements a new testing approach, introduced at Black Hat USA 2012. In a n

Testing Webservices ASMX 2012-08-02
Arvind (arvind doraiswamy gmail com)
Hi All,
Along with a flex app (just posted a thread) I also tested a few web
services and that's documented here -
http://ardsec.blogspot.com/2012/08/asmx-webservices-xss.html. Is there
anything else you guys can think of?

Cheers
Arvind


Pentesting attacks 2012-07-25
ITlook (madziak12 vp pl)
- Zed Attack Proxy - see what it's all about!
- Understand how A Wireless (802.11) Probe Request Based Attack works
- How to secure users from Phishing, Smishing & Social Media Attacks
- Cyber war... Is the digital apocalypse approaching?
- Original "security through obscurity" viz. SCADA penetr

winAUTOPWN v3.1 Released 2012-06-20
QUAKER DOOMER (quakerdoomer inbox lv)
Dear all,

This is to announce release of winAUTOPWN version 3.1

The improved GUI extension - WINAUTOPWN ACTIVE SYSTEMS TRANSGRESSOR GUI [ C4 - WAST ] is a
Systems and Network Exploitation Framework built on the famous winAUTOPWN as a backend.
C4 - WAST gives users the freedom to select ind

EUSecWest 2012 - Amsterdam, Sept 19/20 featuring Mobile PWN2OWN - CFP Deadline June 15 2012-06-05
Dragos Ruiu (dr kyx net)
EUSecWest 2012, Amsterdam, September 19/20, Featuring Mobile PWN2OWN
CALL FOR PAPERS - Deadline June 15 2012

   AMSTERDAM, Nederland -- The seventh annual EUSecWest
   applied technical security conference - where the eminent
   figures in the international security industry get
   together share b

Re: [Pauldotcom] hydra and HTTP NTLM 2012-05-26
Robin Wood (robin digininja org)
On 25 May 2012 21:59, Sherif El-Deeb <archeldeeb (at) gmail (dot) com [email concealed]> wrote:
> Back when nothing was supporting Outlook Web Access bruteforcing, I've
> written a simple bash script that automated the process using "curl"... I
> suggest you do the same.
>
> "curl --ntlm" -> it will be two nested for loops, the

Re: hydra and HTTP NTLM 2012-05-25
Robin Wood (robin digininja org)
On 25 May 2012 08:55, Jamie Riden <jamie.riden (at) gmail (dot) com [email concealed]> wrote:
> On 23 May 2012 13:14, Robin Wood <robin (at) digininja (dot) org [email concealed]> wrote:
>> Anyone know how to use the new HTTP NTLM feature in Hydra? I'm trying
>> to brute force a MS Front Page login which only asks for
>> authentication when the OPTIONS met

Re: hydra and HTTP NTLM 2012-05-25
Robin Wood (robin digininja org) (1 replies)
On 25 May 2012 13:52, Security Auditor <auditor.sec (at) gmail (dot) com [email concealed]> wrote:
> Hi,
> I would say use an interceptor proxy which can handle this stuff
> easily. For example burp, ZAP or others.
>
> I played with hydra on DVWA app and could not succeed at bruting.....
>
> hope this helps

I don't know a way

Re: hydra and HTTP NTLM 2012-05-27
Gary Oleary-Steele (GaryO sec-1 com) (1 replies)
Re: hydra and HTTP NTLM 2012-05-27
Robin Wood (robin digininja org)
Re: [Pauldotcom] hydra and HTTP NTLM 2012-05-25
Robin Wood (robin digininja org)
On 25 May 2012 16:59, Navarro, Gregory J <Gregory.J.Navarro (at) disney (dot) com [email concealed]> wrote:
> Do you know of a valid login but just not the password.  If so just fuzz it with Burp

I have no credentials but even if I did I don't think Burp does NTLM,
for it to do it it would have to be able to work with the four

Re: hydra and HTTP NTLM 2012-05-25
Norma Snockers (norma snockers hotmail co uk)
Ok not what you were originally asking but I used to use tsgrinder

-----Original Message-----

From: Robin Wood
Sent: 25 May 2012 03:33:31 GMT
To: _
Cc: webappsec (at) securityfocus (dot) com [email concealed],PaulDotCom Mailing List
Subject: Re: hydra and HTTP NTLM

On 24 May 2012 13:06, _ <packetnull (at) gmail (dot) com [email concealed]> wrote:
> http

Copyright 2010, SecurityFocus