Security Aegis

Hacking with your Browser

Today I rebuilt my Windows 7 partition. Amidst flurry of backing up I forgot to save my Firefox profiles. I figured this was a good time to review what I use addons-wise for all my day to day hacking needs. First things first, most of these addons will have compatibility issues. To update a Firefox [...]

Blackhat and Defcon Parties

Every year we head to the desert to learn the newest attack/defenses in the world, to share groundbreaking ideas… but not least of all, to have some fun! Who? When? (July) Time Where? Link/RSVP Why? ModSecurity Happy Hour Wednesday 28th 4-6pm munchbar @ Caesar's Palace open to anyone modsecurity is awesome MAD & [...]

smpCTF – 2010 Hacker Olympics

I just finished playing in the yearly smpCTF with team MRL. MRL is Midnight Research Labs based out of Boston, who do some really cool research/presentations/tools. You might remember them from their release of SEAT (Search Engine Assessment (Tool) a year or so back. smpCTF is a yearly top tier CTF, akin to the Defcon [...]

OSINT, because knowing is half the battle…

Profiling, or OSINT (open source intelligence), is an art. Private investigators have been doing it for years now but, it has just started to show real promise in application to Penetration Testing and Red Team Testing. A lot of work has been done recently by Chris Gates and Chris Nickerson on bringing it into the [...]

Interview: Hakin9, Ferruh Mavituna on Web Security

A new interview with Ferruh focusing less on Netsparker and more on web security in general. Published in Hakin9 Magazine, Pages 56-58 =) Download the issue! http://download.hakin9.org/en/hakin9_04_2010_EN.pdf Also, Since it was con-time near deadline-time, Ferruh might expand a bit here on some of the questions he didn't get to cover, so stay tuned.

Review: eLearnSecurity’s Penetration Testing Pro

My original review appeared over at http://www.ethicalhacker.net/content/view/307/24/ eLearnSecurity’s Penetration Testing Pro - What CEH Should Have Been Recently the web has been abuzz with pentest training options. The CEH received new life as it was added to DoD Directive 8570 as well as revamped its courseware in version 6.0, Offensive Security rolled out [...]

Netsparker Community Edition – “The Sparkler”

Believe me when i say that we’ve used a lot of tools. We love scripts, we love things that free up our time to do the real analysis on a web application assessment. We have used w3af, nikto, Grendel Scan, etc, etc… We are really happy to see a new tool we have used in [...]

Finding Social Security Numbers in packet captures with grep and ngrep

From @ap3r on the Redspin Labs Blog by Nathan Drier on Apr.16, 2010: I’ve been spending a lot of time lately working with packet captures. I’ve been stringing together a long list of silly one-liners to make a very rough pcap vulnerability scanner of sorts. This is one of those one-liners. One of the main [...]

Release: Burp Proxy to XML – BURP2XML

With the incorporation of Burp Suite Professional into our audit processes, we (the redspin engineers) discovered that there was not an easy method to extract results from Burp’s session file without having to manually re-run Burp. In order to automate this process, we have developed a standalone Python script to process Burp’s session files into [...]

Skipfish, Google Enters the Web Scanner Fray

Just wrote a quick review and jotted down some insights to Google's new web application security scanner. Skipfish. Read the whole thing at the link or just check out the "skinny" The Skinny: We like it. As Google says, its not an end-all-be-all for web application scanners, but it definitely has some great logic, features, [...]