penetration-testing

Testing of Web Security

In your experience, what have you found, worked on, or encountered in terms of site vulnerabilities? And what actions did you take to mitigate these issues? This may include XSS (cross-site scripting), SQL injection attacks, plain old DDoS, or phishing attempts on your site's customers. Only yesterday I came across an entire section of ...

Advice on code scanning / penetration testing tools

As far as I can see the offerings fall into two categories: scanning services such as McAfee, Comodo, etc. and tools such as Burp Proxy, HP's WebInspect, CodeScan, etc. In an ideal world, I'd use something that actively scanned a certain URL (the target being a LAMP stack) on a daily basis (or as required if it's a standalone tool), bu...

How can we monitor/ensure penetration from HTTP Request/communication bucket?

Website security testing is an important area of testing. How can we ensure the penetration of important info from the HTTP request bucket? There are many tools which can show us the HTTP request bucket, but how can we ensure penetration from it? What should the techniques be to test this area? ...

What type of penetration-testing tools are available for web applications

I am in the late testing phase of my web application. The application will be tested at a larger scale now. During this time I want to test my website against various types of known penetration tools. I am aware that it will be better to let a professional handle this subject, and this will be happening. But before I take that route I wan...

HTTP::Proxy for pen testing tasks

Could someone provide ideas on how the HTTP::Proxy module compares to other proxies like Paros and Burp Proxy, and whether someone uses it during their work, specifically whether it is used by the pen testing community for real jobs ...

Perl libwhisker library

Could someone provide links to a tutorial about the libwhisker library? ...

Penetration testers say that the .ASPXAUTH cookie is insecure and is displaying session data?

I thought the .ASPXAUTH cookie was for user authentication? Can anyone confirm if this cookie is indeed a security risk and/or contains session information? Is it even supposed to be used, or is it some debug thing? ...

Security vulnerability testing tool for .NET web applications?

Hi, I am planning to check my website against all common security vulnerabilities like cross-site scripting, SQL injection, etc. Can somebody tell me whether there is any automated tool which I can run on my .NET web app to find all the security flaws that exist? I tried CAT.NET but it is not able to support big apps. I saw OWASP but again it is a...

Penetration Testing/Ethical Hacking - Books

I have been interested in this for a while. Could anyone suggest any books on this topic? I have programming experience but nothing involving pentesting or web security. If the book requires prerequisite knowledge, please say so! Thanks! ...

Learning to become a penetration tester?

I'm interested in learning penetration testing, but I have no idea where to begin. Could someone suggest some beginner books or resources? I have experience with programming (not in C/C++ though...) so I understand basic concepts like that. Thanks ...

Work of a penetration tester?

I'm interested in a job involving security and I was curious what it's like as a pen tester, from the time the client approaches you to the time you're finished. Like, what steps are taken to test an app? Thanks! ...

How to validate length of received byte array, which is not null terminated?

Hi all, I have C/C++ code that receives a structure over the network, of this form: struct DataStruct { int DataLen; BYTE* Data; } The code I have runs over Data in a loop of DataLen times and processes the data. ...The problem: After the code came to security experts for penetration tests, they prepared a fake application whic...
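An added example, not the asker's code, of the check a length-prefixed message like the struct above needs: the receiver compares the claimed DataLen against the number of bytes that actually arrived (and against an application cap) before the processing loop ever trusts it. The wire format (4-byte little-endian length followed by the payload), the MAX_DATA_LEN cap, and the sample messages are all assumptions constructed for the example; the question does not state them.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef unsigned char BYTE;

/* Same shape as the struct in the question. Data points into the receive
 * buffer; it does not own a copy. */
struct DataStruct {
    int   DataLen;
    BYTE *Data;
};

/* Assumed application limit on a single payload (not from the question). */
#define MAX_DATA_LEN 4096

/* Assumed wire format: 4-byte little-endian length, then DataLen bytes.
 * Returns 0 and fills *out on success, -1 if the length field cannot be
 * trusted. DataLen is checked against recv_len, the byte count the socket
 * really delivered, instead of being taken at face value. */
int parse_data(const BYTE *recv_buf, size_t recv_len, struct DataStruct *out)
{
    if (recv_buf == NULL || out == NULL || recv_len < 4)
        return -1;                          /* not even a full header */

    uint32_t raw = (uint32_t)recv_buf[0]
                 | ((uint32_t)recv_buf[1] << 8)
                 | ((uint32_t)recv_buf[2] << 16)
                 | ((uint32_t)recv_buf[3] << 24);

    /* Rejects the policy cap and, as a side effect, every value that would
     * be negative once stored in a signed int (e.g. 0xFFFFFFFF). */
    if (raw > MAX_DATA_LEN)
        return -1;
    /* A peer can claim any DataLen; only this many payload bytes exist. */
    if (raw > recv_len - 4)
        return -1;

    out->DataLen = (int)raw;
    out->Data    = (BYTE *)(recv_buf + 4);
    return 0;
}

/* Example consumer: the loop from the question, bounded by a validated DataLen. */
unsigned long process_data(const struct DataStruct *d)
{
    unsigned long sum = 0;
    for (int i = 0; i < d->DataLen; i++)
        sum += d->Data[i];
    return sum;
}

/* Returns the validated DataLen, or -1 if the message is rejected. */
int check_message(const BYTE *buf, size_t len)
{
    struct DataStruct d;
    return parse_data(buf, len, &d) == 0 ? d.DataLen : -1;
}

/* Parses then processes; returns the payload byte sum, or 0 when rejected. */
unsigned long sum_message(const BYTE *buf, size_t len)
{
    struct DataStruct d;
    if (parse_data(buf, len, &d) != 0)
        return 0;
    return process_data(&d);
}

/* Constructed sample messages (not captured traffic). */
static const BYTE GOOD_MSG[]  = { 3, 0, 0, 0, 'a', 'b', 'c' };       /* honest */
static const BYTE LYING_MSG[] = { 0x10, 0x27, 0, 0, 'a', 'b', 'c' }; /* claims 10000 */
static const BYTE NEG_MSG[]   = { 0xFF, 0xFF, 0xFF, 0xFF, 'a' };     /* -1 as int */
static const BYTE SHORT_MSG[] = { 3, 0, 0, 0, 'a' };                 /* truncated */

int main(void)
{
    printf("good:  DataLen=%d sum=%lu\n",
           check_message(GOOD_MSG, sizeof GOOD_MSG),
           sum_message(GOOD_MSG, sizeof GOOD_MSG));
    printf("lying: %d\n", check_message(LYING_MSG, sizeof LYING_MSG));
    printf("neg:   %d\n", check_message(NEG_MSG, sizeof NEG_MSG));
    printf("short: %d\n", check_message(SHORT_MSG, sizeof SHORT_MSG));
    return 0;
}
```

The fake application a pentester builds for this bug sends a small payload with a huge (or negative) DataLen; with the original loop that reads past the end of the receive buffer. Keeping the length as an unsigned value until both bounds pass, and only then converting to the struct's int, is what closes both the oversize and the sign-flip cases.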

Test code coverage without source code?

What tools are out there that can perform code coverage analysis at the machine-code level rather than the source-code level? I'm looking for a possible solution to perform fuzz testing on software for which I do not have source code access. ...

MySQL commands (not SQL statements) from PHP

Is it possible, from within a PHP script, to execute the same commands you could with the MySQL client? I know I could theoretically call 'system' to invoke the mysql client installed on the system, but I am not sure how to avoid interactivity (I don't want a REPL/shell, I just want to fire a command). Is there a way to execute command...