Countless organizations have fallen prey to cyber attacks – from high profile retailers to enterprises and government agencies. Some attacks have been high profile, like last year’s Adobe attack that compromised tens of millions of customer accounts, leading to other sites, including Facebook, to force users who may have […]
As of this writing in February 2014, Android has the greatest OS market share on both smartphones and tablets. If you don’t own an Android device, chances are that your friends, family or co-workers do.
The security implications of Android affect many millions of people worldwide who use their devices […]
Buffer overflows have been the most common form of security vulnerability in the last 10 years. Buffer overflow attacks make up a substantial portion of all security attacks simply because buffer overflow vulnerabilities are so common and so easy to exploit. Most of the exploits based on buffer overflows […]
In the previous article, we discussed how to integrate Burp Suite Free Edition with SoapUI to fuzz different parameters of a soap request, how to configure Burp, and how to use different features like Burp Repeater and Intruder. I assume that whoever is going through this article have that […]
In this article we are going to see some major vulnerabilities typical of a remote banking application. We found an interesting vulnerable machine created by PHDays team. We hosted the vulnerable machine in Virtual box and logged in with these credentials: Username:root Password:phd2012. We identified the IP for that […]
A social engineering assessment is a very valuable tool in understanding the security exposure of most organizations. Since human beings tend to be the weakest link in any security strategy, this work can quickly identify which areas need to be addressed in the timeliest fashion. Another factor that needs […]
A password is the secret word or phrase that is used for the authentication process in various applications. It is used to gain access to accounts and resources. A password protects our accounts or resources from unauthorized access.
What is Password Cracking?
Password cracking is the process of guessing or recovering […]
This article is especially designed to show how to crack a Java executable by disassembling the corresponding bytes code. Disassembling of Java bytecode is the act of transforming Java bytecode to Java source code. Disassembling is an inherent issue in the software industry, causing revenue loss due to software […]
In a previous post, I covered the basics on the popular penetration testing Web browser Mantra. That post contains information on how to download Mantra, as well as installation and basic configuration. The Mantra browser comes with a nice GUI and most of the security and penetration testing related […]
When we test a web application, we do not test a single page, but a lot of pages of a single web application. Each page may have more than one variable, so technically you will be engaging with a ton of variables during your web application test. So when […]
This article is the first part of a series on NSA BIOS backdoor internals. Before we begin, I’d like to point out why these malwares are classified as “god mode.” First, most of the malware uses an internal (NSA) codename in the realms of “gods,” such as DEITYBOUNCE, GODSURGE, […]
In this article we will look at an example of Insecure or Broken Cryptography which is a common vulnerability found in most IOS applications. This vulnerability occurs when the data stored on the device is not encrypted properly thereby allowing a malicious user to gain access to that information. […]
In the previous article we discussed in what cases we might face challenges performing manual web services penetration testing and how SoapUI will help in those circumstances. Now, what are the logical and business logic test cases when testing a web services, how do we test them, and what […]
If you are looking to prepare for the CISSP, one of the domains that gives many students trouble is Cryptography. Quite often IT professionals have experience with crypto, but not on the level of detailed required to pass the CISSP. InfoSec Institute trains more IT pros on the CISSP […]
Effective threat intelligence is one major service that most companies offer to alert about the latest threats. Threat intelligence alerts about the latest threats, vulnerabilities, malware attributes, malicious IPs, etc., which can cause risk to an organization. This information will help the engineers to plan and prepare themselves to […]
Summing up what happened, Der Spiegel published an internal NSA catalog that contains detailed information on spies’ backdoors used by the agencies and designed to compromise a wide range of equipment from major IT vendors.
The document contains product data sheets of tools and exploits designed by NSA for cyber […]
In Part 26 of this series, we looked at how we can use IDA Pro and Hex Fiend to patch an IOS application and modify its implementation. Patching an application has the specific advantage that once a change has been made, it is permanent. However, if you look back […]
Most likely you will agree that security education is the thing that needs enhancement the most in companies worldwide – it is pointless to expend millions of dollars on the most recent software and hardware to defend the corporate networks against all kinds of internal and external threats only […]
Users of web applications are identified by session IDs. An attacker can impersonate users when generated sessions are predictable. This article introduces Burp Suite Sequencer and shows how it can be used to analyze session randomness.
2. Burp Suite Sequencer
The sequencer is part of Burp Suite, which is […]
From an organizational point of view, the concept of resilience is basically the same as the concept of business continuity: An organization’s ability to react properly in the event of a disaster or some other kind of disruption, and recover its operations quickly enough to avoid high losses.
But how […]