Web Application Security Mode:
(Page 7 of 331)
Parameter name injection - Not tested by WebInspect 9.x 2012-08-09
Danux (danuxx gmail com)
Old technique but still out of testers' radar. Ninety-nine percent
(99%) of tools concentrate on identifying and injecting malicious code
into parameter values, also 99% of developers concentrate on HTML
encoding parameter values, especially to prevent client-side attacks,
but what about parameter nam

[HITB-Announce] HITB Magazine Issue 009 - Call for Submissions 2012-08-09
Hafez Kamal (aphesz hackinthebox org)
This is a call for article submissions for Issue 009 of HITB's quarterly
magazine - http://magazine.hitb.org/ which will be released alongside
#HITB2012KUL - The 10 year anniversary of the HITB Security Conference
series in Malaysia.

HITB Magazine is a deep-knowledge technical publication and we ar

Re: Testing Webservices ASMX 2012-08-06
Arvind (arvind doraiswamy gmail com)
Forwarding to the list..

> Thnx Kevin...I didn't ..no. Largely I kind of ran out of time. So when
> I saw that I could not break out of the XML tags, I kind of gave up on
> it. Are you saying though, even though you can't break out of tags, by
> say closing them, you can still inject data using th

Re: Testing Webservices ASMX 2012-08-03
Arvind (arvind doraiswamy gmail com)
Thnx Kevin...I didn't ..no. Largely I kind of ran out of time. So when
I saw that I could not break out of the XML tags, I kind of gave up on
it. Are you saying though, even though you can't break out of tags, by
say closing them, you can still inject data using that string you
mentioned? How does i

Testing a Flex application 2012-08-02
Arvind (arvind doraiswamy gmail com)
Hi All,
I was testing a Flex application recently and had a few experiences
that I've put down at
http://ardsec.blogspot.com/2012/08/testing-flex-application.html. Do
share your thoughts if you have any on any of the items on that blog.

Thanks
Arvind

This list is sponsored by Cenzic
------------

AMF Testing with Blazer 2012-08-02
Luca Carettoni (luca matasano com)
Hi folks,

This may be of some interest to people on the list.

http://code.google.com/p/blazer/

Blazer is a Burp Suite plugin for testing AMF-based applications that use Java remoting technologies (e.g. Adobe BlazeDS).
It implements a new testing approach, introduced at Black Hat USA 2012. In a n

Testing Webservices ASMX 2012-08-02
Arvind (arvind doraiswamy gmail com)
Hi All,
Along with a flex app (just posted a thread) I also tested a few web
services and that's documented here -
http://ardsec.blogspot.com/2012/08/asmx-webservices-xss.html. Is there
anything else you guys can think of?

Cheers
Arvind


Pentesting attacks 2012-07-25
ITlook (madziak12 vp pl)


- Zed Attack Proxy - see what it's all about!
- Understand how A Wireless (802.11) Probe Request Based Attack works
- How to secure users from Phishing, Smishing & Social Media Attacks
- Cyber war... Is the digital apocalypse approaching?
- Original "security through obscurity" viz. SCADA penetr

winAUTOPWN v3.1 Released 2012-06-20
QUAKER DOOMER (quakerdoomer inbox lv)
Dear all,

This is to announce release of winAUTOPWN version 3.1

The improved GUI extension - WINAUTOPWN ACTIVE SYSTEMS TRANSGRESSOR GUI [ C4 - WAST ] is a
Systems and Network Exploitation Framework built on the famous winAUTOPWN as a backend.
C4 - WAST gives users the freedom to select ind

EUSecWest 2012 - Amsterdam, Sept 19/20 featuring Mobile PWN2OWN - CFP Deadline June 15 2012-06-05
Dragos Ruiu (dr kyx net)
EUSecWest 2012, Amsterdam, September 19/20, Featuring Mobile PWN2OWN
CALL FOR PAPERS - Deadline June 15 2012

   AMSTERDAM, Nederland -- The seventh annual EUSecWest
   applied technical security conference - where the eminent
   figures in the international security industry get
   together share b

Re: [Pauldotcom] hydra and HTTP NTLM 2012-05-26
Robin Wood (robin digininja org)
On 25 May 2012 21:59, Sherif El-Deeb <archeldeeb (at) gmail (dot) com> wrote:
> Back when nothing was supporting Outlook Web Access bruteforcing, I've
> written a simple bash script that automated the process using "curl"... I
> suggest you do the same.
>
> "curl --ntlm" -> it will be two nested for loops, the

Re: hydra and HTTP NTLM 2012-05-25
Robin Wood (robin digininja org)
On 25 May 2012 08:55, Jamie Riden <jamie.riden (at) gmail (dot) com> wrote:
> On 23 May 2012 13:14, Robin Wood <robin (at) digininja (dot) org> wrote:
>> Anyone know how to use the new HTTP NTLM feature in Hydra? I'm trying
>> to brute force a MS Front Page login which only asks for
>> authentication when the OPTIONS met

Re: hydra and HTTP NTLM 2012-05-25
Robin Wood (robin digininja org) (1 replies)
On 25 May 2012 13:52, Security Auditor <auditor.sec (at) gmail (dot) com> wrote:
> Hi,
> I would say use an interceptor proxy which can handle this stuff
> easily. For example burp, ZAP or others.
>
> I played with hydra on DVWA app and could not succeed at bruting.....
>
> hope this helps

I don't know a way

Re: hydra and HTTP NTLM 2012-05-27
Gary Oleary-Steele (GaryO sec-1 com) (1 replies)
Re: hydra and HTTP NTLM 2012-05-27
Robin Wood (robin digininja org)
Re: [Pauldotcom] hydra and HTTP NTLM 2012-05-25
Robin Wood (robin digininja org)
On 25 May 2012 16:59, Navarro, Gregory J <Gregory.J.Navarro (at) disney (dot) com> wrote:
> Do you know of a valid login but just not the password.  If so just fuzz it with Burp

I have no credentials but even if I did I don't think Burp does NTLM,
for it to do it it would have to be able to work with the four

Re: hydra and HTTP NTLM 2012-05-25
Norma Snockers (norma snockers hotmail co uk)
Ok not what you were originally asking but I used to use tsgrinder

-----Original Message-----

From: Robin Wood
Sent: 25 May 2012 03:33:31 GMT
To: _
Cc: webappsec (at) securityfocus (dot) com, PaulDotCom Mailing List
Subject: Re: hydra and HTTP NTLM

On 24 May 2012 13:06, _ <packetnull (at) gmail (dot) com> wrote:
> http

Re: hydra and HTTP NTLM 2012-05-24
_ (packetnull gmail com)
what kind of attack have you done so far?

On May 24, 2012, at 6:17 AM, Robin Wood <robin (at) digininja (dot) org> wrote:

> On 24 May 2012 13:06, _ <packetnull (at) gmail (dot) com> wrote:
>> http ntlm is IIS based windows auth.
>
> Yes but I still don't know how to attack it.
>
> Robin
>
>> On May 23, 2012, at 6:1

Re: [Pauldotcom] hydra and HTTP NTLM 2012-05-24
Robin Wood (robin digininja org) (1 replies)
On 24 May 2012 13:36, Tony Turner <tony_l_turner (at) yahoo (dot) com> wrote:
> Have you tried http://www.foofus.net/~jmk/tools/FPbrute.pl yet? Or is there
> a reason you wanted to use Hydra?

I've tried that but it seems to expect the login request for a simple
GET. I'm testing a FrontPage install which allow

RE: [Pauldotcom] hydra and HTTP NTLM 2012-05-25
Navarro, Gregory J (Gregory J Navarro disney com)
hydra and HTTP NTLM 2012-05-23
Robin Wood (robin digininja org) (4 replies)
Anyone know how to use the new HTTP NTLM feature in Hydra? I'm trying
to brute force a MS Front Page login which only asks for
authentication when the OPTIONS method is used as far as I can tell.

Robin


Re: hydra and HTTP NTLM 2012-05-25
Jamie Riden (jamie riden gmail com)
Re: hydra and HTTP NTLM 2012-05-25
Security Auditor (auditor sec gmail com)
Re: hydra and HTTP NTLM 2012-05-23
Seth Art (sethsec gmail com) (1 replies)
RES: hydra and HTTP NTLM 2012-05-26
Fábio Soto (fabio andradesoto com br)
Re: hydra and HTTP NTLM 2012-05-24
_ (packetnull gmail com) (1 replies)
Re: hydra and HTTP NTLM 2012-05-24
Robin Wood (robin digininja org)
t2'12: Call for Papers 2012 (Helsinki / Finland) 2012-05-11
Tomi Tuominen (tomi tuominen t2 fi)
# t2'12 - Call For Papers #
Helsinki, Finland
October 25 - 26, 2012

We are pleased to announce the annual t2'12 infosec conference, which
will take place in Helsinki, Finland, from October 25

A survey on web application attacks 2012-05-10
Hannes Holm (Hannes Holm ics kth se)
Hi webappsec subscribers,

I am researching the domain consensus regarding the effectiveness of different web application firewalls (WAFs) and would be glad if you could spare a few minutes of your time to answer a survey on the topic.

By completing this survey you will:

* Help build valuable d

Copyright 2010, SecurityFocus